Skip to content

Code Security Report: 172 high severity findings, 256 total findings #5

Open
Open
Code Security Report: 172 high severity findings, 256 total findings#5
Labels
Mend: code security findingsCode security findings detected by Mend
@dev-mend-for-github-com

Description

@dev-mend-for-github-com
dev-mend-for-github-com
bot
opened on Mar 5, 2024

Code Security Report

Scan Metadata

Latest Scan: 2024-04-16 03:59pm
Total Findings: 256 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 310
Detected Programming Languages: 2 (Python, JavaScript / Node.js)

  • Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

SeverityVulnerability TypeCWEFileData FlowsDate
HighPath/Directory Traversal

CWE-22

req_tracker.py:70

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Lines 65 to 70 in 4214ce5

% (link, fp.read()))
except IOError as e:
if e.errno != errno.ENOENT:
raise
assert req not in self._entries
with open(entry_path, 'w') as fp:

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 28 in 4214ce5

self._root = os.environ.get('PIP_REQ_TRACKER')

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 60 in 4214ce5

entry_path = self._entry_path(link)

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 70 in 4214ce5

with open(entry_path, 'w') as fp:

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Path/Directory Traversal Training

● Videos

   ▪ Secure Code Warrior Path/Directory Traversal Video

● Further Reading

   ▪ OWASP Path Traversal

   ▪ OWASP Input Validation Cheat Sheet

 
HighPath/Directory Traversal

CWE-22

req_tracker.py:62

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Lines 57 to 62 in 4214ce5

# type: (InstallRequirement) -> None
link = req.link
info = str(req)
entry_path = self._entry_path(link)
try:
with open(entry_path) as fp:

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 28 in 4214ce5

self._root = os.environ.get('PIP_REQ_TRACKER')

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 60 in 4214ce5

entry_path = self._entry_path(link)

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/pip/_internal/req/req_tracker.py

Line 62 in 4214ce5

with open(entry_path) as fp:

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Path/Directory Traversal Training

● Videos

   ▪ Secure Code Warrior Path/Directory Traversal Video

● Further Reading

   ▪ OWASP Path Traversal

   ▪ OWASP Input Validation Cheat Sheet

 
HighCross-Site Scripting

CWE-79

radioselect.html:4

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap3/layout/radioselect.html

Lines 1 to 4 in 4214ce5

{% load crispy_forms_filters %}
{% load l10n %}
<div class="controls {{ field_class }}"{% if flat_attrs %} {{ flat_attrs|safe }}{% endif %}>

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap3/layout/radioselect.html

Line 4 in 4214ce5

<div class="controls {{ field_class }}"{% if flat_attrs %} {{ flat_attrs|safe }}{% endif %}>

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

alert.html:3

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/layout/alert.html

Lines 1 to 3 in 4214ce5

<div{% if alert.css_id %} id="{{ alert.css_id }}"{% endif %}{% if alert.css_class %} class="{{ alert.css_class }}"{% endif %}>
{% if dismiss %}<button type="button" class="close" data-dismiss="alert">&times;</button>{% endif %}
{{ content|safe }}

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/layout/alert.html

Line 3 in 4214ce5

{{ content|safe }}

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

table_inline_formset.html:25

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/table_inline_formset.html

Lines 20 to 25 in 4214ce5

{% else %}
<tr>
{% for field in formset.forms.0 %}
{% if field.label and not field.is_hidden %}
<th for="{{ field.auto_id }}" class="col-form-label {% if field.field.required %}requiredField{% endif %}">
{{ field.label|safe }}{% if field.field.required and not field|is_checkbox %}<span class="asteriskField">*</span>{% endif %}

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/table_inline_formset.html

Line 25 in 4214ce5

{{ field.label|safe }}{% if field.field.required and not field|is_checkbox %}<span class="asteriskField">*</span>{% endif %}

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

table_inline_formset.html:25

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap3/table_inline_formset.html

Lines 20 to 25 in 4214ce5

{% else %}
<tr>
{% for field in formset.forms.0 %}
{% if field.label and not field.is_hidden %}
<th for="{{ field.auto_id }}" class="control-label {% if field.field.required %}requiredField{% endif %}">
{{ field.label|safe }}{% if field.field.required and not field|is_checkbox %}<span class="asteriskField">*</span>{% endif %}

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap3/table_inline_formset.html

Line 25 in 4214ce5

{{ field.label|safe }}{% if field.field.required and not field|is_checkbox %}<span class="asteriskField">*</span>{% endif %}

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

uneditable_input.html:2

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap/layout/uneditable_input.html

Lines 1 to 2 in 4214ce5

<div id="div_{{ field.auto_id }}" class="control-group{% if form_show_errors and field.errors %} error{% endif %}{% if field.css_classes %} {{ field.css_classes }}{% endif %}">
<div class="control-label{% if field.field.required %} requiredField{% endif %}">{{ field.label|safe }}{% if field.field.required %}<span class="asteriskField">*</span>{% endif %}</div>

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap/layout/uneditable_input.html

Line 2 in 4214ce5

<div class="control-label{% if field.field.required %} requiredField{% endif %}">{{ field.label|safe }}{% if field.field.required %}<span class="asteriskField">*</span>{% endif %}</div>

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

fieldset.html:3

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/uni_form/layout/fieldset.html

Lines 1 to 3 in 4214ce5

<fieldset {% if fieldset.css_id %}id="{{ fieldset.css_id }}"{% endif %}
{% if fieldset.css_class or form_style %}class="{{ fieldset.css_class }} {{ form_style }}"{% endif %}
{{ fieldset.flat_attrs|safe }}>

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/uni_form/layout/fieldset.html

Line 3 in 4214ce5

{{ fieldset.flat_attrs|safe }}>

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

checkboxselectmultiple.html:4

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/layout/checkboxselectmultiple.html

Lines 1 to 4 in 4214ce5

{% load crispy_forms_filters %}
{% load l10n %}
<div class="{% if field_class %} {{ field_class }}{% endif %}"{% if flat_attrs %} {{ flat_attrs|safe }}{% endif %}>

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/layout/checkboxselectmultiple.html

Line 4 in 4214ce5

<div class="{% if field_class %} {{ field_class }}{% endif %}"{% if flat_attrs %} {{ flat_attrs|safe }}{% endif %}>

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

 
HighCross-Site Scripting

CWE-79

accordion-group.html:14

12024-03-05 03:50am
Vulnerable Code

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/accordion-group.html

Lines 9 to 14 in 4214ce5

</div>
<div id="{{ div.css_id }}" class="collapse{% if div.active %} show{% endif %}" role="tabpanel"
aria-labelledby="{{ div.css_id }}" data-parent="#accordion">
<div class="card-body">
{{ fields|safe }}

1 Data Flow/s detected

app_control_stock_python_django/envappstock/lib/python3.7/site-packages/crispy_forms/templates/bootstrap4/accordion-group.html

Line 14 in 4214ce5

{{ fields|safe }}

Secure Code Warrior Training Material

● Training

   ▪ Secure Code Warrior Cross-Site Scripting Training

● Videos

   ▪ Secure Code Warrior Cross-Site Scripting Video

Findings Overview

Severity Vulnerability Type CWE Language Count
High Deserialization of Untrusted Data CWE-502 Python 2
High Cross-Site Scripting CWE-79 Python 149
High File Manipulation CWE-73 Python 3
High Path/Directory Traversal CWE-22 Python 13
High Command Injection CWE-78 Python 5
Medium Hardcoded Password/Credentials CWE-798 Python 18
Medium Hidden HTML Input CWE-472 Python 15
Low Weak Hash Strength CWE-916 Python 51

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: code security findingsCode security findings detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions