TypeScript implementation of SSVC (Stakeholder-Specific Vulnerability Categorization). A prioritization framework to triage CVE vulnerabilities as an alternative or complement to CVSS
{
"version": "2.1.0",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": [
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.system.systemdebug.system-debug:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.encryption.badcrypto.bad-crypto:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Missing plugin"
},
"level": "note",
"message": {
"text": "Missing plugin for rule apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command."
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-urllib3.tainted-django-http-request-urllib3:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-httplib2.tainted-django-http-request-httplib2:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-torch-pickle-django.tainted-torch-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-pyyaml-django.tainted-pyyaml-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-fs-django.tainted-path-traversal-fs-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-requests.tainted-django-http-request-requests:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-openpyxl-django.tainted-path-traversal-openpyxl-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.regex.tainted-regex-stdlib-django.tainted-regex-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.aiosqlite-django.aiosqlite-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-pycurl.tainted-django-http-request-pycurl:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.xml.tainted-django-xml-stdlib.tainted-django-xml-stdlib:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.pymongo-django.pymongo-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-pickleshare-django.tainted-pickleshare-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.peewee-django.peewee-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.sqlobject-django.sqlobject-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.os.tainted-os-command-stdlib-django.tainted-os-command-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-aiofile-django.tainted-path-traversal-aiofile-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-marshal-django.tainted-marshal-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.ai.prompt-injection-django.prompt-injection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.os.tainted-dotenv-variable-django.tainted-dotenv-variable-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-crispy-forms-disable-csrf.django-crispy-forms-disable-csrf:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.os.tainted-os-command-stdlib-django-secure-default.tainted-os-command-stdlib-django-secure-default:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-pickle-django.tainted-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-httpx.tainted-django-http-request-httpx:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.sqlalchemy-django.sqlalchemy-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-stdlib-django.tainted-path-traversal-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.xml.tainted-django-xml-lxml.tainted-django-xml-lxml:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-shelve-django.tainted-shelve-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-dill-django.tainted-dill-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.os.tainted-os-command-paramiko-django.tainted-os-command-paramiko-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.ponyorm-django.ponyorm-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-pandas-pickle-django.tainted-pandas-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-aiohttp.tainted-django-http-request-aiohttp:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-jsonpickle-django.tainted-jsonpickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.sqlobject-connection-django.sqlobject-connection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-numpy-pickle-django.tainted-numpy-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-ruamel-django.tainted-ruamel-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.code.tainted-code-stdlib-django.tainted-code-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.deserialization.tainted-pandas-hdf-django.tainted-pandas-hdf-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.generic-sql-django.generic-sql-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-samesite-missing.django-cookie-samesite-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-secure-missing.django-cookie-secure-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.db.djangoorm-django.djangoorm-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-httponly-false.django-cookie-httponly-false:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-samesite-none.django-cookie-samesite-none:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.file.tainted-file-response-django.tainted-filename-response-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.tainted-direct-response-django.tainted-direct-response-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-httponly-missing.django-cookie-httponly-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.django-cookie-secure-false.django-cookie-secure-false:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Incompatible rule"
},
"level": "note",
"message": {
"text": "Incompatible rule python.django.web.tainted-redirect-django.tainted-redirect-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0"
}
},
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line semgrep.sarif.json:1:\n missing element"
}
}
]
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "10664bb781b15eeb8846b9b40da355f2bcc7cd0c0ce977533e672f42ab3222e05ce0adb8e4c5849b91cbe382463804cff4b9facb8a1b531e721ac6fc17b2a902_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 48,
"endLine": 77,
"snippet": {
"text": " this.priority = priorityMap[action];"
},
"startColumn": 29,
"startLine": 77
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "10664bb781b15eeb8846b9b40da355f2bcc7cd0c0ce977533e672f42ab3222e05ce0adb8e4c5849b91cbe382463804cff4b9facb8a1b531e721ac6fc17b2a902_1"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 48,
"endLine": 86,
"snippet": {
"text": " this.priority = priorityMap[action];"
},
"startColumn": 29,
"startLine": 86
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "de15f8d20c30053cb883a43c8a7399ff72a1ad746690ce842f0478f3c0c995de21778cff6131ff3f7cf29f73eedfe064310f89109e569777918c5d397b7bb90e_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 62,
"endLine": 207,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.automatable!]?.[this.technical_impact!]?.[this.mission_wellbeing!] ?? ActionCISA.TRACK;"
},
"startColumn": 28,
"startLine": 207
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "32591ae20c3136a56daf6d1ad701436975660c1076a4ca2be989a8a9acf78a02e299e9c1ef3c0bb3baa0d5be6bfc138c7ba2db56f08a3c91ea9d938fc0a94a3b_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 83,
"endLine": 207,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.automatable!]?.[this.technical_impact!]?.[this.mission_wellbeing!] ?? ActionCISA.TRACK;"
},
"startColumn": 28,
"startLine": 207
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "a151f5f0f1d5d72dff488e6181457d6138d175837180a2338f1e5f1811cf9a5a60fa26f1cc40b94fc60fd9eec00c1f789158fe689dfa59f1a31971e35f5caea5_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 109,
"endLine": 207,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.automatable!]?.[this.technical_impact!]?.[this.mission_wellbeing!] ?? ActionCISA.TRACK;"
},
"startColumn": 28,
"startLine": 207
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "93ff78d190f3f20d8016d70e36c4ba4ba0c547c598256b2c86a4bd50eb46856f0044c7459b800a7ca93fb875a7d4bf6465b12cb7551a09de8bab9616b5a6ba87_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 136,
"endLine": 207,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.automatable!]?.[this.technical_impact!]?.[this.mission_wellbeing!] ?? ActionCISA.TRACK;"
},
"startColumn": 28,
"startLine": 207
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "de15f8d20c30053cb883a43c8a7399ff72a1ad746690ce842f0478f3c0c995de21778cff6131ff3f7cf29f73eedfe064310f89109e569777918c5d397b7bb90e_1"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 62,
"endLine": 367,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.utility!]?.[this.technical_impact!]?.[this.safety_impact!] ?? ActionFIRST.SCHEDULED;"
},
"startColumn": 28,
"startLine": 367
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "17b4a27bf096d1677f74724cd87d3cc014f34424d6ea72824f210aa816782aa43890e96a8483b44a1341edcc58ec474f24168b63c7cf5684dd0a31560743652d_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 79,
"endLine": 367,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.utility!]?.[this.technical_impact!]?.[this.safety_impact!] ?? ActionFIRST.SCHEDULED;"
},
"startColumn": 28,
"startLine": 367
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "a73ae15cc2653c7c22cbd1201a12151d7482d8ad09ed023c071b13ad69fbcb0a1b7cb3ac472a8559f6c517d3b194b1e22a9a176c5e4a07e9064fef1832da8739_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 105,
"endLine": 367,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.utility!]?.[this.technical_impact!]?.[this.safety_impact!] ?? ActionFIRST.SCHEDULED;"
},
"startColumn": 28,
"startLine": 367
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
},
{
"fingerprints": {
"matchBasedId/v1": "a711911c2fcfe0859a3d615d412fc44280b272280ad2d121352c597da26b0f8864bc43fdcec5b026df37cbfec5debe7b999279af792efa5074a7a59b7d617893_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/decision.ts",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 128,
"endLine": 367,
"snippet": {
"text": " const action = decisionMatrix[this.exploitation!]?.[this.utility!]?.[this.technical_impact!]?.[this.safety_impact!] ?? ActionFIRST.SCHEDULED;"
},
"startColumn": 28,
"startLine": 367
}
}
}
],
"message": {
"text": "Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype, leading to possible code execution."
},
"properties": {},
"ruleId": "gitlab.eslint.detect-object-injection"
}
],
"tool": {
"driver": {
"name": "Semgrep OSS",
"rules": [
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."
},
"help": {
"markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."
},
"helpUri": "https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret",
"id": "swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret",
"name": "swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (Application can send requests only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."
},
"help": {
"markdown": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (Application can send requests only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n",
"text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending on the use case (Application can send requests only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)."
},
"helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf",
"id": "csharp.lang.security.ssrf.web-request.ssrf",
"name": "csharp.lang.security.ssrf.web-request.ssrf",
"properties": {
"precision": "very-high",
"tags": [
"CWE-918: Server-Side Request Forgery (SSRF)",
"LOW CONFIDENCE",
"OWASP-A10:2021 - Server-Side Request Forgery (SSRF)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."
},
"help": {
"markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n",
"text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)."
},
"helpUri": "https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret",
"id": "swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret",
"name": "swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"HIGH CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "A hardcoded Key is identified."
},
"help": {
"markdown": "A hardcoded Key is identified.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_api_key)\n",
"text": "A hardcoded Key is identified."
},
"helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_api_key",
"id": "mobsf.mobsfscan.android.secrets.hardcoded_api_key",
"name": "mobsf.mobsfscan.android.secrets.hardcoded_api_key",
"properties": {
"precision": "very-high",
"tags": [
"cwe-798",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: mobsf.mobsfscan.android.secrets.hardcoded_api_key"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false."
},