Conversation

@prabhu prabhu commented Dec 15, 2022

This automated PR was created by your AppSec team. ShiftLeft CORE is our preferred code analysis tool to continuously scan this application and open-source libraries for vulnerabilities.

Please contact the AppSec team should you require any additional information about this pull request or the ShiftLeft platform.

@github-actions

Checking analysis of application java-sec-code against 1 build rules.

Using sl version 0.9.1641 (5243f3b0cac2a4ebdba236c30eeb398ad612465a).

Checking findings on scan 5.

Results per rule:

  • report: FAIL
    (629 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
       4   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
     105   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     245   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     253   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     327   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           

     Severity rating   Count 
     Critical             90 
     High                145 
     Medium              109 
     Low                  94 

     Finding Type   Count 
     Oss_vuln         261 
     Package          188 
     Vuln             177 
     Secret             3 

     OWASP 2021 Category                              Count 
     A09-Security-Logging-And-Monitoring-Failures        55 
     A01-Broken-Access-Control                           32 
     A03-Injection                                       30 
     A05-Security-Misconfiguration                       27 
     A10-Server-Side-Request-Forgery-(Ssrf)              23 
     A08-Software-And-Data-Integrity-Failures             8 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.

@github-actions

Checking analysis of application java-sec-code against 1 build rules.

Using sl version 0.9.1641 (5243f3b0cac2a4ebdba236c30eeb398ad612465a).

Checking findings on scan 6.

Results per rule:

  • report: FAIL
    (629 matched vulnerabilities; configured threshold is 0).

    First 5 findings:

        ID   CVSS    Rating    CVE              Title                                                                                                                                                     
       4   10.0   critical   GMS-2022-560     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework.boot:spring-boot-starter-web.           
     105   10.0   critical   CVE-2018-14721   FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to b…
     245   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     253   10.0   critical   CVE-2021-44228   Log4j versions prior to 2.16.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.                                             
     327   10.0   critical   GMS-2022-558     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.springframework:spring-beans.                           

     Severity rating   Count 
     Critical             90 
     High                145 
     Medium              109 
     Low                  94 

     Finding Type   Count 
     Oss_vuln         261 
     Package          188 
     Vuln             177 
     Secret             3 

     OWASP 2021 Category                              Count 
     A09-Security-Logging-And-Monitoring-Failures        55 
     A01-Broken-Access-Control                           32 
     A03-Injection                                       30 
     A05-Security-Misconfiguration                       27 
     A10-Server-Side-Request-Forgery-(Ssrf)              23 
     A08-Software-And-Data-Integrity-Failures             8 
     A07-Identification-And-Authentication-Failures       1 
     A02-Cryptographic-Failures                           1 

1 rule failed.
