Chain 1 — B2B order endpoint evaluates client-supplied data in a vm sandbox (RCE)
Critical Confidence: high
The Assessment
11.8
/ 100
Critical
Your codebase has fixable exposure.
78 production-actionable findings of 267 total — none are unrecoverable; each ships with a copy-paste fix prompt.
Section 01
Security Posture
Automated security assessment of juice-shop. Overall grade: Critical — CRITICAL risk level. 78 production-actionable findings of 267 total — +124 dependency-pinning (one lockfile fix); +25 in test/demo files; +40 informational (third-party / non-security random / verified-safe ORM); each not production-actionable but listed in full with a remediation brief.
7
10
45
205
7Critical
10High
45Medium
205Low
7 attack chains our Adversarial AI Review traced end-to-end — multi-step exploit paths, business-logic and race-condition flaws that automated scanners miss. See the chains →
See Key Findings for the top risks, or jump to Detailed Findings to copy a fix-prompt for any issue.
Section 02
Risk Overview
Severity × Effort Heatmap
Sev \ Effort
Config
1-liner
Small
Moderate
Refactor
Critical
1
—
6
—
—
High
2
—
8
—
—
Medium
3
—
42
—
—
Low
37
124
44
—
—
Section 03
Executive Summary
Risk Level: CRITICAL
Security Score: 11.8/100 Critical
What This Means
The assessment identified critical security issues that could allow attackers to compromise the system or access sensitive data. Immediate remediation is recommended before production deployment.
Top 3 Risks
| # | Risk (non-technical label) | Impact if exploited | Fix window |
|---|---|---|---|
| 1 | Server Takeover — routes/b2bOrder.ts:23 | arbitrary code execution | a few hours |
| 2 | Code-Injection Attack — routes/captcha.ts:22 | arbitrary code execution from evaluated input | a few hours |
| 3 | Stolen Credentials — lib/insecurity.ts:23 | credential compromise: the embedded secret grants direct access | a few hours |
Recommended Actions
- Immediate: Address all P0 findings before next deployment.
- Short-term: Plan P1 remediation within the current sprint.
- Planned: Schedule P2/P3 work into the next quarterly roadmap.
Section 04
Key Findings
| Severity | Finding | CWE | Location |
|---|---|---|---|
| Critical | F01 — Server Takeover | CWE-94 | routes/b2bOrder.ts:23 |
| Critical | F02 — Code-Injection Attack | CWE-95 | routes/captcha.ts:22 |
| Critical | F03 — Code-Injection Attack | CWE-95 | routes/userProfile.ts:61 |
| Critical | F04 — Stolen Credentials | CWE-798 | lib/insecurity.ts:23 |
| Critical | F05 — Internal Network Abuse | CWE-918 | routes/profileImageUrlUpload.ts:24 |
Full detail for every finding — evidence, CVSS, affected code and a copy-paste fix prompt — is in Detailed Findings.
Section 05
Priority Matrix
P0 — Do immediately
| ID | Finding | Severity | File |
|---|---|---|---|
| F01 | RCE/b2b-order-vm-eval-user-input | Critical | routes/b2bOrder.ts:23 |
| F02 | eval-with-expression | Critical | routes/captcha.ts:22 |
| F03 | eval-with-expression | Critical | routes/userProfile.ts:61 |
| F04 | private-key | Critical | lib/insecurity.ts:23 |
| F05 | node-ssrf | Critical | routes/profileImageUrlUpload.ts:24 |
| F06 | node-nosqli-js-injection | Critical | routes/showProductReviews.ts:31 |
| F07 | node-nosqli-js-injection | Critical | routes/trackOrder.ts:15 |
| F11 | hardcoded-jwt-secret | High | lib/insecurity.ts:56 |
| F12 | generic-api-key | High | routes/login.ts:65 |
P1 — Do this week
| ID | Finding | Severity | File |
|---|---|---|---|
| F08 | yaml-deserialize | High | routes/vulnCodeFixes.ts:81 |
| F09 | yaml-deserialize | High | rsn/rsnUtil.ts:135 |
| F10 | yaml-deserialize | High | server.ts:139 |
| F13 | BOLA/basket-read-any-id | High | routes/basket.ts:19 |
| F14 | AUTHZ/change-password-without-current | High | routes/changePassword.ts:39 |
| F15 | BOLA/basket-checkout-any-id | High | routes/order.ts:35 |
| F16 | express-open-redirect | High | routes/redirect.ts:19 |
| F17 | LOGIC/wallet-topup-without-charge | High | routes/wallet.ts:27 |
| F24 | DS-0001 | Medium | Dockerfile:22 |
| F25 | DL3006 | Medium | Dockerfile:22 |
| F26 | express-cors | Medium | server.ts:182 |
P2 — Plan sprint
| ID | Finding | Severity | File |
|---|---|---|---|
| F18 | express-xss | Medium | routes/chat.ts:216 |
| F19 | express-xss | Medium | routes/chat.ts:226 |
| F20 | express-xss | Medium | routes/chat.ts:239 |
| F21 | express-xss | Medium | routes/chat.ts:253 |
| F22 | express-xss | Medium | routes/dataExport.ts:108 |
| F23 | express-xss | Medium | routes/userProfile.ts:98 |
| F27 | SC-UNPINNED-ACTION-GHA | Medium | .github/workflows/ci.yml:202 |
| F28 | SC-UNPINNED-ACTION-GHA | Medium | .github/workflows/codeql-analysis.yml:23 |
| F29 | SC-UNPINNED-ACTION-GHA | Medium | .github/workflows/codeql-analysis.yml:34 |
| F30 | SC-UNPINNED-ACTION-GHA | Medium | .github/workflows/codeql-analysis.yml:36 |
| F31 | possible-timing-attacks | Medium | frontend/src/app/change-password/change-password.component.ts:150 |
| F32 | non-literal-regexp | Medium | lib/codingChallenges.ts:76 |
| F33 | non-literal-regexp | Medium | lib/codingChallenges.ts:78 |
| F34 | node-insecure-random-generator | Medium | lib/insecurity.ts:55 |
| F35 | non-literal-fs-filename | Medium | lib/utils.ts:120 |
| F36 | SC-MISSING-LOCKFILE-NPM | Medium | package.json:0 |
| F37 | layer7-object-dos | Medium | routes/basket.ts:26 |
| F38 | LOGIC/basket-quantity-no-lower-bound | Medium | routes/basketItems.ts:92 |
| F39 | possible-timing-attacks | Medium | routes/changePassword.ts:28 |
| F40 | BOLA/coupon-apply-any-id | Medium | routes/coupon.ts:18 |
| F41 | layer7-object-dos | Medium | routes/currentUser.ts:23 |
| F42 | express-lfr | Medium | routes/dataErasure.ts:50 |
| F43 | layer7-object-dos | Medium | routes/dataExport.ts:72 |
| F44 | non-literal-fs-filename | Medium | routes/fileUpload.ts:33 |
| F45 | non-literal-fs-filename | Medium | routes/fileUpload.ts:38 |
| F46 | non-literal-fs-filename | Medium | routes/fileUpload.ts:45 |
| F47 | layer7-object-dos | Medium | routes/likeProductReviews.ts:47 |
| F48 | non-literal-fs-filename | Medium | routes/order.ts:45 |
| F49 | layer7-object-dos | Medium | routes/payment.ts:22 |
| F50 | non-literal-fs-filename | Medium | routes/profileImageFileUpload.ts:43 |
| F51 | non-literal-fs-filename | Medium | routes/profileImageUrlUpload.ts:29 |
| F52 | non-literal-fs-filename | Medium | routes/videoHandler.ts:21 |
| F53 | non-literal-fs-filename | Medium | routes/videoHandler.ts:29 |
| F54 | non-literal-fs-filename | Medium | routes/videoHandler.ts:45 |
| F55 | non-literal-fs-filename | Medium | routes/videoHandler.ts:82 |
| F56 | non-literal-fs-filename | Medium | routes/vulnCodeFixes.ts:29 |
| F57 | non-literal-fs-filename | Medium | routes/vulnCodeFixes.ts:80 |
| F58 | non-literal-fs-filename | Medium | routes/vulnCodeFixes.ts:81 |
| F59 | non-literal-fs-filename | Medium | rsn/rsnUtil.ts:66 |
| F60 | non-literal-fs-filename | Medium | rsn/rsnUtil.ts:133 |
| F61 | non-literal-fs-filename | Medium | rsn/rsnUtil.ts:134 |
| F62 | non-literal-fs-filename | Medium | rsn/rsnUtil.ts:155 |
| F63 | generic-api-key | Low | data/static/users.yml:88 |
| F64 | generic-api-key | Low | data/static/users.yml:151 |
| F65 | jwt | Low | frontend/src/app/app.guard.spec.ts:46 |
| F66 | jwt | Low | frontend/src/app/last-login-ip/last-login-ip.component.spec.ts:72 |
| F67 | generic-api-key | Low | frontend/src/app/oauth/oauth.component.spec.ts:91 |
| F68 | generic-api-key | Low | frontend/src/app/oauth/oauth.component.spec.ts:98 |
| F69 | generic-api-key | Low | test/api/2fa.test.ts:42 |
| F70 | generic-api-key | Low | test/api/2fa.test.ts:66 |
| F71 | generic-api-key | Low | test/api/2fa.test.ts:104 |
| F72 | generic-api-key | Low | test/api/2fa.test.ts:144 |
| F73 | generic-api-key | Low | test/api/2fa.test.ts:219 |
| F74 | generic-api-key | Low | test/api/2fa.test.ts:254 |
| F75 | generic-api-key | Low | test/api/2fa.test.ts:281 |
| F76 | generic-api-key | Low | test/api/data-export.test.ts:24 |
| F77 | generic-api-key | Low | test/api/erasure-request.test.ts:66 |
| F78 | generic-api-key | Low | test/api/web3.test.ts:48 |
| F79 | generic-api-key | Low | test/api/web3.test.ts:70 |
| F80 | jwt | Low | test/cypress/e2e/forgedJwt.spec.ts:7 |
| F81 | jwt | Low | test/cypress/e2e/forgedJwt.spec.ts:22 |
| F82 | jwt | Low | test/server/currentUserSpec.ts:35 |
| F83 | jwt | Low | test/server/currentUserSpec.ts:36 |
| F84 | jwt | Low | test/server/verifySpec.ts:265 |
| F85 | DS-0002 | Low | test/smoke/Dockerfile:0 |
| F86 | DS-0025 | Low | test/smoke/Dockerfile:3 |
| F87 | DS-0001 | Low | test/smoke/Dockerfile:1 |
| F88 | DS-0026 | Low | Dockerfile:0 |
| F89 | DL3059 | Low | Dockerfile:5 |
| F90 | DL3059 | Low | Dockerfile:6 |
| F91 | DL3059 | Low | Dockerfile:7 |
| F92 | DL3059 | Low | Dockerfile:8 |
| F93 | DL3059 | Low | Dockerfile:9 |
| F94 | DL3059 | Low | Dockerfile:10 |
| F95 | DL3059 | Low | Dockerfile:11 |
| F96 | DL3059 | Low | Dockerfile:12 |
| F97 | DL3059 | Low | Dockerfile:13 |
| F98 | DL3059 | Low | Dockerfile:20 |
| F99 | DS-0026 | Low | test/smoke/Dockerfile:0 |
P3 — Backlog
| ID | Finding | Severity | File |
|---|---|---|---|
| F100 | SC-UNPINNED-RANGE-NPM | Low | — |
| F101 | SC-UNPINNED-RANGE-NPM | Low | — |
| F102 | SC-UNPINNED-RANGE-NPM | Low | — |
| F103 | SC-UNPINNED-RANGE-NPM | Low | — |
| F104 | SC-UNPINNED-RANGE-NPM | Low | — |
| F105 | SC-UNPINNED-RANGE-NPM | Low | — |
| F106 | SC-UNPINNED-RANGE-NPM | Low | — |
| F107 | SC-UNPINNED-RANGE-NPM | Low | — |
| F108 | SC-UNPINNED-RANGE-NPM | Low | — |
| F109 | SC-UNPINNED-RANGE-NPM | Low | — |
| F110 | SC-UNPINNED-RANGE-NPM | Low | — |
| F111 | SC-UNPINNED-RANGE-NPM | Low | — |
| F112 | SC-UNPINNED-RANGE-NPM | Low | — |
| F113 | SC-UNPINNED-RANGE-NPM | Low | — |
| F114 | SC-UNPINNED-RANGE-NPM | Low | — |
| F115 | SC-UNPINNED-RANGE-NPM | Low | — |
| F116 | SC-UNPINNED-RANGE-NPM | Low | — |
| F117 | SC-UNPINNED-RANGE-NPM | Low | — |
| F118 | SC-UNPINNED-RANGE-NPM | Low | — |
| F119 | SC-UNPINNED-RANGE-NPM | Low | — |
| F120 | SC-UNPINNED-RANGE-NPM | Low | — |
| F121 | SC-UNPINNED-RANGE-NPM | Low | — |
| F122 | SC-UNPINNED-RANGE-NPM | Low | — |
| F123 | SC-UNPINNED-RANGE-NPM | Low | — |
| F124 | SC-UNPINNED-RANGE-NPM | Low | — |
| F125 | SC-UNPINNED-RANGE-NPM | Low | — |
| F126 | SC-UNPINNED-RANGE-NPM | Low | — |
| F127 | SC-UNPINNED-RANGE-NPM | Low | — |
| F128 | SC-UNPINNED-RANGE-NPM | Low | — |
| F129 | SC-UNPINNED-RANGE-NPM | Low | — |
| F130 | SC-UNPINNED-RANGE-NPM | Low | — |
| F131 | SC-UNPINNED-RANGE-NPM | Low | — |
| F132 | SC-UNPINNED-RANGE-NPM | Low | — |
| F133 | SC-UNPINNED-RANGE-NPM | Low | — |
| F134 | SC-UNPINNED-RANGE-NPM | Low | — |
| F135 | SC-UNPINNED-RANGE-NPM | Low | — |
| F136 | SC-UNPINNED-RANGE-NPM | Low | — |
| F137 | SC-UNPINNED-RANGE-NPM | Low | — |
| F138 | SC-UNPINNED-RANGE-NPM | Low | — |
| F139 | SC-UNPINNED-RANGE-NPM | Low | — |
| F140 | SC-UNPINNED-RANGE-NPM | Low | — |
| F141 | SC-UNPINNED-RANGE-NPM | Low | — |
| F142 | SC-UNPINNED-RANGE-NPM | Low | — |
| F143 | SC-UNPINNED-RANGE-NPM | Low | — |
| F144 | SC-UNPINNED-RANGE-NPM | Low | — |
| F145 | SC-UNPINNED-RANGE-NPM | Low | — |
| F146 | SC-UNPINNED-RANGE-NPM | Low | — |
| F147 | SC-UNPINNED-RANGE-NPM | Low | — |
| F148 | SC-UNPINNED-RANGE-NPM | Low | — |
| F149 | SC-UNPINNED-RANGE-NPM | Low | — |
| F150 | SC-UNPINNED-RANGE-NPM | Low | — |
| F151 | SC-UNPINNED-RANGE-NPM | Low | — |
| F152 | SC-UNPINNED-RANGE-NPM | Low | — |
| F153 | SC-UNPINNED-RANGE-NPM | Low | — |
| F154 | SC-UNPINNED-RANGE-NPM | Low | — |
| F155 | SC-UNPINNED-RANGE-NPM | Low | — |
| F156 | SC-UNPINNED-RANGE-NPM | Low | — |
| F157 | SC-UNPINNED-RANGE-NPM | Low | — |
| F158 | SC-UNPINNED-RANGE-NPM | Low | — |
| F159 | SC-UNPINNED-RANGE-NPM | Low | — |
| F160 | SC-UNPINNED-RANGE-NPM | Low | — |
| F161 | SC-UNPINNED-RANGE-NPM | Low | — |
| F162 | SC-UNPINNED-RANGE-NPM | Low | — |
| F163 | SC-UNPINNED-RANGE-NPM | Low | — |
| F164 | SC-UNPINNED-RANGE-NPM | Low | — |
| F165 | SC-UNPINNED-RANGE-NPM | Low | — |
| F166 | SC-UNPINNED-RANGE-NPM | Low | — |
| F167 | SC-UNPINNED-RANGE-NPM | Low | — |
| F168 | SC-UNPINNED-RANGE-NPM | Low | — |
| F169 | SC-UNPINNED-RANGE-NPM | Low | — |
| F170 | SC-UNPINNED-RANGE-NPM | Low | — |
| F171 | SC-UNPINNED-RANGE-NPM | Low | — |
| F172 | SC-UNPINNED-RANGE-NPM | Low | — |
| F173 | SC-UNPINNED-RANGE-NPM | Low | — |
| F174 | SC-UNPINNED-RANGE-NPM | Low | — |
| F175 | SC-UNPINNED-RANGE-NPM | Low | — |
| F176 | SC-UNPINNED-RANGE-NPM | Low | — |
| F177 | SC-UNPINNED-RANGE-NPM | Low | — |
| F178 | SC-UNPINNED-RANGE-NPM | Low | — |
| F179 | SC-UNPINNED-RANGE-NPM | Low | — |
| F180 | SC-UNPINNED-RANGE-NPM | Low | — |
| F181 | SC-UNPINNED-RANGE-NPM | Low | — |
| F182 | SC-UNPINNED-RANGE-NPM | Low | — |
| F183 | SC-UNPINNED-RANGE-NPM | Low | — |
| F184 | SC-UNPINNED-RANGE-NPM | Low | — |
| F185 | SC-UNPINNED-RANGE-NPM | Low | — |
| F186 | SC-UNPINNED-RANGE-NPM | Low | — |
| F187 | SC-UNPINNED-RANGE-NPM | Low | — |
| F188 | SC-UNPINNED-RANGE-NPM | Low | — |
| F189 | SC-UNPINNED-RANGE-NPM | Low | — |
| F190 | SC-UNPINNED-RANGE-NPM | Low | — |
| F191 | SC-UNPINNED-RANGE-NPM | Low | — |
| F192 | SC-UNPINNED-RANGE-NPM | Low | — |
| F193 | SC-UNPINNED-RANGE-NPM | Low | — |
| F194 | SC-UNPINNED-RANGE-NPM | Low | — |
| F195 | SC-UNPINNED-RANGE-NPM | Low | — |
| F196 | SC-UNPINNED-RANGE-NPM | Low | — |
| F197 | SC-UNPINNED-RANGE-NPM | Low | — |
| F198 | SC-UNPINNED-RANGE-NPM | Low | — |
| F199 | SC-UNPINNED-RANGE-NPM | Low | — |
| F200 | SC-UNPINNED-RANGE-NPM | Low | — |
| F201 | SC-UNPINNED-RANGE-NPM | Low | — |
| F202 | SC-UNPINNED-RANGE-NPM | Low | — |
| F203 | SC-UNPINNED-RANGE-NPM | Low | — |
| F204 | SC-UNPINNED-RANGE-NPM | Low | — |
| F205 | SC-UNPINNED-RANGE-NPM | Low | — |
| F206 | SC-UNPINNED-RANGE-NPM | Low | — |
| F207 | SC-UNPINNED-RANGE-NPM | Low | — |
| F208 | SC-UNPINNED-RANGE-NPM | Low | — |
| F209 | SC-UNPINNED-RANGE-NPM | Low | — |
| F210 | SC-UNPINNED-RANGE-NPM | Low | — |
| F211 | SC-UNPINNED-RANGE-NPM | Low | — |
| F212 | SC-UNPINNED-RANGE-NPM | Low | — |
| F213 | SC-UNPINNED-RANGE-NPM | Low | — |
| F214 | SC-UNPINNED-RANGE-NPM | Low | — |
| F215 | SC-UNPINNED-RANGE-NPM | Low | — |
| F216 | SC-UNPINNED-RANGE-NPM | Low | — |
| F217 | SC-UNPINNED-RANGE-NPM | Low | — |
| F218 | SC-UNPINNED-RANGE-NPM | Low | — |
| F219 | SC-UNPINNED-RANGE-NPM | Low | — |
| F220 | SC-UNPINNED-RANGE-NPM | Low | — |
| F221 | SC-UNPINNED-RANGE-NPM | Low | — |
| F222 | SC-UNPINNED-RANGE-NPM | Low | — |
| F223 | SC-UNPINNED-RANGE-NPM | Low | — |
| F224 | non-literal-fs-filename | Low | Gruntfile.js:75 |
| F225 | node-insecure-random-generator | Low | data/datacreator.ts:304 |
| F226 | node-insecure-random-generator | Low | data/datacreator.ts:322 |
| F227 | node-insecure-random-generator | Low | data/datacreator.ts:380 |
| F228 | node-insecure-random-generator | Low | data/datacreator.ts:754 |
| F229 | node-nosqli-injection | Low | data/static/codefixes/chatbotPromptInjectionChallenge_2_correct.ts:8 |
| F230 | node-insecure-random-generator | Low | frontend/src/app/Services/conversation-storage.service.ts:17 |
| F231 | node-insecure-random-generator | Low | frontend/src/app/chatbot/chat-welcome-screen/chat-welcome-screen.component.ts:71 |
| F232 | node-insecure-random-generator | Low | frontend/src/app/coding-challenge-page/components/coding-challenge-fix-it/coding-challenge-fix-it.component.ts:119 |
| F233 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:6359 |
| F234 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:6426 |
| F235 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:6434 |
| F236 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:6442 |
| F237 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:6450 |
| F238 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:15504 |
| F239 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:15534 |
| F240 | node-insecure-random-generator | Low | frontend/src/assets/private/three.js:15567 |
| F241 | non-literal-fs-filename | Low | lib/codingChallenges.ts:22 |
| F242 | non-literal-fs-filename | Low | lib/codingChallenges.ts:23 |
| F243 | non-literal-fs-filename | Low | lib/codingChallenges.ts:29 |
| F244 | node-nosqli-injection | Low | routes/address.ts:18 |
| F245 | node-nosqli-injection | Low | routes/basket.ts:19 |
| F246 | node-nosqli-injection | Low | routes/basketItems.ts:68 |
| F247 | node-insecure-random-generator | Low | routes/captcha.ts:14 |
| F248 | node-insecure-random-generator | Low | routes/captcha.ts:15 |
| F249 | node-insecure-random-generator | Low | routes/captcha.ts:16 |
| F250 | node-insecure-random-generator | Low | routes/captcha.ts:18 |
| F251 | node-insecure-random-generator | Low | routes/captcha.ts:19 |
| F252 | node-nosqli-injection | Low | routes/captcha.ts:37 |
| F253 | node-nosqli-injection | Low | routes/dataErasure.ts:31 |
| F254 | node-nosqli-injection | Low | routes/dataErasure.ts:34 |
| F255 | node-nosqli-injection | Low | routes/delivery.ts:34 |
| F256 | node-nosqli-injection | Low | routes/deluxe.ts:19 |
| F257 | node-nosqli-injection | Low | routes/deluxe.ts:25 |
| F258 | node-nosqli-injection | Low | routes/deluxe.ts:35 |
| F259 | node-nosqli-injection | Low | routes/likeProductReviews.ts:19 |
| F260 | node-nosqli-injection | Low | routes/order.ts:35 |
| F261 | node-nosqli-injection | Low | routes/order.ts:74 |
| F262 | node-nosqli-injection | Low | routes/order.ts:121 |
| F263 | node-nosqli-injection | Low | routes/payment.ts:41 |
| F264 | node-nosqli-injection | Low | routes/resetPassword.ts:18 |
| F265 | node-nosqli-injection | Low | routes/resetPassword.ts:35 |
| F266 | node-nosqli-injection | Low | routes/securityQuestion.ts:13 |
| F267 | node-nosqli-injection | Low | routes/wallet.ts:24 |
Section 06
Attack Chains
Chain 2 — Any authenticated user can read any basket by id (BOLA read)
High Confidence: high
Chain 3 — Basket item quantity check validates only the upper bound (negative quantity accepted)
Medium Confidence: high
Chain 4 — Password change does not require the current password
High Confidence: high
Chain 5 — Coupon can be applied/overwritten on any basket id (BOLA write)
Medium Confidence: high
Chain 6 — Checkout/place-order works on any basket id and destroys its items (BOLA write)
High Confidence: high
Chain 7 — Wallet balance is credited by a client-supplied amount with no verified payment
High Confidence: high
Section 07
Detailed Findings
Showing 267 of 267 findings. Use the filter above to focus by severity; expand a category to read each finding.
Step 2 — Dependency Audit 0 finding(s)
No findings for Step 2 — Tool error.
Step 3 — Supply Chain 129 finding(s)
| ID | Finding | CWE | Location | Severity | Description | Remediation | Fix |
|---|---|---|---|---|---|---|---|
| F27 | SC-UNPINNED-ACTION-GHA | CWE-1104 | .github/workflows/ci.yml:202 | Medium | GitHub Actions step uses 'coverallsapp/github-action@v2' in .github/workflows/ci.yml:202. A version tag (e.g. @v3) is mutable. A compromised release under that tag will run in CI automatically. | Pin 'coverallsapp/github-action@v2' to an immutable commit SHA, e.g. `coverallsapp/github-action@<40-char-sha> # v2`. Use `pin-github-actions` or `tj-actions/auto-approve` to automate. | |
| F28 | SC-UNPINNED-ACTION-GHA | CWE-1104 | .github/workflows/codeql-analysis.yml:23 | Medium | GitHub Actions step uses 'github/codeql-action/init@v3' in .github/workflows/codeql-analysis.yml:23. A version tag (e.g. @v3) is mutable. A compromised release under that tag will run in CI automatically. | Pin 'github/codeql-action/init@v3' to an immutable commit SHA, e.g. `github/codeql-action/init@<40-char-sha> # v3`. Use `pin-github-actions` or `tj-actions/auto-approve` to automate. | |
| F29 | SC-UNPINNED-ACTION-GHA | CWE-1104 | .github/workflows/codeql-analysis.yml:34 | Medium | GitHub Actions step uses 'github/codeql-action/autobuild@v3' in .github/workflows/codeql-analysis.yml:34. A version tag (e.g. @v3) is mutable. A compromised release under that tag will run in CI automatically. | Pin 'github/codeql-action/autobuild@v3' to an immutable commit SHA, e.g. `github/codeql-action/autobuild@<40-char-sha> # v3`. Use `pin-github-actions` or `tj-actions/auto-approve` to automate. | |
| F30 | SC-UNPINNED-ACTION-GHA | CWE-1104 | .github/workflows/codeql-analysis.yml:36 | Medium | GitHub Actions step uses 'github/codeql-action/analyze@v3' in .github/workflows/codeql-analysis.yml:36. A version tag (e.g. @v3) is mutable. A compromised release under that tag will run in CI automatically. | Pin 'github/codeql-action/analyze@v3' to an immutable commit SHA, e.g. `github/codeql-action/analyze@<40-char-sha> # v3`. Use `pin-github-actions` or `tj-actions/auto-approve` to automate. | |
| F36 | SC-MISSING-LOCKFILE-NPM | CWE-494 | package.json | Medium | No npm/yarn/pnpm lockfile found (package-lock.json / yarn.lock / pnpm-lock.yaml / npm-shrinkwrap.json). Without a lockfile, dependency versions are resolved at install time and may drift silently. A supply-chain attacker can publish a malicious minor version that is installed automatically. | Commit a lockfile: run `npm install` (or `yarn install` / `pnpm install`) and commit the generated lockfile. Use `npm ci` in CI to enforce the locked versions. | |
| F100 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@ai-sdk/openai-compatible' in dependencies uses a range specifier ('^2.0.35') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@ai-sdk/openai-compatible' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | |
| F101 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@cyclonedx/cyclonedx-npm' in devDependencies uses a range specifier ('^2.0.0||^3.0.0||^4.00') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@cyclonedx/cyclonedx-npm' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F102 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@eslint/js' in devDependencies uses a range specifier ('^9.33.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@eslint/js' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F103 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@fontsource/roboto' in dependencies uses a range specifier ('^5.2.9') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@fontsource/roboto' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F104 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@istanbuljs/nyc-config-typescript' in devDependencies uses a range specifier ('^1.0.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@istanbuljs/nyc-config-typescript' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F105 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/chai' in devDependencies uses a range specifier ('^4.3.20') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/chai' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F106 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/clarinet' in devDependencies uses a range specifier ('^0.12.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/clarinet' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F107 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/compression' in devDependencies uses a range specifier ('^1.8.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/compression' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F108 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/config' in devDependencies uses a range specifier ('^3.3.5') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/config' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F109 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/cookie-parser' in devDependencies uses a range specifier ('^1.4.10') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/cookie-parser' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F110 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/cors' in devDependencies uses a range specifier ('^2.8.19') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/cors' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F111 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/cross-spawn' in devDependencies uses a range specifier ('^6.0.6') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/cross-spawn' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F112 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/cypress' in devDependencies uses a range specifier ('^1.1.6') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/cypress' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F113 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/diff' in devDependencies uses a range specifier ('^7.0.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/diff' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F114 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/download' in devDependencies uses a range specifier ('^8.0.5') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/download' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F115 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/errorhandler' in devDependencies uses a range specifier ('^1.5.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/errorhandler' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F116 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/exif' in devDependencies uses a range specifier ('^0.6.5') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/exif' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F117 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/express' in devDependencies uses a range specifier ('^4.17.25') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/express' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F118 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/express-jwt' in devDependencies uses a range specifier ('^6.0.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/express-jwt' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F119 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/fs-extra' in devDependencies uses a range specifier ('^9.0.13') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/fs-extra' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F120 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/glob' in devDependencies uses a range specifier ('^7.2.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/glob' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F121 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/graceful-fs' in devDependencies uses a range specifier ('^4.1.9') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/graceful-fs' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F122 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/i18n' in devDependencies uses a range specifier ('^0.12.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/i18n' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F123 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/js-yaml' in devDependencies uses a range specifier ('^3.12.10') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/js-yaml' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F124 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/jsonwebtoken' in devDependencies uses a range specifier ('^8.5.9') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/jsonwebtoken' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F125 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/jws' in devDependencies uses a range specifier ('^3.2.10') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/jws' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F126 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/lodash' in devDependencies uses a range specifier ('^4.17.14') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/lodash' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F127 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/mocha' in devDependencies uses a range specifier ('^8.2.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/mocha' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F128 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/morgan' in devDependencies uses a range specifier ('^1.9.9') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/morgan' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F129 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/multer' in devDependencies uses a range specifier ('^1.4.12') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/multer' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F130 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/node' in devDependencies uses a range specifier ('^20.17.25') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/node' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F131 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/on-finished' in devDependencies uses a range specifier ('^2.3.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/on-finished' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F132 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/pdfkit' in devDependencies uses a range specifier ('^0.10.6') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/pdfkit' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F133 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/portscanner' in devDependencies uses a range specifier ('^2.1.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/portscanner' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F134 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/pug' in devDependencies uses a range specifier ('^2.0.10') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/pug' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F135 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/sanitize-html' in devDependencies uses a range specifier ('^1.27.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/sanitize-html' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F136 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/semver' in devDependencies uses a range specifier ('^7.5.8') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/semver' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F137 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/sequelize' in devDependencies uses a range specifier ('^4.28.20') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/sequelize' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F138 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/serve-index' in devDependencies uses a range specifier ('^1.9.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/serve-index' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F139 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/sinon' in devDependencies uses a range specifier ('^10.0.20') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/sinon' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F140 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/sinon-chai' in devDependencies uses a range specifier ('^3.2.12') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/sinon-chai' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F141 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/socket.io' in devDependencies uses a range specifier ('^2.1.13') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/socket.io' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F142 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/socket.io-client' in devDependencies uses a range specifier ('^1.4.36') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/socket.io-client' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F143 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/supertest' in devDependencies uses a range specifier ('^7.2.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/supertest' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F144 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/swagger-ui-express' in devDependencies uses a range specifier ('^4.1.6') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/swagger-ui-express' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F145 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package '@types/unzipper' in devDependencies uses a range specifier ('^0.10.10') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin '@types/unzipper' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F146 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'ai' in dependencies uses a range specifier ('^6.0.116') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'ai' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F147 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'beercss' in dependencies uses a range specifier ('^4.0.19') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'beercss' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F148 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'body-parser' in dependencies uses a range specifier ('^1.20.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'body-parser' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F149 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'chai' in devDependencies uses a range specifier ('^4.5.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'chai' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F150 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'check-dependencies' in dependencies uses a range specifier ('^2.0.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'check-dependencies' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F151 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'clarinet' in dependencies uses a range specifier ('^0.12.6') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'clarinet' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F152 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'compression' in dependencies uses a range specifier ('^1.8.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'compression' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F153 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'concurrently' in devDependencies uses a range specifier ('^5.3.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'concurrently' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F154 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'config' in dependencies uses a range specifier ('^3.3.12') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'config' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F155 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'cookie-parser' in dependencies uses a range specifier ('^1.4.7') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'cookie-parser' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F156 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'cookieconsent' in dependencies uses a range specifier ('^3.1.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'cookieconsent' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F157 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'cors' in dependencies uses a range specifier ('^2.8.5') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'cors' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F158 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'cypress' in devDependencies uses a range specifier ('^13.17.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'cypress' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F159 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'download' in dependencies uses a range specifier ('^8.0.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'download' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F160 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'errorhandler' in dependencies uses a range specifier ('^1.5.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'errorhandler' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F161 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'eslint' in devDependencies uses a range specifier ('^9.39.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'eslint' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F162 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'ethers' in dependencies uses a range specifier ('^6.16.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'ethers' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F163 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'exif' in devDependencies uses a range specifier ('^0.6.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'exif' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F164 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'express' in dependencies uses a range specifier ('^4.22.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'express' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F165 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'express-ipfilter' in dependencies uses a range specifier ('^1.3.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'express-ipfilter' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F166 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'express-rate-limit' in dependencies uses a range specifier ('^7.5.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'express-rate-limit' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F167 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'express-robots-txt' in dependencies uses a range specifier ('^0.5.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'express-robots-txt' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F168 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'express-security.txt' in dependencies uses a range specifier ('^2.0.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'express-security.txt' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F169 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'feature-policy' in dependencies uses a range specifier ('^0.6.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'feature-policy' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F170 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'file-stream-rotator' in dependencies uses a range specifier ('^1.0.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'file-stream-rotator' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F171 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'file-type' in dependencies uses a range specifier ('^16.5.4') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'file-type' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F172 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'finale-rest' in dependencies uses a range specifier ('^1.2.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'finale-rest' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F173 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'fs-extra' in dependencies uses a range specifier ('^9.1.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'fs-extra' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F174 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'glob' in dependencies uses a range specifier ('^10.4.5') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'glob' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F175 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'globals' in devDependencies uses a range specifier ('^17.4.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'globals' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F176 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'graceful-fs' in dependencies uses a range specifier ('^4.2.11') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'graceful-fs' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F177 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'grunt' in dependencies uses a range specifier ('^1.6.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'grunt' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F178 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'grunt-cli' in devDependencies uses a range specifier ('^1.5.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'grunt-cli' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F179 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'grunt-contrib-compress' in dependencies uses a range specifier ('^1.6.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'grunt-contrib-compress' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F180 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'grunt-replace-json' in dependencies uses a range specifier ('^0.1.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'grunt-replace-json' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F181 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'hashids' in dependencies uses a range specifier ('^2.3.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'hashids' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F182 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'hbs' in dependencies uses a range specifier ('^4.2.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'hbs' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F183 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'helmet' in dependencies uses a range specifier ('^4.6.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'helmet' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F184 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'html-entities' in dependencies uses a range specifier ('^1.4.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'html-entities' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F185 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'i18n' in dependencies uses a range specifier ('^0.11.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'i18n' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F186 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'js-yaml' in dependencies uses a range specifier ('^3.14.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'js-yaml' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F187 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'libxmljs2' in dependencies uses a range specifier ('~0.37.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'libxmljs2' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F188 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'marsdb' in dependencies uses a range specifier ('^0.6.11') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'marsdb' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F189 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'material-icons' in dependencies uses a range specifier ('^1.13.14') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'material-icons' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F190 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'median' in dependencies uses a range specifier ('^0.0.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'median' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F191 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'mocha' in devDependencies uses a range specifier ('^8.4.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'mocha' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F192 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'morgan' in dependencies uses a range specifier ('^1.10.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'morgan' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F193 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'multer' in dependencies uses a range specifier ('^1.4.5-lts.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'multer' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F194 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'neostandard' in devDependencies uses a range specifier ('^0.13.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'neostandard' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F195 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'node-pre-gyp' in dependencies uses a range specifier ('^0.15.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'node-pre-gyp' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F196 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'notevil' in dependencies uses a range specifier ('^1.3.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'notevil' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F197 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'nyc' in devDependencies uses a range specifier ('^15.1.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'nyc' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F198 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'on-finished' in dependencies uses a range specifier ('^2.3.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'on-finished' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F199 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'otplib' in dependencies uses a range specifier ('^13.4.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'otplib' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F200 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'pdfkit' in dependencies uses a range specifier ('^0.11.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'pdfkit' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F201 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'portscanner' in dependencies uses a range specifier ('^2.2.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'portscanner' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F202 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'prom-client' in dependencies uses a range specifier ('^15.1.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'prom-client' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F203 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'pug' in dependencies uses a range specifier ('^3.0.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'pug' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F204 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'replace' in dependencies uses a range specifier ('^1.2.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'replace' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F205 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'sanitize-filename' in dependencies uses a range specifier ('^1.6.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'sanitize-filename' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F206 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'semver' in dependencies uses a range specifier ('^7.6.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'semver' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F207 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'sequelize' in dependencies uses a range specifier ('^6.37.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'sequelize' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F208 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'serve-index' in dependencies uses a range specifier ('^1.9.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'serve-index' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F209 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'sinon' in devDependencies uses a range specifier ('^11.1.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'sinon' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F210 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'sinon-chai' in devDependencies uses a range specifier ('^3.7.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'sinon-chai' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F211 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'socket.io' in dependencies uses a range specifier ('^3.1.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'socket.io' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F212 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'socket.io-client' in devDependencies uses a range specifier ('^3.1.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'socket.io-client' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F213 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'sqlite3' in dependencies uses a range specifier ('^5.1.7') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'sqlite3' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F214 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'supertest' in devDependencies uses a range specifier ('^7.2.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'supertest' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F215 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'svg-captcha' in dependencies uses a range specifier ('^1.4.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'svg-captcha' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F216 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'swagger-ui-express' in dependencies uses a range specifier ('^5.0.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'swagger-ui-express' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F217 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'tsx' in devDependencies uses a range specifier ('^4.21.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'tsx' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F218 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'typescript' in devDependencies uses a range specifier ('~5.3.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'typescript' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F219 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'typescript-eslint' in devDependencies uses a range specifier ('^8.57.1') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'typescript-eslint' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F220 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'winston' in dependencies uses a range specifier ('^3.16.0') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'winston' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F221 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'yaml-schema-validator' in dependencies uses a range specifier ('^1.2.3') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'yaml-schema-validator' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F222 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'z85' in dependencies uses a range specifier ('^0.0.2') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'z85' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
| F223 | SC-UNPINNED-RANGE-NPM | CWE-1104 | — | Low | Package 'zod' in dependencies uses a range specifier ('^3.25.76') and NO lockfile is committed. npm can install any compatible version; a supply-chain compromise on a matching minor/patch release will be auto-installed. | Pin 'zod' to an exact version AND commit a lockfile (`npm install` then commit package-lock.json; `npm ci` in CI). | — |
Step 4 — Working-Tree Secrets 24 finding(s)
| ID | Finding | CWE | Location | Severity | Description | Remediation | Fix |
|---|---|---|---|---|---|---|---|
| F04 | private-key | CWE-798 | lib/insecurity.ts:23 | Critical | Identified a Private Key, which may compromise cryptographic security and sensitive data encryption. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | |
| F12 | generic-api-key | CWE-798 | routes/login.ts:65 | High | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | |
| F63 | generic-api-key | CWE-798 | data/static/users.yml:88 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the secret from source. Rotate it immediately at the provider. Move runtime values to environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault). Add this credential/config file to `.gitignore` and purge it from git history (`git filter-repo --path <file> --invert-paths`). | |
| F64 | generic-api-key | CWE-798 | data/static/users.yml:151 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the secret from source. Rotate it immediately at the provider. Move runtime values to environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault). Add this credential/config file to `.gitignore` and purge it from git history (`git filter-repo --path <file> --invert-paths`). | — |
| F65 | jwt | CWE-798 | frontend/src/app/app.guard.spec.ts:46 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F66 | jwt | CWE-798 | frontend/src/app/last-login-ip/last-login-ip.component.spec.ts:72 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F67 | generic-api-key | CWE-798 | frontend/src/app/oauth/oauth.component.spec.ts:91 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F68 | generic-api-key | CWE-798 | frontend/src/app/oauth/oauth.component.spec.ts:98 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F69 | generic-api-key | CWE-798 | test/api/2fa.test.ts:42 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F70 | generic-api-key | CWE-798 | test/api/2fa.test.ts:66 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F71 | generic-api-key | CWE-798 | test/api/2fa.test.ts:104 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F72 | generic-api-key | CWE-798 | test/api/2fa.test.ts:144 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F73 | generic-api-key | CWE-798 | test/api/2fa.test.ts:219 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F74 | generic-api-key | CWE-798 | test/api/2fa.test.ts:254 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F75 | generic-api-key | CWE-798 | test/api/2fa.test.ts:281 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F76 | generic-api-key | CWE-798 | test/api/data-export.test.ts:24 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F77 | generic-api-key | CWE-798 | test/api/erasure-request.test.ts:66 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F78 | generic-api-key | CWE-798 | test/api/web3.test.ts:48 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F79 | generic-api-key | CWE-798 | test/api/web3.test.ts:70 | Low | Detected a Generic API Key, potentially exposing access to various services and sensitive operations. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F80 | jwt | CWE-798 | test/cypress/e2e/forgedJwt.spec.ts:7 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F81 | jwt | CWE-798 | test/cypress/e2e/forgedJwt.spec.ts:22 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F82 | jwt | CWE-798 | test/server/currentUserSpec.ts:35 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F83 | jwt | CWE-798 | test/server/currentUserSpec.ts:36 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
| F84 | jwt | CWE-798 | test/server/verifySpec.ts:265 | Low | Uncovered a JSON Web Token, which may lead to unauthorized access to web applications and sensitive user data. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | — |
Step 5 — Static Analysis 90 finding(s)
| ID | Finding | CWE | Location | Severity | Description | Remediation | Fix |
|---|---|---|---|---|---|---|---|
| F02 | eval-with-expression | CWE-95 | routes/captcha.ts:22 | Critical | The application was found calling the `eval` function OR Function() constructor OR setTimeout() OR setInterval() methods. If the variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications. To remediate this issue, remove all calls to above methods and consider alternative methods for executing the necessary business logic. | Replace `eval` / `new Function(...)` / dynamic `require` on user-controlled data with a safe alternative: `JSON.parse` for data, a vetted expression parser for formulas, or an explicit dispatch map for command strings. Never pass request input to a code-execution sink. | |
| F03 | eval-with-expression | CWE-95 | routes/userProfile.ts:61 | Critical | The application was found calling the `eval` function OR Function() constructor OR setTimeout() OR setInterval() methods. If the variables or strings or functions passed to these methods contains user-supplied input, an adversary could attempt to execute arbitrary JavaScript code. This could lead to a full system compromise in Node applications or Cross-site Scripting (XSS) in web applications. To remediate this issue, remove all calls to above methods and consider alternative methods for executing the necessary business logic. | Replace `eval` / `new Function(...)` / dynamic `require` on user-controlled data with a safe alternative: `JSON.parse` for data, a vetted expression parser for formulas, or an explicit dispatch map for command strings. Never pass request input to a code-execution sink. | |
| F05 | node-ssrf | CWE-918 | routes/profileImageUrlUpload.ts:24 | Critical | This application allows user-controlled URLs to be passed directly to HTTP client libraries. This can result in Server-Side Request Forgery (SSRF). SSRF refers to an attack where the attacker can abuse functionality on the server to force it to make requests to other internal systems within your infrastructure that are not directly exposed to the internet. This allows the attacker to access internal resources they do not have direct access to. | Validate outbound URLs against an allowlist of permitted hosts. Block link-local and private IP ranges (169.254/16, 10/8, 172.16/12, 192.168/16). Disable HTTP redirects to untrusted destinations. | |
| F06 | node-nosqli-js-injection | CWE-943 | routes/showProductReviews.ts:31 | Critical | Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | |
| F07 | node-nosqli-js-injection | CWE-943 | routes/trackOrder.ts:15 | Critical | Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | |
| F08 | yaml-deserialize | CWE-502 | routes/vulnCodeFixes.ts:81 | High | User controlled data in 'yaml.load()' function can result in Remote Code Injection. | Avoid deserialising untrusted input. If unavoidable, use schema-validating libraries (`zod`, `pydantic`) and an explicit allowlist of types. Never `Object.assign` user-controlled keys onto sensitive objects. | |
| F09 | yaml-deserialize | CWE-502 | rsn/rsnUtil.ts:135 | High | User controlled data in 'yaml.load()' function can result in Remote Code Injection. | Avoid deserialising untrusted input. If unavoidable, use schema-validating libraries (`zod`, `pydantic`) and an explicit allowlist of types. Never `Object.assign` user-controlled keys onto sensitive objects. | |
| F10 | yaml-deserialize | CWE-502 | server.ts:139 | High | User controlled data in 'yaml.load()' function can result in Remote Code Injection. | Avoid deserialising untrusted input. If unavoidable, use schema-validating libraries (`zod`, `pydantic`) and an explicit allowlist of types. Never `Object.assign` user-controlled keys onto sensitive objects. | |
| F11 | hardcoded-jwt-secret | CWE-798 | lib/insecurity.ts:56 | High | Hardcoded JWT secret or private key was found. Hardcoding secrets like JWT signing keys poses a significant security risk. If the source code ends up in a public repository or is compromised, the secret is exposed. Attackers could then use the secret to generate forged tokens and access the system. Store it properly in an environment variable. Here are some recommended safe ways to access JWT secrets: - Use environment variables to store the secret and access it in code instead of hardcoding. This keeps it out of source control. | Remove the hardcoded value from the source code and replace it with a runtime lookup (environment variable or a secrets manager such as AWS Secrets Manager / HashiCorp Vault). Do NOT add this source file to `.gitignore`. It is application code. If the credential was ever a real/live secret, rotate it at the provider AND purge the leaked value from git history (`git filter-repo --replace-text`), but keep the file in the repo. | |
| F16 | express-open-redirect | CWE-601 | routes/redirect.ts:19 | High | Passing untrusted user input in `redirect()` can result in an open redirect vulnerability. This could be abused by malicious actors to trick users into being redirected to websites under their control to capture authentication information. To prevent open redirect vulnerabilities: - Always validate and sanitize user inputs, especially URL parameters or query strings that may influence the flow of the application. - Use allowlists (lists of permitted URLs) to validate redirect targets against known, trusted URLs before performing the redirect. | Do not build redirects from user-controlled input. Redirect only to a server-side allowlist of paths/hosts, or use a fixed relative path. If an external redirect is required, validate the target against an explicit allowlist before issuing the 3xx. | |
| F18 | express-xss | CWE-79 | routes/chat.ts:216 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F19 | express-xss | CWE-79 | routes/chat.ts:226 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F20 | express-xss | CWE-79 | routes/chat.ts:239 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F21 | express-xss | CWE-79 | routes/chat.ts:253 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F22 | express-xss | CWE-79 | routes/dataExport.ts:108 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F23 | express-xss | CWE-79 | routes/userProfile.ts:98 | Medium | This application accepts user input directly from the client side without validation. This could lead to Cross Site Scripting (XSS) if the input contains malicious script code and the application server does not properly escape or sanitize the output. Consider encoding input data before sending it to the client side. ``` // safe method of sending user input data router.get('/safe/1', (req, res) => { var name = encodeURI(req.query.name); res.send(name); }) ``` XSS is an attack that exploits a web application or system to treat user input as markup or script code. | Escape user-controlled output (HTML entities for HTML context, JS escaping for script context). Add a Content-Security-Policy header and prefer framework-native templating over manual string interpolation. | |
| F26 | express-cors | CWE-346 | server.ts:182 | Medium | Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions. | Replace wildcard `Access-Control-Allow-Origin: *` with an explicit allowlist of trusted origins. Never combine `*` with `Allow-Credentials: true`. Validate the request `Origin` server-side. | |
| F31 | possible-timing-attacks | CWE-208 | frontend/src/app/change-password/change-password.component.ts:150 | Medium | The application was found executing string comparisons using one of `===`, `!==`, `==` or `!=` against security sensitive values. String comparisons like this are not constant time, meaning the first character found not to match in the two strings will immediately exit the conditional statement. This allows an adversary to calculate or observe small timing differences depending on the strings passed to this comparison. This potentially allows an adversary the ability to brute force a string that will match the expected value by monitoring different character values. | Compare secret values in constant time. Replace `===` / `!==` / `==` / `!=` on passwords, tokens, HMACs, or signatures with a constant-time comparison: in Node use `crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))`; in Python `hmac.compare_digest(a, b)`. Make both operands the same length first (hash them if needed) so length itself does not leak, and never short-circuit on the first mismatching byte. | |
| F32 | non-literal-regexp | CWE-185 | lib/codingChallenges.ts:76 | Medium | The `RegExp` constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests. To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as [node-re2](https://www.npmjs.com/package/re2). | Fix the vulnerable regular expression (ReDoS). Remove nested quantifiers and overlapping alternations (catastrophic backtracking), or switch to a linear-time engine (RE2 / Rust `regex` / `node-re2`). Bound the input length before matching and add a timeout around the match. Prefer a non-regex parser for structured input. | |
| F33 | non-literal-regexp | CWE-185 | lib/codingChallenges.ts:78 | Medium | The `RegExp` constructor was called with a non-literal value. If an adversary were able to supply a malicious regex, they could cause a Regular Expression Denial of Service (ReDoS) against the application. In Node applications, this could cause the entire application to no longer be responsive to other users' requests. To remediate this issue, never allow user-supplied regular expressions. Instead, the regular expression should be hardcoded. If this is not possible, consider using an alternative regular expression engine such as [node-re2](https://www.npmjs.com/package/re2). | Fix the vulnerable regular expression (ReDoS). Remove nested quantifiers and overlapping alternations (catastrophic backtracking), or switch to a linear-time engine (RE2 / Rust `regex` / `node-re2`). Bound the input length before matching and add a timeout around the match. Prefer a non-regex parser for structured input. | |
| F34 | node-insecure-random-generator | CWE-338 | lib/insecurity.ts:55 | Medium | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | |
| F35 | non-literal-fs-filename | CWE-22 | lib/utils.ts:120 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F37 | layer7-object-dos | CWE-606 | routes/basket.ts:26 | Medium | This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. This can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place. For example, if a user can control the size of an array or object passed into the application, they could create an extremely large input that gets looped over. | Bound the resource. Add request rate-limiting, a maximum request/body size, pagination limits, and timeouts on the operation. Cap loop/recursion depth and concurrent work derived from user input, and release handles (files/sockets/connections) in a `finally`/`defer` so they cannot be exhausted. | |
| F39 | possible-timing-attacks | CWE-208 | routes/changePassword.ts:28 | Medium | The application was found executing string comparisons using one of `===`, `!==`, `==` or `!=` against security sensitive values. String comparisons like this are not constant time, meaning the first character found not to match in the two strings will immediately exit the conditional statement. This allows an adversary to calculate or observe small timing differences depending on the strings passed to this comparison. This potentially allows an adversary the ability to brute force a string that will match the expected value by monitoring different character values. | Compare secret values in constant time. Replace `===` / `!==` / `==` / `!=` on passwords, tokens, HMACs, or signatures with a constant-time comparison: in Node use `crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b))`; in Python `hmac.compare_digest(a, b)`. Make both operands the same length first (hash them if needed) so length itself does not leak, and never short-circuit on the first mismatching byte. | |
| F41 | layer7-object-dos | CWE-606 | routes/currentUser.ts:23 | Medium | This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. This can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place. For example, if a user can control the size of an array or object passed into the application, they could create an extremely large input that gets looped over. | Bound the resource. Add request rate-limiting, a maximum request/body size, pagination limits, and timeouts on the operation. Cap loop/recursion depth and concurrent work derived from user input, and release handles (files/sockets/connections) in a `finally`/`defer` so they cannot be exhausted. | |
| F42 | express-lfr | CWE-23 | routes/dataErasure.ts:50 | Medium | This application is using untrusted user input in express render() function. Rendering templates with untrusted user input enables arbitrary file read vulnerabilities when using templating engines like Handlebars (hbs). An attacker can craft malicious input that traverses the filesystem and exposes sensitive files. Consider sanitizing and validating all user input before passing it to render() to prevent arbitrary file reads. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F43 | layer7-object-dos | CWE-606 | routes/dataExport.ts:72 | Medium | This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. This can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place. For example, if a user can control the size of an array or object passed into the application, they could create an extremely large input that gets looped over. | Bound the resource. Add request rate-limiting, a maximum request/body size, pagination limits, and timeouts on the operation. Cap loop/recursion depth and concurrent work derived from user input, and release handles (files/sockets/connections) in a `finally`/`defer` so they cannot be exhausted. | |
| F44 | non-literal-fs-filename | CWE-22 | routes/fileUpload.ts:33 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F45 | non-literal-fs-filename | CWE-22 | routes/fileUpload.ts:38 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F46 | non-literal-fs-filename | CWE-22 | routes/fileUpload.ts:45 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F47 | layer7-object-dos | CWE-606 | routes/likeProductReviews.ts:47 | Medium | This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. This can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place. For example, if a user can control the size of an array or object passed into the application, they could create an extremely large input that gets looped over. | Bound the resource. Add request rate-limiting, a maximum request/body size, pagination limits, and timeouts on the operation. Cap loop/recursion depth and concurrent work derived from user input, and release handles (files/sockets/connections) in a `finally`/`defer` so they cannot be exhausted. | |
| F48 | non-literal-fs-filename | CWE-22 | routes/order.ts:45 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F49 | layer7-object-dos | CWE-606 | routes/payment.ts:22 | Medium | This application is looping over user controlled objects, which can lead to a layer 7 denial of service vulnerability. A layer 7 denial of service attack refers to overloading the application layer of the OSI model, typically layer 7. This can happen when user-controlled input such as objects, arrays, strings, etc. are iterated or looped over without proper validation or limits in place. For example, if a user can control the size of an array or object passed into the application, they could create an extremely large input that gets looped over. | Bound the resource. Add request rate-limiting, a maximum request/body size, pagination limits, and timeouts on the operation. Cap loop/recursion depth and concurrent work derived from user input, and release handles (files/sockets/connections) in a `finally`/`defer` so they cannot be exhausted. | |
| F50 | non-literal-fs-filename | CWE-22 | routes/profileImageFileUpload.ts:43 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F51 | non-literal-fs-filename | CWE-22 | routes/profileImageUrlUpload.ts:29 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F52 | non-literal-fs-filename | CWE-22 | routes/videoHandler.ts:21 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F53 | non-literal-fs-filename | CWE-22 | routes/videoHandler.ts:29 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F54 | non-literal-fs-filename | CWE-22 | routes/videoHandler.ts:45 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F55 | non-literal-fs-filename | CWE-22 | routes/videoHandler.ts:82 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F56 | non-literal-fs-filename | CWE-22 | routes/vulnCodeFixes.ts:29 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F57 | non-literal-fs-filename | CWE-22 | routes/vulnCodeFixes.ts:80 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F58 | non-literal-fs-filename | CWE-22 | routes/vulnCodeFixes.ts:81 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F59 | non-literal-fs-filename | CWE-22 | rsn/rsnUtil.ts:66 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F60 | non-literal-fs-filename | CWE-22 | rsn/rsnUtil.ts:133 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F61 | non-literal-fs-filename | CWE-22 | rsn/rsnUtil.ts:134 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F62 | non-literal-fs-filename | CWE-22 | rsn/rsnUtil.ts:155 | Medium | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F224 | non-literal-fs-filename | CWE-22 | Gruntfile.js:75 | Low | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F225 | node-insecure-random-generator | CWE-338 | data/datacreator.ts:304 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | |
| F226 | node-insecure-random-generator | CWE-338 | data/datacreator.ts:322 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F227 | node-insecure-random-generator | CWE-338 | data/datacreator.ts:380 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F228 | node-insecure-random-generator | CWE-338 | data/datacreator.ts:754 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F229 | node-nosqli-injection | CWE-943 | data/static/codefixes/chatbotPromptInjectionChallenge_2_correct.ts:8 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F230 | node-insecure-random-generator | CWE-338 | frontend/src/app/Services/conversation-storage.service.ts:17 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F231 | node-insecure-random-generator | CWE-338 | frontend/src/app/chatbot/chat-welcome-screen/chat-welcome-screen.component.ts:71 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F232 | node-insecure-random-generator | CWE-338 | frontend/src/app/coding-challenge-page/components/coding-challenge-fix-it/coding-challenge-fix-it.component.ts:119 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F233 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:6359 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F234 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:6426 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F235 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:6434 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F236 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:6442 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F237 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:6450 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F238 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:15504 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F239 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:15534 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F240 | node-insecure-random-generator | CWE-338 | frontend/src/assets/private/three.js:15567 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F241 | non-literal-fs-filename | CWE-22 | lib/codingChallenges.ts:22 | Low | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F242 | non-literal-fs-filename | CWE-22 | lib/codingChallenges.ts:23 | Low | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F243 | non-literal-fs-filename | CWE-22 | lib/codingChallenges.ts:29 | Low | The application dynamically constructs file or path information. If the path information comes from user-supplied input, it could be abused to read sensitive files, access other users' data, or aid in exploitation to gain further system access. User input should never be used in constructing paths or files for interacting with the filesystem. This includes filenames supplied by user uploads or downloads. If possible, consider hashing user input or using unique values and use `path.normalize` to resolve and validate the path information prior to processing any file functionality. | Canonicalize and validate the path. Reject inputs containing `..`, NUL bytes, or absolute paths. Use `realpath` and assert the result begins with the expected base directory. | |
| F244 | node-nosqli-injection | CWE-943 | routes/address.ts:18 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F245 | node-nosqli-injection | CWE-943 | routes/basket.ts:19 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F246 | node-nosqli-injection | CWE-943 | routes/basketItems.ts:68 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F247 | node-insecure-random-generator | CWE-338 | routes/captcha.ts:14 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F248 | node-insecure-random-generator | CWE-338 | routes/captcha.ts:15 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F249 | node-insecure-random-generator | CWE-338 | routes/captcha.ts:16 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F250 | node-insecure-random-generator | CWE-338 | routes/captcha.ts:18 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F251 | node-insecure-random-generator | CWE-338 | routes/captcha.ts:19 | Low | This rule identifies use of cryptographically weak random number generators. Using cryptographically weak random number generators like `crypto.pseudoRandomBytes()` and `Math.random()` for security-critical tasks can expose systems to significant vulnerabilities. Attackers might predict the generated random numbers, compromising the integrity and confidentiality of cryptographic operations. | Replace the predictable random source with a cryptographically secure one. In Node use `crypto.randomBytes(n)` or `crypto.randomInt()` (in the browser, Web Crypto `crypto.getRandomValues()`). Never use `Math.random()`, `crypto.pseudoRandomBytes()`, or a time/PID-seeded generator for anything an attacker benefits from predicting, session ids, tokens, password-reset codes, OTPs, nonces, IVs, salts, coupon codes, or 'random' prices. If the value is genuinely non-security (e.g. UI jitter), document that so the finding can be triaged as a false positive. | — |
| F252 | node-nosqli-injection | CWE-943 | routes/captcha.ts:37 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F253 | node-nosqli-injection | CWE-943 | routes/dataErasure.ts:31 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F254 | node-nosqli-injection | CWE-943 | routes/dataErasure.ts:34 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F255 | node-nosqli-injection | CWE-943 | routes/delivery.ts:34 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F256 | node-nosqli-injection | CWE-943 | routes/deluxe.ts:19 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F257 | node-nosqli-injection | CWE-943 | routes/deluxe.ts:25 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F258 | node-nosqli-injection | CWE-943 | routes/deluxe.ts:35 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F259 | node-nosqli-injection | CWE-943 | routes/likeProductReviews.ts:19 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F260 | node-nosqli-injection | CWE-943 | routes/order.ts:35 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F261 | node-nosqli-injection | CWE-943 | routes/order.ts:74 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F262 | node-nosqli-injection | CWE-943 | routes/order.ts:121 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F263 | node-nosqli-injection | CWE-943 | routes/payment.ts:41 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F264 | node-nosqli-injection | CWE-943 | routes/resetPassword.ts:18 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F265 | node-nosqli-injection | CWE-943 | routes/resetPassword.ts:35 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F266 | node-nosqli-injection | CWE-943 | routes/securityQuestion.ts:13 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
| F267 | node-nosqli-injection | CWE-943 | routes/wallet.ts:24 | Low | Untrusted user input in findOne() function can result in NoSQL Injection. | Do not build a NoSQL query by merging untrusted request data. Reject query-operator keys in user input (`$where`, `$ne`, `$gt`, `$regex`, `$function`, ...), cast each expected value to its scalar type, and validate the request body against a strict schema before it reaches the driver. Use the driver's typed query API rather than passing a raw user-supplied object as a filter. | — |
Step 6 — OWASP Top 10 0 finding(s)
No findings for Step 6 — No issues detected.
Step 7 — Dynamic Analysis 0 finding(s)
No findings for Step 7 — Tool error.
Step 8 — Manual Testing 0 finding(s)
No findings for Step 8 — Tool error.
Step 9 — Infrastructure 17 finding(s)
| ID | Finding | CWE | Location | Severity | Description | Remediation | Fix |
|---|---|---|---|---|---|---|---|
| F24 | DS-0001 | — | Dockerfile:22 | Medium | ':latest' tag used, When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated. | Add a tag to the image in the 'FROM' statement | |
| F25 | DL3006 | — | Dockerfile:22 | Medium | Always tag the version of an image explicitly | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | |
| F85 | DS-0002 | — | test/smoke/Dockerfile | Low | Image user should not be 'root', Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. | Add 'USER <non root user name>' line to the Dockerfile | |
| F86 | DS-0025 | — | test/smoke/Dockerfile:3 | Low | 'apk add' is missing '--no-cache', You should use 'apk add' with '--no-cache' to clean package cached data and reduce image size. | Add '--no-cache' to 'apk add' in Dockerfile | |
| F87 | DS-0001 | — | test/smoke/Dockerfile:1 | Low | ':latest' tag used, When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated. | Add a tag to the image in the 'FROM' statement | |
| F88 | DS-0026 | — | Dockerfile | Low | No HEALTHCHECK defined, You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers. | Add HEALTHCHECK instruction in Dockerfile | |
| F89 | DL3059 | — | Dockerfile:5 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | |
| F90 | DL3059 | — | Dockerfile:6 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F91 | DL3059 | — | Dockerfile:7 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F92 | DL3059 | — | Dockerfile:8 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F93 | DL3059 | — | Dockerfile:9 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F94 | DL3059 | — | Dockerfile:10 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F95 | DL3059 | — | Dockerfile:11 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F96 | DL3059 | — | Dockerfile:12 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F97 | DL3059 | — | Dockerfile:13 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F98 | DL3059 | — | Dockerfile:20 | Low | Multiple consecutive `RUN` instructions. Consider consolidation. | Apply the Dockerfile best-practice noted above. Pin the base image by digest (not `:latest`), add a non-root `USER`, combine consecutive `RUN` layers with `&&`, clean package caches (`apk add --no-cache` / `rm -rf /var/lib/apt/lists/*`), and add a `HEALTHCHECK`. Re-run a Dockerfile/container-config linter to confirm the warning clears. | — |
| F99 | DS-0026 | — | test/smoke/Dockerfile | Low | No HEALTHCHECK defined, You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers. | Add HEALTHCHECK instruction in Dockerfile |
Step 10 — Backup & IR 0 finding(s)
No findings for Step 10 — Tool error.
Step 11 — Adversarial AI Review 7 finding(s)
| ID | Finding | CWE | Location | Severity | Description | Remediation | Fix |
|---|---|---|---|---|---|---|---|
| F01 | RCE/b2b-order-vm-eval-user-input | CWE-94 | routes/b2bOrder.ts:23 | Critical | Traced user input to an eval sink the static scan missed (no b2bOrder.ts entry in static_analysis_result.json). `/b2b/v2/orders` (server.ts:647, behind the `/b2b/v2` isAuthorized prefix at server.ts:423) reads `const orderLinesData = body.orderLinesData` (b2bOrder.ts:19) and passes it into `vm.runInContext('safeEval(orderLinesData)', sandbox, { timeout: 2000 })` (line 23). Both layers are bypassable security boundaries: Node's `vm` module is explicitly NOT a sandbox, and `notevil`'s `safeEval` (imported line 9) has known prototype-chain escapes. | Remove the eval path entirely: parse `orderLinesData` as JSON against a strict field allowlist (cid, items, quantities) and reject anything else, never evaluate request data as code. Delete the `vm.runInContext`/`notevil` usage at b2bOrder.ts:21-23. If an expression must be computed, use a non-Turing-complete, schema-validated parser, not `vm` or `notevil`. | |
| F13 | BOLA/basket-read-any-id | CWE-639 | routes/basket.ts:19 | High | `/rest/basket/:id` is mounted with `security.isAuthorized()` (server.ts:398), which is `expressJwt({«REDACTED: Generic Secret (unquoted) (20 chars)» (lib/insecurity.ts:54), it only validates that the JWT is well-formed and signed, never that the basket belongs to the caller. retrieveBasket then loads `BasketModel.findOne({ where: { id } })` straight from `req.params.id` (basket.ts:18-19) with no owner/tenant filter. The session user is touched only inside the `challengeUtils.solveIf(...)` scoring call at line 22, that is telemetry, NOT an authorization guard. | In retrieveBasket, derive the caller's basket id from the session (`security.authenticatedUsers.from(req).bid`) and 403 when it differs from `req.params.id`; or scope the query `BasketModel.findOne({ where: { id, UserId: <session user id> } })`. Apply the same ownership check across the sibling `:id` basket routes below. | |
| F14 | AUTHZ/change-password-without-current | CWE-620 | routes/changePassword.ts:39 | High | The handler authenticates the caller via the session token (lib/insecurity.ts authenticatedUsers, changePassword.ts:33-37 rejects an unknown token), but the current-password check at line 39 is written `if (currentPassword && security.hash(currentPassword) !== loggedInUser.data.password)`, it ONLY runs when `currentPassword` is truthy. Omit the `current` query parameter entirely and the check is skipped: line 51 calls `user.update({ «REDACTED: Generic Secret (unquoted) (29 chars)» })` with no proof the caller knows the existing password. Any party holding a valid session token (e.g. | Make `current` mandatory: reject with 401 when it is empty/absent (before the update), and compare it constant-time against `loggedInUser.data.password`. Change `if (currentPassword && ...)` at line 39 so a missing current password is a hard failure, not a bypass. Move the endpoint from GET to POST so the secret is not placed in the query string / logs. | |
| F15 | BOLA/basket-checkout-any-id | CWE-639 | routes/order.ts:35 | High | Write-side twin of the basket-read BOLA. `/rest/basket/:id/checkout` is covered only by the `security.isAuthorized()` prefix (server.ts:398), valid token, no ownership. placeOrder reads `const id = req.params.id` (order.ts:34) and `BasketModel.findOne({ where: { id } })` (line 35) with no owner check, then on success runs `BasketItemModel.destroy({ where: { BasketId: id } })` (line 50). An authenticated attacker checks out a victim's basket and wipes its items, a destructive, state-changing cross-user action. Found by sweeping every `:id` basket route, not just the read. | Before loading the basket in placeOrder, confirm `req.params.id` equals the session user's basket id (`security.authenticatedUsers.from(req).bid`) or scope the `findOne` by the session UserId; return 403 on mismatch. This single ownership check also closes the basket-read and coupon BOLAs. | |
| F17 | LOGIC/wallet-topup-without-charge | CWE-840 | routes/wallet.ts:27 | High | Verified guard first: the cross-user IDOR is NOT exploitable here, `/rest/wallet/balance` PUT runs `security.appendUserId()` (server.ts:626) which OVERWRITES `req.body.UserId` with the session user id (lib/insecurity.ts:177-178), so a caller cannot top up someone else's wallet. The real flaw is the amount: addWalletBalance only checks that a card with `req.body.paymentId` exists for the user (wallet.ts:24), then runs `WalletModel.increment({ balance: req.body.balance })` (line 27). | Do not treat `req.body.balance` as authorized credit. Charge the selected card for that exact amount through the payment flow and only `increment` by the amount the processor confirms as captured. Reject non-positive and out-of-range values server-side before the increment, and make card existence a precondition of the charge, not a substitute for it. | |
| F38 | LOGIC/basket-quantity-no-lower-bound | CWE-840 | routes/basketItems.ts:92 | Medium | quantityCheck (basketItems.ts:85-100), wired in front of both add (server.ts:426) and update (server.ts:425), only ever rejects quantities that are TOO LARGE: line 92 checks `limitPerUser >= quantity` and line 93 checks `product.quantity >= quantity` (stock). There is no lower-bound comparison, so quantity = 0 or a negative integer passes `next()`. A negative quantity persists on the basket item and flows into the order total in placeOrder (order.ts sums quantity*price), reducing the amount owed or zeroing it out. No scanner flags this, it is an ABSENT comparison, not a sink. | In quantityCheck, before the upper-bound checks, reject when `quantity` is not a positive integer (e.g. `if (!Number.isInteger(quantity) || quantity < 1) return res.status(400)...`). Enforce the same lower bound on both the add and update paths. | |
| F40 | BOLA/coupon-apply-any-id | CWE-639 | routes/coupon.ts:18 | Medium | Same missing-ownership pattern on the third `:id` basket sibling. `/rest/basket/:id/coupon/:coupon` runs under the `security.isAuthorized()` prefix only (server.ts:398). applyCoupon takes `const id = params.id` (coupon.ts:13), loads `BasketModel.findByPk(id)` (line 18) and calls `basket.update({ coupon })` (line 24) with no check that the basket is the caller's. An authenticated attacker writes a coupon onto another user's basket. Confirms the ownership gap is repeated across read (basket.ts), checkout (order.ts) and coupon (coupon.ts). | Add the same session-vs-`params.id` ownership check before `BasketModel.findByPk`/`basket.update` in applyCoupon, or scope the lookup by the session UserId; 403 on mismatch. |
Section 08
Compliance Mapping
| Finding | PCI DSS v4 | SOC2 CC | ISO 27001:2022 | OWASP 2021 | CIS Benchmark |
|---|---|---|---|---|---|
| F01 | — | — | — | — | — |
| F02 | — | — | — | — | — |
| F03 | — | — | — | — | — |
| F04 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F05 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.6 | ISO/IEC 27001:2022 A.8.20, A.8.25 | — | — |
| F06 | — | — | — | — | — |
| F07 | — | — | — | — | — |
| F08 | PCI DSS v4.0 §6.3.1, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F09 | PCI DSS v4.0 §6.3.1, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F10 | PCI DSS v4.0 §6.3.1, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F11 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F12 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F13 | — | — | — | — | — |
| F14 | — | — | — | — | — |
| F15 | — | — | — | — | — |
| F16 | PCI DSS v4.0 §6.3.1 | SOC 2 CC6.1 | — | — | — |
| F17 | — | — | — | — | — |
| F18 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F19 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F20 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F21 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F22 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F23 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F24 | — | — | — | — | — |
| F25 | — | — | — | — | — |
| F26 | — | — | — | — | — |
| F27 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F28 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F29 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F30 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F31 | — | — | — | — | — |
| F32 | — | — | — | — | — |
| F33 | — | — | — | — | — |
| F34 | — | — | — | — | — |
| F35 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F36 | PCI DSS v4.0 §6.3.1, §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.28 | — | — |
| F37 | — | — | — | — | — |
| F38 | — | — | — | — | — |
| F39 | — | — | — | — | — |
| F40 | — | — | — | — | — |
| F41 | — | — | — | — | — |
| F42 | — | — | — | — | — |
| F43 | — | — | — | — | — |
| F44 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F45 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F46 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F47 | — | — | — | — | — |
| F48 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F49 | — | — | — | — | — |
| F50 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F51 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F52 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F53 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F54 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F55 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F56 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F57 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F58 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F59 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F60 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F61 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F62 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F63 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F64 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F65 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F66 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F67 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F68 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F69 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F70 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F71 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F72 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F73 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F74 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F75 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F76 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F77 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F78 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F79 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F80 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F81 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F82 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F83 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F84 | PCI DSS v4.0 §8.3.1, §8.6.1, §8.6.2 | SOC 2 CC6.1, CC6.2 | ISO/IEC 27001:2022 A.5.16, A.8.24 | — | — |
| F85 | — | — | — | — | — |
| F86 | — | — | — | — | — |
| F87 | — | — | — | — | — |
| F88 | — | — | — | — | — |
| F89 | — | — | — | — | — |
| F90 | — | — | — | — | — |
| F91 | — | — | — | — | — |
| F92 | — | — | — | — | — |
| F93 | — | — | — | — | — |
| F94 | — | — | — | — | — |
| F95 | — | — | — | — | — |
| F96 | — | — | — | — | — |
| F97 | — | — | — | — | — |
| F98 | — | — | — | — | — |
| F99 | — | — | — | — | — |
| F100 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F101 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F102 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F103 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F104 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F105 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F106 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F107 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F108 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F109 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F110 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F111 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F112 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F113 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F114 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F115 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F116 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F117 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F118 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F119 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F120 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F121 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F122 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F123 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F124 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F125 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F126 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F127 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F128 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F129 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F130 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F131 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F132 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F133 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F134 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F135 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F136 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F137 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F138 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F139 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F140 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F141 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F142 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F143 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F144 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F145 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F146 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F147 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F148 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F149 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F150 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F151 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F152 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F153 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F154 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F155 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F156 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F157 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F158 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F159 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F160 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F161 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F162 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F163 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F164 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F165 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F166 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F167 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F168 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F169 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F170 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F171 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F172 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F173 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F174 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F175 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F176 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F177 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F178 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F179 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F180 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F181 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F182 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F183 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F184 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F185 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F186 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F187 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F188 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F189 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F190 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F191 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F192 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F193 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F194 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F195 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F196 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F197 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F198 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F199 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F200 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F201 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F202 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F203 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F204 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F205 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F206 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F207 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F208 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F209 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F210 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F211 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F212 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F213 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F214 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F215 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F216 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F217 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F218 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F219 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F220 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F221 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F222 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F223 | PCI DSS v4.0 §6.3.2, §6.3.3 | SOC 2 CC6.8 | ISO/IEC 27001:2022 A.8.25, A.8.8 | — | — |
| F224 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F225 | — | — | — | — | — |
| F226 | — | — | — | — | — |
| F227 | — | — | — | — | — |
| F228 | — | — | — | — | — |
| F229 | — | — | — | — | — |
| F230 | — | — | — | — | — |
| F231 | — | — | — | — | — |
| F232 | — | — | — | — | — |
| F233 | — | — | — | — | — |
| F234 | — | — | — | — | — |
| F235 | — | — | — | — | — |
| F236 | — | — | — | — | — |
| F237 | — | — | — | — | — |
| F238 | — | — | — | — | — |
| F239 | — | — | — | — | — |
| F240 | — | — | — | — | — |
| F241 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F242 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F243 | PCI DSS v4.0 §6.3.1, §6.3.2 | SOC 2 CC6.1, CC6.6 | ISO/IEC 27001:2022 A.8.3, A.8.25 | — | — |
| F244 | — | — | — | — | — |
| F245 | — | — | — | — | — |
| F246 | — | — | — | — | — |
| F247 | — | — | — | — | — |
| F248 | — | — | — | — | — |
| F249 | — | — | — | — | — |
| F250 | — | — | — | — | — |
| F251 | — | — | — | — | — |
| F252 | — | — | — | — | — |
| F253 | — | — | — | — | — |
| F254 | — | — | — | — | — |
| F255 | — | — | — | — | — |
| F256 | — | — | — | — | — |
| F257 | — | — | — | — | — |
| F258 | — | — | — | — | — |
| F259 | — | — | — | — | — |
| F260 | — | — | — | — | — |
| F261 | — | — | — | — | — |
| F262 | — | — | — | — | — |
| F263 | — | — | — | — | — |
| F264 | — | — | — | — | — |
| F265 | — | — | — | — | — |
| F266 | — | — | — | — | — |
| F267 | — | — | — | — | — |
Section 09
Remediation Roadmap
Week 1
- F04 — Stolen Credentials Config change (~5 min)
- F11 — Stolen Credentials Config change (~5 min)
- F12 — Stolen Credentials Config change (~5 min)
- F24 — Container Hardening Gap Config change (~5 min)
- F25 — Container Hardening Gap Config change (~5 min)
- F26 — Cross-Origin Misconfig Config change (~5 min)
- F01 — Server Takeover Small fix (1–2 hrs)
- F02 — Code-Injection Attack Small fix (1–2 hrs)
- F03 — Code-Injection Attack Small fix (1–2 hrs)
- F05 — Internal Network Abuse Small fix (1–2 hrs)
- F06 — Database Attack Small fix (1–2 hrs)
- F07 — Database Attack Small fix (1–2 hrs)
- F08 — Code-Injection Attack Small fix (1–2 hrs)
- F09 — Code-Injection Attack Small fix (1–2 hrs)
- F10 — Code-Injection Attack Small fix (1–2 hrs)
- F13 — Unauthorized Data Access Small fix (1–2 hrs)
- F14 — Account Takeover Risk Small fix (1–2 hrs)
- F15 — Unauthorized Data Access Small fix (1–2 hrs)
- F16 — Open Redirect Small fix (1–2 hrs)
- F17 — Business-Logic Abuse Small fix (1–2 hrs)
Week 2-4
- F63 — Stolen Credentials Config change (~5 min)
- F64 — Stolen Credentials Config change (~5 min)
- F65 — Stolen Credentials Config change (~5 min)
- F66 — Stolen Credentials Config change (~5 min)
- F67 — Stolen Credentials Config change (~5 min)
- F68 — Stolen Credentials Config change (~5 min)
- F69 — Stolen Credentials Config change (~5 min)
- F70 — Stolen Credentials Config change (~5 min)
- F71 — Stolen Credentials Config change (~5 min)
- F72 — Stolen Credentials Config change (~5 min)
- F73 — Stolen Credentials Config change (~5 min)
- F74 — Stolen Credentials Config change (~5 min)
- F75 — Stolen Credentials Config change (~5 min)
- F76 — Stolen Credentials Config change (~5 min)
- F77 — Stolen Credentials Config change (~5 min)
- F78 — Stolen Credentials Config change (~5 min)
- F79 — Stolen Credentials Config change (~5 min)
- F80 — Stolen Credentials Config change (~5 min)
- F81 — Stolen Credentials Config change (~5 min)
- F82 — Stolen Credentials Config change (~5 min)
- F83 — Stolen Credentials Config change (~5 min)
- F84 — Stolen Credentials Config change (~5 min)
- F85 — Container Hardening Gap Config change (~5 min)
- F86 — Container Hardening Gap Config change (~5 min)
- F87 — Container Hardening Gap Config change (~5 min)
- F88 — Container Hardening Gap Config change (~5 min)
- F89 — Container Hardening Gap Config change (~5 min)
- F90 — Container Hardening Gap Config change (~5 min)
- F91 — Container Hardening Gap Config change (~5 min)
- F92 — Container Hardening Gap Config change (~5 min)
- F93 — Container Hardening Gap Config change (~5 min)
- F94 — Container Hardening Gap Config change (~5 min)
- F95 — Container Hardening Gap Config change (~5 min)
- F96 — Container Hardening Gap Config change (~5 min)
- F97 — Container Hardening Gap Config change (~5 min)
- F98 — Container Hardening Gap Config change (~5 min)
- F99 — Container Hardening Gap Config change (~5 min)
- F18 — Browser Hijack Small fix (1–2 hrs)
- F19 — Browser Hijack Small fix (1–2 hrs)
- F20 — Browser Hijack Small fix (1–2 hrs)
- F21 — Browser Hijack Small fix (1–2 hrs)
- F22 — Browser Hijack Small fix (1–2 hrs)
- F23 — Browser Hijack Small fix (1–2 hrs)
- F27 — Unpinned CI/CD Dependency Small fix (1–2 hrs)
- F28 — Unpinned CI/CD Dependency Small fix (1–2 hrs)
- F29 — Unpinned CI/CD Dependency Small fix (1–2 hrs)
- F30 — Unpinned CI/CD Dependency Small fix (1–2 hrs)
- F31 — Timing Side-Channel Small fix (1–2 hrs)
- F32 — Security Weakness Small fix (1–2 hrs)
- F33 — Security Weakness Small fix (1–2 hrs)
- F34 — Predictable Randomness Small fix (1–2 hrs)
- F35 — File-System Escape Small fix (1–2 hrs)
- F36 — Missing Dependency Lockfile Small fix (1–2 hrs)
- F37 — Security Weakness Small fix (1–2 hrs)
- F38 — Business-Logic Abuse Small fix (1–2 hrs)
- F39 — Timing Side-Channel Small fix (1–2 hrs)
- F40 — Unauthorized Data Access Small fix (1–2 hrs)
- F41 — Security Weakness Small fix (1–2 hrs)
- F42 — Security Weakness Small fix (1–2 hrs)
- F43 — Security Weakness Small fix (1–2 hrs)
- F44 — File-System Escape Small fix (1–2 hrs)
- F45 — File-System Escape Small fix (1–2 hrs)
- F46 — File-System Escape Small fix (1–2 hrs)
- F47 — Security Weakness Small fix (1–2 hrs)
- F48 — File-System Escape Small fix (1–2 hrs)
- F49 — Security Weakness Small fix (1–2 hrs)
- F50 — File-System Escape Small fix (1–2 hrs)
- F51 — File-System Escape Small fix (1–2 hrs)
- F52 — File-System Escape Small fix (1–2 hrs)
- F53 — File-System Escape Small fix (1–2 hrs)
- F54 — File-System Escape Small fix (1–2 hrs)
- F55 — File-System Escape Small fix (1–2 hrs)
- F56 — File-System Escape Small fix (1–2 hrs)
- F57 — File-System Escape Small fix (1–2 hrs)
- F58 — File-System Escape Small fix (1–2 hrs)
- F59 — File-System Escape Small fix (1–2 hrs)
- F60 — File-System Escape Small fix (1–2 hrs)
- F61 — File-System Escape Small fix (1–2 hrs)
- F62 — File-System Escape Small fix (1–2 hrs)
Quarter
- F100 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F101 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F102 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F103 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F104 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F105 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F106 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F107 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F108 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F109 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F110 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F111 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F112 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F113 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F114 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F115 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F116 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F117 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F118 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F119 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F120 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F121 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F122 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F123 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F124 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F125 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F126 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F127 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F128 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F129 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F130 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F131 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F132 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F133 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F134 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F135 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F136 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F137 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F138 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F139 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F140 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F141 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F142 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F143 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F144 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F145 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F146 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F147 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F148 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F149 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F150 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F151 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F152 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F153 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F154 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F155 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F156 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F157 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F158 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F159 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F160 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F161 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F162 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F163 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F164 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F165 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F166 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F167 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F168 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F169 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F170 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F171 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F172 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F173 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F174 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F175 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F176 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F177 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F178 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F179 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F180 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F181 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F182 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F183 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F184 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F185 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F186 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F187 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F188 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F189 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F190 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F191 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F192 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F193 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F194 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F195 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F196 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F197 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F198 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F199 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F200 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F201 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F202 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F203 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F204 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F205 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F206 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F207 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F208 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F209 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F210 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F211 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F212 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F213 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F214 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F215 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F216 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F217 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F218 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F219 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F220 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F221 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F222 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F223 — Dependency Pinning / Lockfile Gap One-liner fix (~15 min)
- F224 — File-System Escape Small fix (1–2 hrs)
- F225 — Predictable Randomness Small fix (1–2 hrs)
- F226 — Predictable Randomness Small fix (1–2 hrs)
- F227 — Predictable Randomness Small fix (1–2 hrs)
- F228 — Predictable Randomness Small fix (1–2 hrs)
- F229 — Database Attack Small fix (1–2 hrs)
- F230 — Predictable Randomness Small fix (1–2 hrs)
- F231 — Predictable Randomness Small fix (1–2 hrs)
- F232 — Predictable Randomness Small fix (1–2 hrs)
- F233 — Predictable Randomness Small fix (1–2 hrs)
- F234 — Predictable Randomness Small fix (1–2 hrs)
- F235 — Predictable Randomness Small fix (1–2 hrs)
- F236 — Predictable Randomness Small fix (1–2 hrs)
- F237 — Predictable Randomness Small fix (1–2 hrs)
- F238 — Predictable Randomness Small fix (1–2 hrs)
- F239 — Predictable Randomness Small fix (1–2 hrs)
- F240 — Predictable Randomness Small fix (1–2 hrs)
- F241 — File-System Escape Small fix (1–2 hrs)
- F242 — File-System Escape Small fix (1–2 hrs)
- F243 — File-System Escape Small fix (1–2 hrs)
- F244 — Database Attack Small fix (1–2 hrs)
- F245 — Database Attack Small fix (1–2 hrs)
- F246 — Database Attack Small fix (1–2 hrs)
- F247 — Predictable Randomness Small fix (1–2 hrs)
- F248 — Predictable Randomness Small fix (1–2 hrs)
- F249 — Predictable Randomness Small fix (1–2 hrs)
- F250 — Predictable Randomness Small fix (1–2 hrs)
- F251 — Predictable Randomness Small fix (1–2 hrs)
- F252 — Database Attack Small fix (1–2 hrs)
- F253 — Database Attack Small fix (1–2 hrs)
- F254 — Database Attack Small fix (1–2 hrs)
- F255 — Database Attack Small fix (1–2 hrs)
- F256 — Database Attack Small fix (1–2 hrs)
- F257 — Database Attack Small fix (1–2 hrs)
- F258 — Database Attack Small fix (1–2 hrs)
- F259 — Database Attack Small fix (1–2 hrs)
- F260 — Database Attack Small fix (1–2 hrs)
- F261 — Database Attack Small fix (1–2 hrs)
- F262 — Database Attack Small fix (1–2 hrs)
- F263 — Database Attack Small fix (1–2 hrs)
- F264 — Database Attack Small fix (1–2 hrs)
- F265 — Database Attack Small fix (1–2 hrs)
- F266 — Database Attack Small fix (1–2 hrs)
- F267 — Database Attack Small fix (1–2 hrs)
Section 10
Scope & Limitations
In Scope
- Package manager:
npm - Languages: JavaScript
- Frameworks: express
- Project type: General
Out of Scope & Limitations
All 11 scan steps were invoked. Depth varies per step — see the per-step status in §5 Methodology and the live-app coverage note above for what was and was not actively tested.
- Manual review, threat modeling, and human pentest testing are outside the automated scope.
- This assessment is a point-in-time snapshot — posture may change.
Section 11
Methodology
The Vollos Lens framework executes 11 ordered steps covering static analysis, dependency review, secret scanning, configuration audit, and adversarial AI review. Each step produces a structured JSON artifact that this report consolidates.
| Step | Title | Status |
|---|---|---|
| Step 2 | Dependency Audit | skipped |
| Step 3 | Supply Chain | ok |
| Step 4 | Working-Tree Secrets | ok |
| Step 5 | Static Analysis | ok |
| Step 6 | OWASP Top 10 | ok |
| Step 7 | Dynamic Analysis | static only (no live-app run) |
| Step 8 | Manual Testing | skipped |
| Step 9 | Infrastructure | ok |
| Step 10 | Backup & IR | skipped |
| Step 11 | Adversarial AI Review | ok |
How findings are prioritised
Each finding gets a priority from P0 (fix now) to P3 (fix when convenient), based on two things: how dangerous it is, and how quick it is to fix.
- Every Critical finding is P0 — top priority no matter how long the fix takes.
- A quick fix to a serious issue jumps the queue — e.g. a 5-minute config change on a High-severity issue is also P0.
- Minor issues that need a large rewrite sink to P3.
Your findings, each with its priority, estimated effort and exact location, are listed in §9 Priority Matrix.
Section 12
Assessment Timeline
Timing not recorded.
Section 13
Attestation & Re-test
| Assessed By | Automated Assessment |
|---|---|
| Date | 2026-06-12T13:39:23Z |
| Valid Until | 2026-09-10 |
| Recommended Re-test | Within 90 days or after major release |
DISCLAIMER: This assessment is a point-in-time snapshot as of 2026-06-12T13:39:23Z. No warranty expressed or implied. Liability limited per engagement SOW. Security posture may change; re-assessment required for ongoing assurance.
Methodology Attribution: This dashboard uses methodology derived from OWASP Top 10, OWASP API Security Top 10 2023, OWASP LLM Top 10 2025, and OWASP Mobile Top 10 2024 — © OWASP Foundation, licensed CC-BY-SA-4.0 (https://creativecommons.org/licenses/by-sa/4.0/). The OWASP Foundation does not endorse this dashboard. Tool licenses and full third-party attributions: see the NOTICE file shipped with vollos-lens.
Section 14
Tool Coverage
Tool Inventory
| Tool | Version | Status |
|---|---|---|
| secret scanner | 8.21.2 | ok |
| configuration scanner | 2.12.0 | conditional-skip |
| dependency scanner | 2.3.8, 0.70.0 | ok |
| static code analysis | 1.163.0 | ok |
Status is each scanner's availability recorded at the start of the scan — `ok`: a required scanner, installed and meeting the minimum version; `conditional-skip`: an optional scanner that is installed. It reflects tool provisioning, not per-finding execution.
Step Scores
| Step | Title | Score | Weight |
|---|---|---|---|
| Step 2 | Dependency Audit | — | 0.08 |
| Step 3 | Supply Chain | 0.0/100 | 0.10 |
| Step 4 | Working-Tree Secrets | 25.0/100 | 0.14 |
| Step 5 | Static Analysis | 0.0/100 | 0.08 |
| Step 6 | OWASP Top 10 | 0.0/100 | 0.18 |
| Step 7 | Dynamic Analysis | — | 0.08 |
| Step 8 | Manual Testing | — | 0.04 |
| Step 9 | Infrastructure | 47.0/100 | 0.13 |
| Step 10 | Backup & IR | — | 0.02 |
| Step 11 | Adversarial AI Review | 0.0/100 | 0.15 |
Score is out of 100 — higher is more secure. green = strong, amber = needs work, red = weak (0 means issues were found in that area), — = no numeric score for that step (see its status in §5 Methodology).
Section 15
SBOM Summary
SBOM not generated — pass `--sbom` flag.
Section 16
Glossary
- CVSS
- Common Vulnerability Scoring System — 0.0-10.0 severity score.
- CWE
- Common Weakness Enumeration — category of software flaw.
- CVE
- Common Vulnerabilities and Exposures — unique vulnerability ID.
- OWASP Top 10
- OWASP's ranked list of top web application risks.
- P0/P1/P2/P3
- Priority tier — P0 is immediate action, P3 is backlog.
- SARIF
- Static Analysis Results Interchange Format — JSON schema for findings.
- SBOM
- Software Bill of Materials — list of project dependencies.
- HIPAA
- US Health Insurance Portability and Accountability Act — applies only to healthcare-scoped projects.
- PCI DSS v4
- Payment Card Industry Data Security Standard, version 4.
- SOC 2
- Service Organization Control 2 — auditing criteria for service providers.
Section 17
Raw Artifacts
| File | Size (bytes) | SHA256 (short) |
|---|---|---|
security_report.json | 415415 | 109328ff3644caab |
security_report.sarif | 334875 | 04b4d952827c8e98 |
security_report.md | 88926 | 4d1aeb3e7dbe5ac5 |
Section 18
Document Control
| Run Timestamp | 2026-06-12T13:39:23Z |
|---|---|
| Spec Version | v3.37 |
| Mode | standard |
| Classification | PUBLIC |
| Assessor | Automated Assessment |
| Reviewer | — |
Revision History
No prior revisions.
Distribution
No distribution list registered.
Cover
Security Assessment · Prepared by Vollos Lens
juice-shop
Report Details