
PM-20578 Added api to fetch and save data #15334


Conversation

voommen-livefront
Collaborator

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-20578

📔 Objective

Create an API service that fetches and saves data

📸 Screenshots

none at this time

⏰ Reminders before review

  • Contributor guidelines followed
  • All formatters and local linters executed and passed
  • Written new unit and / or integration tests where applicable
  • Protected functional changes with optionality (feature flags)
  • Used internationalization (i18n) for all UI strings
  • CI builds passed
  • Communicated to DevOps any deployment requirements
  • Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

  • 👍 (:+1:) or similar for great changes
  • 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
  • ❓ (:question:) for questions
  • 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
  • 🎨 (:art:) for suggestions / improvements
  • ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
  • 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
  • ⛏ (:pick:) for minor or nitpick changes

@voommen-livefront voommen-livefront requested a review from a team as a code owner June 25, 2025 18:49
Contributor

github-actions bot commented Jun 25, 2025

Checkmarx One – Scan Summary & Details (scan 5bb310ec-aabb-4366-baf8-5ca21fdb70bf)

New Issues (48)

Checkmarx found the following issues in this Pull Request

Severity | Issue | Source File / Package | Checkmarx Insight

CRITICAL | CVE-2024-40643 | Npm-htmlparser2-3.10.1 | Vulnerable Package
    Recommended version: 5.0.0
    Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: FwnulsUrQggh3vg4hYFcwdVUzrn6mU%2Bar3WvyCfY4vw%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 334 | Attack Vector
    Method Lambda at line 334 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: u%2Bq8kEU80HsgITKEkY0Ddou0kYc%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 302 | Attack Vector
    Method Lambda at line 302 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: ZszmkoDuF76FJFAInDVglX87Lcw%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 302 | Attack Vector
    Method Lambda at line 302 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: O7x%2F0wLkSm66%2FycU3W6TFugqPuM%3D

HIGH | Absolute_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 334 | Attack Vector
    Method Lambda at line 334 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: pgQhiWjQOOLU5MJq%2BHEC6M92XGI%3D

HIGH | CVE-2025-47935 | Npm-multer-1.4.5-lts.2 | Vulnerable Package
    Recommended version: 2.0.1
    Description: Multer is a Node.js middleware for handling "multipart/form-data". In versions prior to 2.0.0 are vulnerable to a resource exhaustion and memory le...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: ueEG%2B1xeTxnj47Lu1TqiC0pnU2rhZD7jL8GAFyK8mc0%3D

HIGH | CVE-2025-47944 | Npm-multer-1.4.5-lts.2 | Vulnerable Package
    Recommended version: 2.0.1
    Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability that is present in versions 1.0.0 through 1.4.5-lts.2, and 2.0.0...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: fSAONTssgGC0PBA3OTK1Znm9GUJkF4SqRxu24xhwSkI%3D

HIGH | CVE-2025-48997 | Npm-multer-1.4.5-lts.2 | Vulnerable Package
    Recommended version: 2.0.1
    Description: Multer is a Node.js middleware for handling "multipart/form-data". A vulnerability allows an attacker to trigger a Denial of Service (DoS) by sendi...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: heauZiM%2BAh6l3rqF4lLIe6ftVrjBlGdlDHDPHmXj3d4%3D

HIGH | CVE-2025-5068 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Use After Free in Blink in Google Chrome versions prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a cra...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: QWOPNSlvI6Xw9%2ByYfCDelLDcwPu3fkSfjstarGlC7bE%3D

HIGH | CVE-2025-5280 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 37.0.0
    Description: Out-of-bounds Write in V8 in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HT...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: flX6Blot%2BGX47oGyUrgKuu8POkAgwG0aEOa%2FKtHeHSE%3D

HIGH | CVE-2025-5419 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Out-of-bounds Read and Write in V8 in Google Chrome prior to 137.0.7151.68 allowed a remote attacker to potentially exploit heap corruption via a c...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: N65VhCjFjDoo%2BJ0MawAK8CQg394ASRG9Sos%2Bk3obOxI%3D

HIGH | CVE-2025-5958 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 37.0.0
    Description: Use After Free in Media in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: GVO6uDXJRu9GUzz0i%2FYWiR%2BIv%2Byfh8yXZnynLo1sLtU%3D

HIGH | CVE-2025-5959 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Type Confusion in V8 in Google Chrome prior to 137.0.7151.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HT...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: URjDf9MJyyoUD9%2B4a0I9Z%2FW012KxQ1kf2ddQDnHtd3A%3D

HIGH | CVE-2025-6191 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 37.0.0
    Description: Integer Overflow in V8 in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially perform out-of-bounds memory access via a ...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: Y5chjNdMWVJ65wbxvmjyM1MpeO3jsX9I208uy9We514%3D

HIGH | CVE-2025-6192 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.6.0
    Description: Use After Free in Metrics in Google Chrome prior to 137.0.7151.119 allowed a remote attacker to potentially exploit heap corruption via a crafted H...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: r%2BOl4Rl5a%2BqOQp4ZJWU1T4EZBxFY1h5MOuIkUB3Jkyw%3D

HIGH | Client_DOM_XSS | /apps/web/src/connectors/redirect.ts: 6 | Attack Vector
    The method Lambda embeds untrusted data in generated output with href, at line 16 of /apps/web/src/connectors/redirect.ts. This untrusted data is...
    ID: J8h77eFiSWyRh3XTl0AMwUPdp0s%3D

HIGH | Cxdca8e59f-8bfe | Npm-inflight-1.0.6 | Vulnerable Package
    Description: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: R88ZofKAkGNHomum19aqA3br5UCku54ySC%2BJjpEDH7Y%3D

HIGH | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 371 | Attack Vector
    Method Lambda at line 371 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: %2BhkfV10LUkB5qp%2BCL%2Bh9k0uQSBg%3D

HIGH | Relative_Path_Traversal | /apps/cli/src/oss-serve-configurator.ts: 371 | Attack Vector
    Method Lambda at line 371 of /apps/cli/src/oss-serve-configurator.ts gets dynamic data from the query element. This element’s value then flows ...
    ID: te4BuMJMC34bGrJHkPfNl3YB%2BrY%3D

MEDIUM | CVE-2025-30359 | Npm-webpack-dev-server-5.2.0 | Vulnerable Package
    Recommended version: 5.2.1
    Description: The webpack-dev-server allows users to use webpack with a development server that provides live reloading. The webpack-dev-server users' source cod...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: qCMNl1deOUTqxjLAgdOv7KZTqLWo7D5MhxP6bocPano%3D

MEDIUM | CVE-2025-30360 | Npm-webpack-dev-server-5.2.0 | Vulnerable Package
    Recommended version: 5.2.1
    Description: Webpack-dev-server allows users to use webpack with a development server that provides live reloading. Webpack-dev-server users' source code may b...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: fahhlYCdosesuWjJDCaQV%2FvFnDCsb5ICfCPxhklV0Uo%3D

MEDIUM | CVE-2025-5064 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Inappropriate implementation in Background Fetch API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to leak cross-origin data vi...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: o1agAvacgxU0qWBSGbHahhZe%2Bw8G39MR2Eid%2BbIxKj4%3D

MEDIUM | CVE-2025-5065 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Inappropriate implementation in FileSystemAccess API in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to perform UI spoofing via a...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: 1X9BwZf4XZPXZXg3AALLbj3uyfEFzVx7WmMC7lZeXu8%3D

MEDIUM | CVE-2025-5066 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.6.0
    Description: Inappropriate implementation in Messages in Google Chrome on Android prior to 137.0.7151.55 allowed a remote attacker who convinced a user to engag...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: Jct4NcX56gi3ZpPudtZKpSUid%2FL%2B7lGn1x9bLHxvyD8%3D

MEDIUM | CVE-2025-5281 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 36.5.0
    Description: Inappropriate implementation in BFCache in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially obtain user information vi...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: qEIHZ3f13gpZo6eLaNbWtbr4swOaAyHVVv7wnAZ4VoE%3D

MEDIUM | CVE-2025-5283 | Npm-electron-36.4.0 | Vulnerable Package
    Recommended version: 37.0.0
    Description: Use after free in libvpx in Google Chrome prior to 137.0.7151.55 allowed a remote attacker to potentially exploit heap corruption via a crafted HTM...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: xl9uttAXCkfYjNwi0RGnkulk%2BWanB9w3tZpQern1F5Y%3D

MEDIUM | CVE-2025-6555 | Npm-electron-36.4.0 | Vulnerable Package
    Description: Use After Free in Animation in Google Chrome prior to 138.0.7204.49, allowed a remote attacker to potentially exploit heap corruption via a crafted...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: tYMIMQfGg40TY4wC32VaKtUcTuJ9XXWybIAgYx%2BpAAo%3D

MEDIUM | CVE-2025-6556 | Npm-electron-36.4.0 | Vulnerable Package
    Description: Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: AYul0Fzr2AQYRLFQc0UFObGqJLn3N4lyJDz27%2FfjhjQ%3D

MEDIUM | CVE-2025-6557 | Npm-electron-36.4.0 | Vulnerable Package
    Description: Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engag...
    Attack Vector: NETWORK; Attack Complexity: LOW
    ID: %2F8r0%2BuEJkSwlx8JDNPKzXdrzeiPVR7Hru6ckTiuW%2FA8%3D

MEDIUM | Client_DOM_Open_Redirect | /apps/web/src/connectors/redirect.ts: 6 | Attack Vector
    The potentially tainted value provided by href in /apps/web/src/connectors/redirect.ts at line 6 is used as a destination URL by href in /apps/web...
    ID: ERUIOf8nz7H9qTeJgj9br44RfOU%3D

MEDIUM | Client_DOM_Open_Redirect | /apps/desktop/src/auth/scripts/duo.js: 277 | Attack Vector
    The potentially tainted value provided by substring in /apps/desktop/src/auth/scripts/duo.js at line 277 is used as a destination URL by open in /...
    ID: 0J7MONsxfaUSQFRMXNuzAJ0kfRE%3D

MEDIUM | HttpOnly_Cookie_Flag_Not_Set | /apps/web/src/connectors/sso.ts: 37 | Attack Vector
    The web application's initiateBrowserSso method creates a cookie cookie, at line 37 of /apps/web/src/connectors/sso.ts, and returns it in the resp...
    ID: GaFGH21C7jMu1QpVRaBCDH%2Bd0W8%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 405 | Attack Vector
    The application takes sensitive, personal data cipher, found at line 405 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte...
    ID: q7HHydnpXhACzwE4xIueYeF8zso%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 404 | Attack Vector
    The application takes sensitive, personal data cipherService, found at line 404 of /apps/cli/src/commands/get.command.ts, and stores it in an unp...
    ID: n%2BaXc6CneE7FbAK0qCWs1kYCUVQ%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 75 | Attack Vector
    The application takes sensitive, personal data password, found at line 75 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect...
    ID: ujO3S48DoYDAJ1Cs%2FLyFXOahkU8%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/tools/export.command.ts: 79 | Attack Vector
    The application takes sensitive, personal data password, found at line 79 of /apps/cli/src/tools/export.command.ts, and stores it in an unprotect...
    ID: lkBnHxIV9NiZA5ehPMhNSkwSarI%3D

MEDIUM | Insecure_Storage_of_Sensitive_Data | /apps/cli/src/commands/get.command.ts: 389 | Attack Vector
    The application takes sensitive, personal data cipher, found at line 389 of /apps/cli/src/commands/get.command.ts, and stores it in an unprotecte...
    ID: %2B9UKP%2ByuVtF893fdkCUTS%2BsJZ8I%3D

MEDIUM | Missing_HSTS_Header | /apps/cli/src/auth/commands/login.command.ts: 679 | Attack Vector
    The web-application does not define an HSTS header, leaving it vulnerable to attack.
    ID: WSZpSsoTSrLlZDx0o9kF3SorED8%3D

MEDIUM | Use_of_Broken_or_Risky_Cryptographic_Algorithm | /libs/node/src/services/node-crypto-function.service.ts: 362 | Attack Vector
    In toNodeCryptoAesMode, the application protects sensitive data using a cryptographic algorithm, "aes-256-ecb", that is considered weak or even t...
    ID: wAe1lEPOyUMesbINEsSjvvGqu4A%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /apps/desktop/src/app/components/avatar.component.ts: 78 | Attack Vector
    Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /apps/desktop/src/app/components/avatar...
    ID: RmRXHNEUBCsm490STUuSJBvaQVw%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/avatar/avatar.component.ts: 92 | Attack Vector
    Usage of an unsafe class bypassSecurityTrustResourceUrl, which overrides output sanitization, was found at /libs/components/src/avatar/avatar.comp...
    ID: VI4H41L4c4TnJpMpljg7%2B9YEfZw%3D

LOW | Angular_Usage_of_Unsafe_DOM_Sanitizer | /libs/components/src/icon/icon.component.ts: 24 | Attack Vector
    Usage of an unsafe class bypassSecurityTrustHtml, which overrides output sanitization, was found at /libs/components/src/icon/icon.component.ts i...
    ID: 8BNotoA3XEu%2B3TgDXF9hPlWH1W0%3D

LOW | CVE-2024-6531 | Npm-bootstrap-4.6.0 | Vulnerable Package
    Recommended version: 5.0.0
    Description: A vulnerability has been identified in Bootstrap that exposes users to Cross-Site Scripting (XSS) attacks. The issue is present in the carousel com...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: 1mY6mpa%2Bx1gy0n9eK8eygF3LEpRQvresh8W6wGfb3JE%3D

LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/pages/menu-container/autofill-inline-menu-container.ts: 68 | Attack Vector
    The application employs an HTML iframe at whose contents are not properly sandboxed
    ID: eC9rGjAaHK3DyR9G%2BtM7mnxXkNU%3D

LOW | Client_Use_Of_Iframe_Without_Sandbox | /apps/browser/src/autofill/overlay/inline-menu/iframe-content/autofill-inline-menu-iframe.service.ts: 87 | Attack Vector
    The application employs an HTML iframe at whose contents are not properly sandboxed
    ID: mfl0i7Wn6Zj3Z71nx1CQn0bYd3s%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-2.6.9 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: 459SGooi%2F0VMl4qg3XkgjJ1A6zLW6SOKmBdPgIuhYAo%3D

LOW | Cx8bc4df28-fcf5 | Npm-debug-3.2.7 | Vulnerable Package
    Recommended version: 4.4.0
    Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
    Attack Vector: NETWORK; Attack Complexity: HIGH
    ID: fd92RP82K20LZtVxTFAu%2BdtJnfkfLFYqLsA523EJYmc%3D

LOW | Missing_CSP_Header | /apps/cli/src/auth/commands/login.command.ts: 679 | Attack Vector
    A Content Security Policy is not explicitly defined within the web-application.
    ID: lLZgm2yuYYaMNn1QRee4PLSAeIA%3D


codecov bot commented Jun 25, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 36.88%. Comparing base (1df54c7) to head (d86f52f).
Report is 15 commits behind head on dirt/feature/risk-insights-saving-reports.

✅ All tests successful. No failed tests found.

Additional details and impacted files
@@                              Coverage Diff                              @@
##           dirt/feature/risk-insights-saving-reports   #15334      +/-   ##
=============================================================================
+ Coverage                                      36.83%   36.88%   +0.04%     
=============================================================================
  Files                                           3230     3231       +1     
  Lines                                          93448    93531      +83     
  Branches                                       14064    14079      +15     
=============================================================================
+ Hits                                           34424    34498      +74     
- Misses                                         57598    57604       +6     
- Partials                                        1426     1429       +3     


Contributor

@ttalty ttalty left a comment


⛏️ Just a few test case additions

Contributor


⛏️ Can you add test cases for getRiskInsightsReport and the error cases?

Collaborator Author


Done. Added test cases for the error cases as well. Thanks for catching this.

@voommen-livefront voommen-livefront requested a review from ttalty June 30, 2025 17:07
throw error; // Re-throw other errors
});

if (dbResponse instanceof Error) {
Contributor

@ttalty ttalty Jun 30, 2025


⛏️ Every other test case covered. Thank you. I know this one is a real pick but could we get a test case for this one like the other errors?

Collaborator Author


Thanks for catching this, Tom. The line of code would not execute. That's because the catch in the earlier block would handle all errors and therefore dbResponse is never an instance of Error. I removed that line of code.

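As an added illustration of the point made in the thread above (this is example code, not the PR's code or Bitwarden's code): a fetch helper whose `.catch()` maps a "not found" response to `null` and re-throws everything else, so the value it resolves to can never be an `Error` instance, together with a constructed fake transport that exercises the success path and each error path the way the requested test cases would. The `ApiTransport` interface, the `HttpError` class, the request path and the function names are assumptions made for the example.

```typescript
// Added example, not code from the PR or from Bitwarden.
// Shows why an `instanceof Error` check after a `.catch()` that either
// returns a value or re-throws is unreachable, and how to test the error paths.

interface RiskInsightsReport {
  organizationId: string;
  generatedAt: string;
}

// Hypothetical transport error carrying the HTTP status (assumption for the example).
class HttpError extends Error {
  constructor(public readonly status: number, message: string) {
    super(message);
    this.name = "HttpError";
  }
}

// Hypothetical minimal transport interface standing in for a real API service.
interface ApiTransport {
  get(path: string): Promise<unknown>;
}

// Resolves to the report, to null when the server has no report (404),
// and rejects for every other failure. Because the .catch() below either
// returns null or throws, nothing after `await` can ever see an Error value,
// so a check like `if (dbResponse instanceof Error)` would be dead code.
async function getRiskInsightsReport(
  api: ApiTransport,
  organizationId: string,
): Promise<RiskInsightsReport | null> {
  const path = `/reports/organizations/${encodeURIComponent(organizationId)}/risk-insights`;
  const dbResponse = await api
    .get(path)
    .then((body) => body as RiskInsightsReport)
    .catch((error: unknown) => {
      if (error instanceof HttpError && error.status === 404) {
        return null; // no report stored yet: a normal, expected outcome
      }
      throw error; // Re-throw other errors (401/403/5xx, network) so callers see them
    });
  return dbResponse;
}

type Mode = "ok" | "notFound" | "serverError" | "network";

// Constructed fake transport for tests: one behaviour per scenario.
function fakeTransport(mode: Mode): ApiTransport {
  return {
    async get(path: string): Promise<unknown> {
      switch (mode) {
        case "ok":
          return { organizationId: "org-1", generatedAt: "2025-06-25T00:00:00Z" };
        case "notFound":
          throw new HttpError(404, `GET ${path}: not found`);
        case "serverError":
          throw new HttpError(500, `GET ${path}: internal error`);
        case "network":
          throw new TypeError("fetch failed");
        default:
          throw new Error("unreachable");
      }
    },
  };
}

// Runs every scenario and summarises what the caller observes, so the
// success path, the null path and each re-thrown error can be asserted on.
async function runScenarios(): Promise<Record<Mode, string>> {
  const out = {} as Record<Mode, string>;
  for (const mode of ["ok", "notFound", "serverError", "network"] as const) {
    try {
      const report = await getRiskInsightsReport(fakeTransport(mode), "org-1");
      out[mode] = report === null ? "null" : `report:${report.organizationId}`;
    } catch (e) {
      out[mode] = e instanceof HttpError ? `HttpError:${e.status}` : (e as Error).name;
    }
  }
  return out;
}

// Stand-alone run: prints one line per scenario.
runScenarios().then((summary) => {
  for (const [mode, result] of Object.entries(summary)) {
    console.log(`${mode}: ${result}`);
  }
});
```

The shape worth keeping from this: only the one status that legitimately means "no data" is turned into a value; authentication and authorisation failures (401/403) and server errors still surface to the caller instead of being quietly treated as an empty report, and the test for each branch asserts on the resolved value or the rejection rather than on an `instanceof Error` check that can never trigger.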

sonarqubecloud bot commented Jul 1, 2025

@voommen-livefront voommen-livefront requested a review from ttalty July 1, 2025 13:51
@voommen-livefront voommen-livefront merged commit e591773 into dirt/feature/risk-insights-saving-reports Jul 1, 2025
53 checks passed
@voommen-livefront voommen-livefront deleted the dirt/pm-20578/create-risk-insights-api-service-2 branch July 1, 2025 18:39