
Feature 123 #184

Closed
wants to merge 19 commits into from

Conversation

julz0815
Owner

No description provided.

@github-actions



Scan Summary:
PIPELINE_SCAN_VERSION: 22.11.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 51013b8b-51c5-42de-b14c-5eabef8ea55e
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 351017 bytes
====================
Analysis Successful.
====================

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 159 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 92 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 19 issues!
=========================

@github-actions



Scan Summary:
PIPELINE_SCAN_VERSION: 22.11.0-0
DEV-STAGE: DEVELOPMENT
SCAN_ID: 1f1dd0fd-565c-42df-a0d9-54b68a752828
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 351017 bytes
====================
Analysis Successful.
====================

===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war

====================
Analyzed 159 issues.
====================



-------------------------------------
Found 5 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): WEB-INF/views/login.jsp:33
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:56
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:59
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:91
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:94
---------------------------------
Found 14 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:166
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:251
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:316
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:384
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:495
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:506
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:51
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:47
--------------------------------------
Skipping 92 issues of Medium severity.
--------------------------------------
-----------------------------------
Skipping 30 issues of Low severity.
-----------------------------------
---------------------------------------------
Skipping 18 issues of Informational severity.
---------------------------------------------


=========================
FAILURE: Found 19 issues!
=========================

@github-actions



Veracode SCA Scan failed with exit code 5

Veracode SCA Scan details

Veracode SCA agent scanning engine ready Running the Maven scanner Scanning completed Found 5479 lines of code Processing results... Processing results complete

Summary Report
Scan ID 906624cc-c0ac-414f-995e-54984015211d
Scan Date & Time Nov 26 2022 11:10AM UTC
Account type ENTERPRISE
Scan engine 3.8.11 (latest 3.8.11)
Analysis time 21 seconds
User runner
Project /home/runner/work/test-action/test-action
Package Manager(s) Maven

Open-Source Libraries
Total Libraries 50
Direct Libraries 23
Transitive Libraries 27
Vulnerable Libraries 19
Third Party Code 98.9%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph

Call Source Method Name Library
xmlfilter.filterXMLSignature [line 26] CanonicalizerSpi.engineCanonicalize([B) Apache XML Security for Java : 1.5.1
xmlfilter.main [line 14] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m
xmlfilter.main [line 16] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m

Security
With Vulnerable Methods 2
High Risk Vulnerabilities 8
Medium Risk Vulnerabilities 30
Low Risk Vulnerabilities 5

Vulnerabilities - Public Data
CVE-2017-1000487 High Risk Command Line Shell Injection Plexus Common Utilities 1.0.4
CVE-2015-6420 High Risk Arbitrary Code Execution Apache Commons Collections 4.0
CVE-2015-4852 High Risk Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0
CVE-2015-0254 High Risk XML External Entity (XXE) Through An XSLT Extension jstl 1.2
CVE-2016-1000031 High Risk Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2
CVE-2022-22965 High Risk Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE
CVE-2022-23307 High Risk Remote Code Execution (RCE) Apache Log4j 1.2.17
CVE-2019-17571 High Risk Arbitrary Code Execution Apache Log4j 1.2.17
CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web 4.3.10.RELEASE
CVE-2018-11039 Medium Risk Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE
CVE-2022-22950 Medium Risk Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2017-3586 Medium Risk Usable Expired Certificates mysql-connector-java 5.1.35
CVE-2022-21363 Medium Risk Privilege Escalation mysql-connector-java 5.1.35
CVE-2017-3523 Medium Risk Improper Automatic Deserialization mysql-connector-java 5.1.35
CVE-2022-22968 Medium Risk Binding Rules Bypass Spring Context 4.3.10.RELEASE
CVE-2018-1002200 Medium Risk Arbitrary File Write Plexus Archiver Component 1.0-alpha-3
CVE-2012-6153 Medium Risk Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1
CVE-2012-5783 Medium Risk Man In The Middle (MitM) HttpClient 3.1
CVE-2015-0886 Medium Risk Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m
CVE-2021-22096 Medium Risk Log Injection Spring Core 4.3.10.RELEASE
CVE-2018-1272 Medium Risk Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE
CVE-2017-2646 Medium Risk Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final
CVE-2017-2582 Medium Risk Information Disclosure Keycloak SAML Core 1.8.1.Final
CVE-2021-29425 Medium Risk Directory Traversal Apache Commons IO 2.4
CVE-2021-40690 Medium Risk Bypass Of Secure Validation Apache XML Security for Java 1.5.1
CVE-2013-4517 Medium Risk Denial Of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1
CVE-2013-2172 Medium Risk Spoofable XML Signature Apache XML Security for Java 1.5.1
CVE-2015-2944 Medium Risk Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 2.0.2-incubator
CVE-2022-23302 Medium Risk Deserialisation Of Untrusted Object Apache Log4j 1.2.17
CVE-2021-4104 Medium Risk Deserialisation Of Untrusted Object Apache Log4j 1.2.17
CVE-2022-23305 Medium Risk SQL Injection Apache Log4j 1.2.17
CVE-2020-9493 Medium Risk Remote Code Execution (RCE) Apache Log4j 1.2.17
CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE
CVE-2018-1271 Medium Risk Directory Traversal Spring Web MVC 4.3.10.RELEASE
CVE-2018-11040 Medium Risk Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE
CVE-2018-1199 Medium Risk Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE
CVE-2020-5421 Low Risk Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE
CVE-2020-2933 Low Risk Denial Of Service (DoS) mysql-connector-java 5.1.35
CVE-2019-2692 Low Risk Authorization Bypass mysql-connector-java 5.1.35
CVE-2017-3589 Low Risk Database Overwrite mysql-connector-java 5.1.35
CVE-2022-22970 Low Risk Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE

Vulnerabilities - Premium Data
NO-CVE Medium Risk SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final
NO-CVE Medium Risk Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4

Licenses
Unique Library Licenses 14
Libraries Using GPL 6
Libraries With High Risk License 6
Libraries With Medium Risk License 13
Libraries With Low Risk License 44
Libraries With Multiple Licenses 8
Libraries With Unassessable License 0
Libraries With Unrecognizable License 2

Issues
Issue ID Issue Type Severity Description Library Name & Version In Use
152544916 Vulnerability 7.5 CVE-2016-1000031: Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2
152544917 Vulnerability 5.8 CVE-2012-5783: Man In The Middle (MitM) HttpClient 3.1
152544918 Vulnerability 4.3 CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1
152544919 Vulnerability 5.8 CVE-2021-29425: Directory Traversal Apache Commons IO 2.4
152544920 Vulnerability 5.1 NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4
152544921 Vulnerability 7.5 CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension jstl 1.2
152544922 Vulnerability 9.0 CVE-2022-23307: Remote Code Execution (RCE) Apache Log4j 1.2.17
152544923 Vulnerability 7.5 CVE-2019-17571: Arbitrary Code Execution Apache Log4j 1.2.17
152544924 Vulnerability 6.8 CVE-2020-9493: Remote Code Execution (RCE) Apache Log4j 1.2.17
152544925 Vulnerability 6.8 CVE-2022-23305: SQL Injection Apache Log4j 1.2.17
152544926 Vulnerability 6.0 CVE-2021-4104: Deserialisation Of Untrusted Object Apache Log4j 1.2.17
152544927 Vulnerability 6.0 CVE-2022-23302: Deserialisation Of Untrusted Object Apache Log4j 1.2.17
152544928 Vulnerability 6.0 CVE-2022-21363: Privilege Escalation mysql-connector-java 5.1.35
152544929 Vulnerability 6.0 CVE-2017-3523: Improper Automatic Deserialization mysql-connector-java 5.1.35
152544930 Vulnerability 5.5 CVE-2017-3586: Usable Expired Certificates mysql-connector-java 5.1.35
152544931 Vulnerability 3.5 CVE-2020-2933: Denial Of Service (DoS) mysql-connector-java 5.1.35
152544932 Vulnerability 3.5 CVE-2019-2692: Authorization Bypass mysql-connector-java 5.1.35
152544933 Vulnerability 2.1 CVE-2017-3589: Database Overwrite mysql-connector-java 5.1.35
152544934 Vulnerability 7.5 CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0
152544935 Vulnerability 7.5 CVE-2015-6420: Arbitrary Code Execution Apache Commons Collections 4.0
152544936 Vulnerability 5.0 CVE-2021-40690: Bypass Of Secure Validation Apache XML Security for Java 1.5.1
152544937 Vulnerability 4.3 CVE-2013-4517: Denial of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1
152544938 Vulnerability 4.3 CVE-2013-2172: Spoofable XML Signature Apache XML Security for Java 1.5.1
152544939 Vulnerability 4.3 CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 2.0.2-incubator
152544940 Vulnerability 4.3 CVE-2018-1002200: Arbitrary File Write Plexus Archiver Component 1.0-alpha-3
152544941 Vulnerability 7.5 CVE-2017-1000487: Command Line Shell Injection Plexus Common Utilities 1.0.4
152544942 Vulnerability 6.4 NO-CVE: SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final
152544943 Vulnerability 5.0 CVE-2017-2646: Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final
152544944 Vulnerability 4.0 CVE-2017-2582: Information Disclosure Keycloak SAML Core 1.8.1.Final
152544945 Vulnerability 5.0 CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m
152544946 Vulnerability 7.5 CVE-2022-22965: Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE
152544947 Vulnerability 3.5 CVE-2022-22970: Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE
152544948 Vulnerability 5.0 CVE-2022-22968: Binding Rules Bypass Spring Context 4.3.10.RELEASE
152544949 Vulnerability 6.0 CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE
152544950 Vulnerability 4.0 CVE-2021-22096: Log Injection Spring Core 4.3.10.RELEASE
152544951 Vulnerability 4.0 CVE-2022-22950: Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE
152544952 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web 4.3.10.RELEASE
152544953 Vulnerability 4.3 CVE-2018-11039: Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE
152544954 Vulnerability 3.6 CVE-2020-5421: Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE
152544955 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE
152544956 Vulnerability 5.0 CVE-2018-1199: Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE
152544957 Vulnerability 4.3 CVE-2018-1271: Directory Traversal Spring Web MVC 4.3.10.RELEASE
152544958 Vulnerability 4.3 CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE
152544959 Outdated Library 3.0 Latest version at scan: 4.0.1 Old JAXB Core 2.3.0
152544960 Outdated Library 3.0 Latest version at scan: 4.0.1 Old JAXB Runtime 2.3.0
152544961 Outdated Library 3.0 Latest version at scan: 1.4 Apache Commons FileUpload 1.3.2
152544962 Outdated Library 3.0 Latest version at scan: 2.11.0 Apache Commons IO 2.4
152544963 Outdated Library 3.0 Latest version at scan: 1.5.0-b01 JavaMail API (compat) 1.4.7
152544964 Outdated Library 3.0 Latest version at scan: 4.0.1 Java Servlet API 3.0.1
152544965 Outdated Library 3.0 Latest version at scan: 2.4.0-b180830.0359 jaxb-api 2.3.0
152544966 Outdated Library 3.0 Latest version at scan: 8.0.31 mysql-connector-java 5.1.35
152544967 Outdated Library 3.0 Latest version at scan: 4.4 Apache Commons Collections 4.0
152544968 Outdated Library 3.0 Latest version at scan: 2.4.2 Apache Sling Maven Plugin Relocation 2.0.4-incubator
152544969 Outdated Library 3.0 Latest version at scan: 20.0.1 Keycloak SAML Core 1.8.1.Final
152544970 Outdated Library 3.0 Latest version at scan: 0.4 jBCrypt 0.3m
152544971 Outdated Library 3.0 Latest version at scan: 1.2.3 JSP Encoder 1.2.1
152544972 Outdated Library 3.0 Latest version at scan: 1.2.3 Java Encoder 1.2.1
152544973 Outdated Library 3.0 Latest version at scan: 2.0.5 SLF4J LOG4J-12 Binding relocated 1.7.7
152544974 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Context 4.3.10.RELEASE
152544975 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Core 4.3.10.RELEASE
152544976 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring JDBC 4.3.10.RELEASE
152544977 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Transaction 4.3.10.RELEASE
152544978 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Web 4.3.10.RELEASE
152544979 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Web MVC 4.3.10.RELEASE
152544980 License 9.0 Library Uses Unapproved License Old JAXB Core 2.3.0
152544981 License 9.0 Library Uses Unapproved License Old JAXB Runtime 2.3.0
152544982 License 9.0 Library Uses Unapproved License jstl 1.2
152544983 License 9.0 Library Uses Unapproved License mysql-connector-java 5.1.35

Full Report Details https://sca.analysiscenter.veracode.com/teams/PaaiORy/scans/43752466


@github-actions



Veracode SCA Scan failed with exit code 5

Veracode SCA Scan details

Veracode SCA agent scanning engine ready Running the Maven scanner Scanning completed Found 5479 lines of code Processing results... Processing results complete

Summary Report
Scan ID 04bc2453-93f3-4485-96c4-e758f0e2920b
Scan Date & Time Nov 26 2022 11:18AM UTC
Account type ENTERPRISE
Scan engine 3.8.11 (latest 3.8.11)
Analysis time 19 seconds
User runner
Project /home/runner/work/test-action/test-action
Package Manager(s) Maven

Open-Source Libraries
Total Libraries 50
Direct Libraries 23
Transitive Libraries 27
Vulnerable Libraries 19
Third Party Code 98.9%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph

Call Source Method Name Library
xmlfilter.filterXMLSignature [line 26] CanonicalizerSpi.engineCanonicalize([B) Apache XML Security for Java : 1.5.1
xmlfilter.main [line 14] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m
xmlfilter.main [line 16] BCrypt.crypt_raw([B[BI) jBCrypt : 0.3m

Security
With Vulnerable Methods 2
High Risk Vulnerabilities 8
Medium Risk Vulnerabilities 30
Low Risk Vulnerabilities 5

Vulnerabilities - Public Data
CVE-2017-1000487 High Risk Command Line Shell Injection Plexus Common Utilities 1.0.4
CVE-2015-6420 High Risk Arbitrary Code Execution Apache Commons Collections 4.0
CVE-2015-4852 High Risk Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0
CVE-2015-0254 High Risk XML External Entity (XXE) Through An XSLT Extension jstl 1.2
CVE-2016-1000031 High Risk Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2
CVE-2022-22965 High Risk Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE
CVE-2022-23307 High Risk Remote Code Execution (RCE) Apache Log4j 1.2.17
CVE-2019-17571 High Risk Arbitrary Code Execution Apache Log4j 1.2.17
CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web 4.3.10.RELEASE
CVE-2018-11039 Medium Risk Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE
CVE-2022-22950 Medium Risk Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2017-3586 Medium Risk Usable Expired Certificates mysql-connector-java 5.1.35
CVE-2022-21363 Medium Risk Privilege Escalation mysql-connector-java 5.1.35
CVE-2017-3523 Medium Risk Improper Automatic Deserialization mysql-connector-java 5.1.35
CVE-2022-22968 Medium Risk Binding Rules Bypass Spring Context 4.3.10.RELEASE
CVE-2018-1002200 Medium Risk Arbitrary File Write Plexus Archiver Component 1.0-alpha-3
CVE-2012-6153 Medium Risk Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1
CVE-2012-5783 Medium Risk Man In The Middle (MitM) HttpClient 3.1
CVE-2015-0886 Medium Risk Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m
CVE-2021-22096 Medium Risk Log Injection Spring Core 4.3.10.RELEASE
CVE-2018-1272 Medium Risk Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE
CVE-2017-2646 Medium Risk Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final
CVE-2017-2582 Medium Risk Information Disclosure Keycloak SAML Core 1.8.1.Final
CVE-2021-29425 Medium Risk Directory Traversal Apache Commons IO 2.4
CVE-2021-40690 Medium Risk Bypass Of Secure Validation Apache XML Security for Java 1.5.1
CVE-2013-4517 Medium Risk Denial Of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1
CVE-2013-2172 Medium Risk Spoofable XML Signature Apache XML Security for Java 1.5.1
CVE-2015-2944 Medium Risk Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 2.0.2-incubator
CVE-2022-23302 Medium Risk Deserialisation Of Untrusted Object Apache Log4j 1.2.17
CVE-2021-4104 Medium Risk Deserialisation Of Untrusted Object Apache Log4j 1.2.17
CVE-2022-23305 Medium Risk SQL Injection Apache Log4j 1.2.17
CVE-2020-9493 Medium Risk Remote Code Execution (RCE) Apache Log4j 1.2.17
CVE-2018-15756 Medium Risk Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE
CVE-2018-1271 Medium Risk Directory Traversal Spring Web MVC 4.3.10.RELEASE
CVE-2018-11040 Medium Risk Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE
CVE-2018-1199 Medium Risk Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE
CVE-2020-5421 Low Risk Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE
CVE-2020-2933 Low Risk Denial Of Service (DoS) mysql-connector-java 5.1.35
CVE-2019-2692 Low Risk Authorization Bypass mysql-connector-java 5.1.35
CVE-2017-3589 Low Risk Database Overwrite mysql-connector-java 5.1.35
CVE-2022-22970 Low Risk Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE

Vulnerabilities - Premium Data
NO-CVE Medium Risk SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final
NO-CVE Medium Risk Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4

Licenses
Unique Library Licenses 14
Libraries Using GPL 6
Libraries With High Risk License 6
Libraries With Medium Risk License 13
Libraries With Low Risk License 44
Libraries With Multiple Licenses 8
Libraries With Unassessable License 0
Libraries With Unrecognizable License 2

Issues
Issue ID Issue Type Severity Description Library Name & Version In Use
152544916 Vulnerability 7.5 CVE-2016-1000031: Remote Code Execution Via Serialization Apache Commons FileUpload 1.3.2
152544917 Vulnerability 5.8 CVE-2012-5783: Man In The Middle (MitM) HttpClient 3.1
152544918 Vulnerability 4.3 CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers HttpClient 3.1
152544919 Vulnerability 5.8 CVE-2021-29425: Directory Traversal Apache Commons IO 2.4
152544920 Vulnerability 5.1 NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization Apache Commons IO 2.4
152544921 Vulnerability 7.5 CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension jstl 1.2
152544922 Vulnerability 9.0 CVE-2022-23307: Remote Code Execution (RCE) Apache Log4j 1.2.17
152544923 Vulnerability 7.5 CVE-2019-17571: Arbitrary Code Execution Apache Log4j 1.2.17
152544924 Vulnerability 6.8 CVE-2020-9493: Remote Code Execution (RCE) Apache Log4j 1.2.17
152544925 Vulnerability 6.8 CVE-2022-23305: SQL Injection Apache Log4j 1.2.17
152544926 Vulnerability 6.0 CVE-2021-4104: Deserialisation Of Untrusted Object Apache Log4j 1.2.17
152544927 Vulnerability 6.0 CVE-2022-23302: Deserialisation Of Untrusted Object Apache Log4j 1.2.17
152544928 Vulnerability 6.0 CVE-2022-21363: Privilege Escalation mysql-connector-java 5.1.35
152544929 Vulnerability 6.0 CVE-2017-3523: Improper Automatic Deserialization mysql-connector-java 5.1.35
152544930 Vulnerability 5.5 CVE-2017-3586: Usable Expired Certificates mysql-connector-java 5.1.35
152544931 Vulnerability 3.5 CVE-2020-2933: Denial Of Service (DoS) mysql-connector-java 5.1.35
152544932 Vulnerability 3.5 CVE-2019-2692: Authorization Bypass mysql-connector-java 5.1.35
152544933 Vulnerability 2.1 CVE-2017-3589: Database Overwrite mysql-connector-java 5.1.35
152544934 Vulnerability 7.5 CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization Apache Commons Collections 4.0
152544935 Vulnerability 7.5 CVE-2015-6420: Arbitrary Code Execution Apache Commons Collections 4.0
152544936 Vulnerability 5.0 CVE-2021-40690: Bypass Of Secure Validation Apache XML Security for Java 1.5.1
152544937 Vulnerability 4.3 CVE-2013-4517: Denial of Service (DoS) Memory Consumption Apache XML Security for Java 1.5.1
152544938 Vulnerability 4.3 CVE-2013-2172: Spoofable XML Signature Apache XML Security for Java 1.5.1
152544939 Vulnerability 4.3 CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities Apache Sling API 2.0.2-incubator
152544940 Vulnerability 4.3 CVE-2018-1002200: Arbitrary File Write Plexus Archiver Component 1.0-alpha-3
152544941 Vulnerability 7.5 CVE-2017-1000487: Command Line Shell Injection Plexus Common Utilities 1.0.4
152544942 Vulnerability 6.4 NO-CVE: SAML Assertion Insertion Keycloak SAML Core 1.8.1.Final
152544943 Vulnerability 5.0 CVE-2017-2646: Denial Of Service (DoS) Keycloak SAML Core 1.8.1.Final
152544944 Vulnerability 4.0 CVE-2017-2582: Information Disclosure Keycloak SAML Core 1.8.1.Final
152544945 Vulnerability 5.0 CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw jBCrypt 0.3m
152544946 Vulnerability 7.5 CVE-2022-22965: Remote Code Execution (RCE) Spring Beans 4.3.10.RELEASE
152544947 Vulnerability 3.5 CVE-2022-22970: Denial Of Service (DoS) Spring Beans 4.3.10.RELEASE
152544948 Vulnerability 5.0 CVE-2022-22968: Binding Rules Bypass Spring Context 4.3.10.RELEASE
152544949 Vulnerability 6.0 CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution Spring Core 4.3.10.RELEASE
152544950 Vulnerability 4.0 CVE-2021-22096: Log Injection Spring Core 4.3.10.RELEASE
152544951 Vulnerability 4.0 CVE-2022-22950: Denial Of Service (DoS) Spring Expression Language (SpEL) 4.3.10.RELEASE
152544952 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web 4.3.10.RELEASE
152544953 Vulnerability 4.3 CVE-2018-11039: Cross-Site Tracing (XST) Spring Web 4.3.10.RELEASE
152544954 Vulnerability 3.6 CVE-2020-5421: Reflected File Download (RFD) Attack Spring Web 4.3.10.RELEASE
152544955 Vulnerability 5.0 CVE-2018-15756: Denial Of Service (DoS) Spring Web MVC 4.3.10.RELEASE
152544956 Vulnerability 5.0 CVE-2018-1199: Security Constraint Bypass Spring Web MVC 4.3.10.RELEASE
152544957 Vulnerability 4.3 CVE-2018-1271: Directory Traversal Spring Web MVC 4.3.10.RELEASE
152544958 Vulnerability 4.3 CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults Spring Web MVC 4.3.10.RELEASE
152544959 Outdated Library 3.0 Latest version at scan: 4.0.1 Old JAXB Core 2.3.0
152544960 Outdated Library 3.0 Latest version at scan: 4.0.1 Old JAXB Runtime 2.3.0
152544961 Outdated Library 3.0 Latest version at scan: 1.4 Apache Commons FileUpload 1.3.2
152544962 Outdated Library 3.0 Latest version at scan: 2.11.0 Apache Commons IO 2.4
152544963 Outdated Library 3.0 Latest version at scan: 1.5.0-b01 JavaMail API (compat) 1.4.7
152544964 Outdated Library 3.0 Latest version at scan: 4.0.1 Java Servlet API 3.0.1
152544965 Outdated Library 3.0 Latest version at scan: 2.4.0-b180830.0359 jaxb-api 2.3.0
152544966 Outdated Library 3.0 Latest version at scan: 8.0.31 mysql-connector-java 5.1.35
152544967 Outdated Library 3.0 Latest version at scan: 4.4 Apache Commons Collections 4.0
152544968 Outdated Library 3.0 Latest version at scan: 2.4.2 Apache Sling Maven Plugin Relocation 2.0.4-incubator
152544969 Outdated Library 3.0 Latest version at scan: 20.0.1 Keycloak SAML Core 1.8.1.Final
152544970 Outdated Library 3.0 Latest version at scan: 0.4 jBCrypt 0.3m
152544971 Outdated Library 3.0 Latest version at scan: 1.2.3 JSP Encoder 1.2.1
152544972 Outdated Library 3.0 Latest version at scan: 1.2.3 Java Encoder 1.2.1
152544973 Outdated Library 3.0 Latest version at scan: 2.0.5 SLF4J LOG4J-12 Binding relocated 1.7.7
152544974 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Context 4.3.10.RELEASE
152544975 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Core 4.3.10.RELEASE
152544976 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring JDBC 4.3.10.RELEASE
152544977 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Transaction 4.3.10.RELEASE
152544978 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Web 4.3.10.RELEASE
152544979 Outdated Library 3.0 Latest version at scan: 6.0.2 Spring Web MVC 4.3.10.RELEASE
152544980 License 9.0 Library Uses Unapproved License Old JAXB Core 2.3.0
152544981 License 9.0 Library Uses Unapproved License Old JAXB Runtime 2.3.0
152544982 License 9.0 Library Uses Unapproved License jstl 1.2
152544983 License 9.0 Library Uses Unapproved License mysql-connector-java 5.1.35

Full Report Details https://sca.analysiscenter.veracode.com/teams/PaaiORy/scans/43752518

@github-actions
Veracode SCA Scan failed with exit code 5

Veracode SCA Scan details

Veracode SCA agent scanning engine ready
Running the Maven scanner
Scanning completed
Found 5479 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID: 3d5b86be-47e5-4761-b88e-593c7cc010f4
Scan Date & Time: Nov 26 2022 11:22AM UTC
Account type: ENTERPRISE
Scan engine: 3.8.11 (latest 3.8.11)
Analysis time: 18 seconds
User: runner
Project: /home/runner/work/test-action/test-action
Package Manager(s): Maven

Open-Source Libraries
Total Libraries: 50
Direct Libraries: 23
Transitive Libraries: 27
Vulnerable Libraries: 19
Third Party Code: 98.9%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph

| Call Source | Method Name | Library |
| --- | --- | --- |
| xmlfilter.filterXMLSignature [line 26] | CanonicalizerSpi.engineCanonicalize([B) | Apache XML Security for Java : 1.5.1 |
| xmlfilter.main [line 14] | BCrypt.crypt_raw([B[BI) | jBCrypt : 0.3m |
| xmlfilter.main [line 16] | BCrypt.crypt_raw([B[BI) | jBCrypt : 0.3m |

Security
With Vulnerable Methods: 2
High Risk Vulnerabilities: 8
Medium Risk Vulnerabilities: 30
Low Risk Vulnerabilities: 5

Vulnerabilities - Public Data

| CVE | Risk | Description | Library |
| --- | --- | --- | --- |
| CVE-2017-1000487 | High Risk | Command Line Shell Injection | Plexus Common Utilities 1.0.4 |
| CVE-2015-6420 | High Risk | Arbitrary Code Execution | Apache Commons Collections 4.0 |
| CVE-2015-4852 | High Risk | Potential Remote Code Execution Via Java Object Deserialization | Apache Commons Collections 4.0 |
| CVE-2015-0254 | High Risk | XML External Entity (XXE) Through An XSLT Extension | jstl 1.2 |
| CVE-2016-1000031 | High Risk | Remote Code Execution Via Serialization | Apache Commons FileUpload 1.3.2 |
| CVE-2022-22965 | High Risk | Remote Code Execution (RCE) | Spring Beans 4.3.10.RELEASE |
| CVE-2022-23307 | High Risk | Remote Code Execution (RCE) | Apache Log4j 1.2.17 |
| CVE-2019-17571 | High Risk | Arbitrary Code Execution | Apache Log4j 1.2.17 |
| CVE-2018-15756 | Medium Risk | Denial Of Service (DoS) | Spring Web 4.3.10.RELEASE |
| CVE-2018-11039 | Medium Risk | Cross-Site Tracing (XST) | Spring Web 4.3.10.RELEASE |
| CVE-2022-22950 | Medium Risk | Denial Of Service (DoS) | Spring Expression Language (SpEL) 4.3.10.RELEASE |
| CVE-2017-3586 | Medium Risk | Usable Expired Certificates | mysql-connector-java 5.1.35 |
| CVE-2022-21363 | Medium Risk | Privilege Escalation | mysql-connector-java 5.1.35 |
| CVE-2017-3523 | Medium Risk | Improper Automatic Deserialization | mysql-connector-java 5.1.35 |
| CVE-2022-22968 | Medium Risk | Binding Rules Bypass | Spring Context 4.3.10.RELEASE |
| CVE-2018-1002200 | Medium Risk | Arbitrary File Write | Plexus Archiver Component 1.0-alpha-3 |
| CVE-2012-6153 | Medium Risk | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | HttpClient 3.1 |
| CVE-2012-5783 | Medium Risk | Man In The Middle (MitM) | HttpClient 3.1 |
| CVE-2015-0886 | Medium Risk | Information Disclosure Of Password Hashes Through Crypt_raw | jBCrypt 0.3m |
| CVE-2021-22096 | Medium Risk | Log Injection | Spring Core 4.3.10.RELEASE |
| CVE-2018-1272 | Medium Risk | Privilege Escalation Through Multipart Content Pollution | Spring Core 4.3.10.RELEASE |
| CVE-2017-2646 | Medium Risk | Denial Of Service (DoS) | Keycloak SAML Core 1.8.1.Final |
| CVE-2017-2582 | Medium Risk | Information Disclosure | Keycloak SAML Core 1.8.1.Final |
| CVE-2021-29425 | Medium Risk | Directory Traversal | Apache Commons IO 2.4 |
| CVE-2021-40690 | Medium Risk | Bypass Of Secure Validation | Apache XML Security for Java 1.5.1 |
| CVE-2013-4517 | Medium Risk | Denial Of Service (DoS) Memory Consumption | Apache XML Security for Java 1.5.1 |
| CVE-2013-2172 | Medium Risk | Spoofable XML Signature | Apache XML Security for Java 1.5.1 |
| CVE-2015-2944 | Medium Risk | Multiple Cross-site Scripting (XSS) Vulnerabilities | Apache Sling API 2.0.2-incubator |
| CVE-2022-23302 | Medium Risk | Deserialisation Of Untrusted Object | Apache Log4j 1.2.17 |
| CVE-2021-4104 | Medium Risk | Deserialisation Of Untrusted Object | Apache Log4j 1.2.17 |
| CVE-2022-23305 | Medium Risk | SQL Injection | Apache Log4j 1.2.17 |
| CVE-2020-9493 | Medium Risk | Remote Code Execution (RCE) | Apache Log4j 1.2.17 |
| CVE-2018-15756 | Medium Risk | Denial Of Service (DoS) | Spring Web MVC 4.3.10.RELEASE |
| CVE-2018-1271 | Medium Risk | Directory Traversal | Spring Web MVC 4.3.10.RELEASE |
| CVE-2018-11040 | Medium Risk | Cross-Domain Request Through Insecure JSONP Defaults | Spring Web MVC 4.3.10.RELEASE |
| CVE-2018-1199 | Medium Risk | Security Constraint Bypass | Spring Web MVC 4.3.10.RELEASE |
| CVE-2020-5421 | Low Risk | Reflected File Download (RFD) Attack | Spring Web 4.3.10.RELEASE |
| CVE-2020-2933 | Low Risk | Denial Of Service (DoS) | mysql-connector-java 5.1.35 |
| CVE-2019-2692 | Low Risk | Authorization Bypass | mysql-connector-java 5.1.35 |
| CVE-2017-3589 | Low Risk | Database Overwrite | mysql-connector-java 5.1.35 |
| CVE-2022-22970 | Low Risk | Denial Of Service (DoS) | Spring Beans 4.3.10.RELEASE |

Vulnerabilities - Premium Data

| CVE | Risk | Description | Library |
| --- | --- | --- | --- |
| NO-CVE | Medium Risk | SAML Assertion Insertion | Keycloak SAML Core 1.8.1.Final |
| NO-CVE | Medium Risk | Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4 |

Licenses
Unique Library Licenses: 14
Libraries Using GPL: 6
Libraries With High Risk License: 6
Libraries With Medium Risk License: 13
Libraries With Low Risk License: 44
Libraries With Multiple Licenses: 8
Libraries With Unassessable License: 0
Libraries With Unrecognizable License: 2

Issues

| Issue ID | Issue Type | Severity | Description | Library Name & Version In Use |
| --- | --- | --- | --- | --- |
| 152544916 | Vulnerability | 7.5 | CVE-2016-1000031: Remote Code Execution Via Serialization | Apache Commons FileUpload 1.3.2 |
| 152544917 | Vulnerability | 5.8 | CVE-2012-5783: Man In The Middle (MitM) | HttpClient 3.1 |
| 152544918 | Vulnerability | 4.3 | CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers | HttpClient 3.1 |
| 152544919 | Vulnerability | 5.8 | CVE-2021-29425: Directory Traversal | Apache Commons IO 2.4 |
| 152544920 | Vulnerability | 5.1 | NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization | Apache Commons IO 2.4 |
| 152544921 | Vulnerability | 7.5 | CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension | jstl 1.2 |
| 152544922 | Vulnerability | 9.0 | CVE-2022-23307: Remote Code Execution (RCE) | Apache Log4j 1.2.17 |
| 152544923 | Vulnerability | 7.5 | CVE-2019-17571: Arbitrary Code Execution | Apache Log4j 1.2.17 |
| 152544924 | Vulnerability | 6.8 | CVE-2020-9493: Remote Code Execution (RCE) | Apache Log4j 1.2.17 |
| 152544925 | Vulnerability | 6.8 | CVE-2022-23305: SQL Injection | Apache Log4j 1.2.17 |
| 152544926 | Vulnerability | 6.0 | CVE-2021-4104: Deserialisation Of Untrusted Object | Apache Log4j 1.2.17 |
| 152544927 | Vulnerability | 6.0 | CVE-2022-23302: Deserialisation Of Untrusted Object | Apache Log4j 1.2.17 |
| 152544928 | Vulnerability | 6.0 | CVE-2022-21363: Privilege Escalation | mysql-connector-java 5.1.35 |
| 152544929 | Vulnerability | 6.0 | CVE-2017-3523: Improper Automatic Deserialization | mysql-connector-java 5.1.35 |
| 152544930 | Vulnerability | 5.5 | CVE-2017-3586: Usable Expired Certificates | mysql-connector-java 5.1.35 |
| 152544931 | Vulnerability | 3.5 | CVE-2020-2933: Denial Of Service (DoS) | mysql-connector-java 5.1.35 |
| 152544932 | Vulnerability | 3.5 | CVE-2019-2692: Authorization Bypass | mysql-connector-java 5.1.35 |
| 152544933 | Vulnerability | 2.1 | CVE-2017-3589: Database Overwrite | mysql-connector-java 5.1.35 |
| 152544934 | Vulnerability | 7.5 | CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization | Apache Commons Collections 4.0 |
| 152544935 | Vulnerability | 7.5 | CVE-2015-6420: Arbitrary Code Execution | Apache Commons Collections 4.0 |
| 152544936 | Vulnerability | 5.0 | CVE-2021-40690: Bypass Of Secure Validation | Apache XML Security for Java 1.5.1 |
| 152544937 | Vulnerability | 4.3 | CVE-2013-4517: Denial of Service (DoS) Memory Consumption | Apache XML Security for Java 1.5.1 |
| 152544938 | Vulnerability | 4.3 | CVE-2013-2172: Spoofable XML Signature | Apache XML Security for Java 1.5.1 |
| 152544939 | Vulnerability | 4.3 | CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities | Apache Sling API 2.0.2-incubator |
| 152544940 | Vulnerability | 4.3 | CVE-2018-1002200: Arbitrary File Write | Plexus Archiver Component 1.0-alpha-3 |
| 152544941 | Vulnerability | 7.5 | CVE-2017-1000487: Command Line Shell Injection | Plexus Common Utilities 1.0.4 |
| 152544942 | Vulnerability | 6.4 | NO-CVE: SAML Assertion Insertion | Keycloak SAML Core 1.8.1.Final |
152544943                Vulnerability                            5.0                                    CVE-2017-2646:    Denial    Of    Service    (DoS)                                                                                                                                                                                                            Keycloak    SAML    Core    1.8.1.Final
152544944                Vulnerability                            4.0                                    CVE-2017-2582:    Information    Disclosure                                                                                                                                                                                                                Keycloak    SAML    Core    1.8.1.Final
152544945                Vulnerability                            5.0                                    CVE-2015-0886:    Information    Disclosure    Of    Password    Hashes    Through    Crypt_raw                                                            jBCrypt    0.3m
152544946                Vulnerability                            7.5                                    CVE-2022-22965:    Remote    Code    Execution    (RCE)                                                                                                                                                                                        Spring    Beans    4.3.10.RELEASE
152544947                Vulnerability                            3.5                                    CVE-2022-22970:    Denial    Of    Service    (DoS)                                                                                                                                                                                                        Spring    Beans    4.3.10.RELEASE
152544948                Vulnerability                            5.0                                    CVE-2022-22968:    Binding    Rules    Bypass                                                                                                                                                                                                                    Spring    Context    4.3.10.RELEASE
152544949                Vulnerability                            6.0                                    CVE-2018-1272:    Privilege    Escalation    Through    Multipart    Content    Pollution                                                                        Spring    Core    4.3.10.RELEASE
152544950                Vulnerability                            4.0                                    CVE-2021-22096:    Log    Injection                                                                                                                                                                                                                                                Spring    Core    4.3.10.RELEASE
152544951                Vulnerability                            4.0                                    CVE-2022-22950:    Denial    Of    Service    (DoS)                                                                                                                                                                                                        Spring    Expression    Language    (SpEL)    4.3.10.RELEASE
152544952                Vulnerability                            5.0                                    CVE-2018-15756:    Denial    Of    Service    (DoS)                                                                                                                                                                                                        Spring    Web    4.3.10.RELEASE
152544953                Vulnerability                            4.3                                    CVE-2018-11039:    Cross-Site    Tracing    (XST)                                                                                                                                                                                                    Spring    Web    4.3.10.RELEASE
152544954                Vulnerability                            3.6                                    CVE-2020-5421:    Reflected    File    Download    (RFD)    Attack                                                                                                                                                        Spring    Web    4.3.10.RELEASE
152544955                Vulnerability                            5.0                                    CVE-2018-15756:    Denial    Of    Service    (DoS)                                                                                                                                                                                                        Spring    Web    MVC    4.3.10.RELEASE
152544956                Vulnerability                            5.0                                    CVE-2018-1199:    Security    Constraint    Bypass                                                                                                                                                                                                Spring    Web    MVC    4.3.10.RELEASE
152544957                Vulnerability                            4.3                                    CVE-2018-1271:    Directory    Traversal                                                                                                                                                                                                                            Spring    Web    MVC    4.3.10.RELEASE
152544958                Vulnerability                            4.3                                    CVE-2018-11040:    Cross-Domain    Request    Through    Insecure    JSONP    Defaults                                                                                    Spring    Web    MVC    4.3.10.RELEASE
152544959                Outdated    Library                3.0                                    Latest    version    at    scan:    4.0.1                                                                                                                                                                                                                                                Old    JAXB    Core    2.3.0
152544960                Outdated    Library                3.0                                    Latest    version    at    scan:    4.0.1                                                                                                                                                                                                                                                Old    JAXB    Runtime    2.3.0
152544961                Outdated    Library                3.0                                    Latest    version    at    scan:    1.4                                                                                                                                                                                                                                                        Apache    Commons    FileUpload    1.3.2
152544962                Outdated    Library                3.0                                    Latest    version    at    scan:    2.11.0                                                                                                                                                                                                                                            Apache    Commons    IO    2.4
152544963                Outdated    Library                3.0                                    Latest    version    at    scan:    1.5.0-b01                                                                                                                                                                                                                                JavaMail    API    (compat)    1.4.7
152544964                Outdated    Library                3.0                                    Latest    version    at    scan:    4.0.1                                                                                                                                                                                                                                                Java    Servlet    API    3.0.1
152544965                Outdated    Library                3.0                                    Latest    version    at    scan:    2.4.0-b180830.0359                                                                                                                                                                                            jaxb-api    2.3.0
152544966                Outdated    Library                3.0                                    Latest    version    at    scan:    8.0.31                                                                                                                                                                                                                                            mysql-connector-java    5.1.35
152544967                Outdated    Library                3.0                                    Latest    version    at    scan:    4.4                                                                                                                                                                                                                                                        Apache    Commons    Collections    4.0
152544968                Outdated    Library                3.0                                    Latest    version    at    scan:    2.4.2                                                                                                                                                                                                                                                Apache    Sling    Maven    Plugin    Relocation    2.0.4-incubator
152544969                Outdated    Library                3.0                                    Latest    version    at    scan:    20.0.1                                                                                                                                                                                                                                            Keycloak    SAML    Core    1.8.1.Final
152544970                Outdated    Library                3.0                                    Latest    version    at    scan:    0.4                                                                                                                                                                                                                                                        jBCrypt    0.3m
152544971                Outdated    Library                3.0                                    Latest    version    at    scan:    1.2.3                                                                                                                                                                                                                                                JSP    Encoder    1.2.1
152544972                Outdated    Library                3.0                                    Latest    version    at    scan:    1.2.3                                                                                                                                                                                                                                                Java    Encoder    1.2.1
152544973                Outdated    Library                3.0                                    Latest    version    at    scan:    2.0.5                                                                                                                                                                                                                                                SLF4J    LOG4J-12    Binding    relocated    1.7.7
152544974                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    Context    4.3.10.RELEASE
152544975                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    Core    4.3.10.RELEASE
152544976                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    JDBC    4.3.10.RELEASE
152544977                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    Transaction    4.3.10.RELEASE
152544978                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    Web    4.3.10.RELEASE
152544979                Outdated    Library                3.0                                    Latest    version    at    scan:    6.0.2                                                                                                                                                                                                                                                Spring    Web    MVC    4.3.10.RELEASE
152544980                License                                                    9.0                                    Library    Uses    Unapproved    License                                                                                                                                                                                                                                        Old    JAXB    Core    2.3.0
152544981                License                                                    9.0                                    Library    Uses    Unapproved    License                                                                                                                                                                                                                                        Old    JAXB    Runtime    2.3.0
152544982                License                                                    9.0                                    Library    Uses    Unapproved    License                                                                                                                                                                                                                                        jstl    1.2
152544983                License                                                    9.0                                    Library    Uses    Unapproved    License                                                                                                                                                                                                                                        mysql-connector-java    5.1.35

Full Report Details    https://sca.analysiscenter.veracode.com/teams/PaaiORy/scans/43752547

@github-actions

Veracode SCA Scan failed with exit code 5

Veracode SCA Scan details

Veracode SCA agent scanning engine ready
Running the Maven scanner
Scanning completed
Found 5479 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID                                        25045847-f5d0-4a40-b056-47884fb0e1a9
Scan Date & Time                             Nov 26 2022 11:24AM UTC
Account type                                 ENTERPRISE
Scan engine                                    3.8.11 (latest 3.8.11)
Analysis time                                 28 seconds
User                                         runner
Project                                        /home/runner/work/test-action/test-action
Package Manager(s)                             Maven

Open-Source Libraries
Total Libraries                                50
Direct Libraries                             23
Transitive Libraries                         27
Vulnerable Libraries                         19
Third Party Code                             98.9%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph

Call Source                                     Method Name                                 Library
xmlfilter.filterXMLSignature [line 26]         CanonicalizerSpi.engineCanonicalize([B)     Apache XML Security for Java : 1.5.1
xmlfilter.main [line 14]                        BCrypt.crypt_raw([B[BI)                     jBCrypt : 0.3m
xmlfilter.main [line 16]                        BCrypt.crypt_raw([B[BI)                     jBCrypt : 0.3m

Security
With Vulnerable Methods                        2
High Risk Vulnerabilities                     8
Medium Risk Vulnerabilities                    30
Low Risk Vulnerabilities                     5

Vulnerabilities - Public Data
CVE-2017-1000487                             High Risk     Command Line Shell Injection                                             Plexus Common Utilities 1.0.4
CVE-2015-6420                                 High Risk     Arbitrary Code Execution                                                 Apache Commons Collections 4.0
CVE-2015-4852                                 High Risk     Potential Remote Code Execution Via Java Object Deserialization            Apache Commons Collections 4.0
CVE-2015-0254                                 High Risk     XML External Entity (XXE) Through An XSLT Extension                        jstl 1.2
CVE-2016-1000031                             High Risk     Remote Code Execution Via Serialization                                    Apache Commons FileUpload 1.3.2
CVE-2022-22965                                 High Risk     Remote Code Execution (RCE)                                                Spring Beans 4.3.10.RELEASE
CVE-2022-23307                                 High Risk     Remote Code Execution (RCE)                                                Apache Log4j 1.2.17
CVE-2019-17571                                 High Risk     Arbitrary Code Execution                                                 Apache Log4j 1.2.17
CVE-2018-15756                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Web 4.3.10.RELEASE
CVE-2018-11039                                 Medium Risk     Cross-Site Tracing (XST)                                                 Spring Web 4.3.10.RELEASE
CVE-2022-22950                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2017-3586                                 Medium Risk     Usable Expired Certificates                                                mysql-connector-java 5.1.35
CVE-2022-21363                                 Medium Risk     Privilege Escalation                                                     mysql-connector-java 5.1.35
CVE-2017-3523                                 Medium Risk     Improper Automatic Deserialization                                         mysql-connector-java 5.1.35
CVE-2022-22968                                 Medium Risk     Binding Rules Bypass                                                     Spring Context 4.3.10.RELEASE
CVE-2018-1002200                             Medium Risk     Arbitrary File Write                                                     Plexus Archiver Component 1.0-alpha-3
CVE-2012-6153                                 Medium Risk     Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers     HttpClient 3.1
CVE-2012-5783                                 Medium Risk     Man In The Middle (MitM)                                                 HttpClient 3.1
CVE-2015-0886                                 Medium Risk     Information Disclosure Of Password Hashes Through Crypt_raw                jBCrypt 0.3m
CVE-2021-22096                                 Medium Risk     Log Injection                                                             Spring Core 4.3.10.RELEASE
CVE-2018-1272                                 Medium Risk     Privilege Escalation Through Multipart Content Pollution                 Spring Core 4.3.10.RELEASE
CVE-2017-2646                                 Medium Risk     Denial Of Service (DoS)                                                    Keycloak SAML Core 1.8.1.Final
CVE-2017-2582                                 Medium Risk     Information Disclosure                                                     Keycloak SAML Core 1.8.1.Final
CVE-2021-29425                                 Medium Risk     Directory Traversal                                                        Apache Commons IO 2.4
CVE-2021-40690                                 Medium Risk     Bypass Of Secure Validation                                                Apache XML Security for Java 1.5.1
CVE-2013-4517                                 Medium Risk     Denial Of Service (DoS) Memory Consumption                                 Apache XML Security for Java 1.5.1
CVE-2013-2172                                 Medium Risk     Spoofable XML Signature                                                    Apache XML Security for Java 1.5.1
CVE-2015-2944                                 Medium Risk     Multiple Cross-site Scripting (XSS) Vulnerabilities                        Apache Sling API 2.0.2-incubator
CVE-2022-23302                                 Medium Risk     Deserialisation Of Untrusted Object                                        Apache Log4j 1.2.17
CVE-2021-4104                                 Medium Risk     Deserialisation Of Untrusted Object                                        Apache Log4j 1.2.17
CVE-2022-23305                                 Medium Risk     SQL Injection                                                             Apache Log4j 1.2.17
CVE-2020-9493                                 Medium Risk     Remote Code Execution (RCE)                                                Apache Log4j 1.2.17
CVE-2018-15756                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Web MVC 4.3.10.RELEASE
CVE-2018-1271                                 Medium Risk     Directory Traversal                                                        Spring Web MVC 4.3.10.RELEASE
CVE-2018-11040                                 Medium Risk     Cross-Domain Request Through Insecure JSONP Defaults                     Spring Web MVC 4.3.10.RELEASE
CVE-2018-1199                                 Medium Risk     Security Constraint Bypass                                                 Spring Web MVC 4.3.10.RELEASE
CVE-2020-5421                                 Low Risk        Reflected File Download (RFD) Attack                                     Spring Web 4.3.10.RELEASE
CVE-2020-2933                                 Low Risk        Denial Of Service (DoS)                                                    mysql-connector-java 5.1.35
CVE-2019-2692                                 Low Risk        Authorization Bypass                                                     mysql-connector-java 5.1.35
CVE-2017-3589                                 Low Risk        Database Overwrite                                                         mysql-connector-java 5.1.35
CVE-2022-22970                                 Low Risk        Denial Of Service (DoS)                                                    Spring Beans 4.3.10.RELEASE

Vulnerabilities - Premium Data
NO-CVE                                         Medium Risk     SAML Assertion Insertion                                                 Keycloak SAML Core 1.8.1.Final
NO-CVE                                         Medium Risk     Remote Code Execution (RCE) Via Java Object Deserialization                Apache Commons IO 2.4

Licenses
Unique Library Licenses                        14
Libraries Using GPL                            6
Libraries With High Risk License             6
Libraries With Medium Risk License             13
Libraries With Low Risk License                44
Libraries With Multiple Licenses             8
Libraries With Unassessable License            0
Libraries With Unrecognizable License         2

Issues
Issue ID     Issue Type         Severity    Description                                                                             Library Name & Version In Use
152544916    Vulnerability     7.5         CVE-2016-1000031: Remote Code Execution Via Serialization                                Apache Commons FileUpload 1.3.2
152544917    Vulnerability     5.8         CVE-2012-5783: Man In The Middle (MitM)                                                 HttpClient 3.1
152544918    Vulnerability     4.3         CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers    HttpClient 3.1
152544919    Vulnerability     5.8         CVE-2021-29425: Directory Traversal                                                     Apache Commons IO 2.4
152544920    Vulnerability     5.1         NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization                     Apache Commons IO 2.4
152544921    Vulnerability     7.5         CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension                     jstl 1.2
152544922    Vulnerability     9.0         CVE-2022-23307: Remote Code Execution (RCE)                                             Apache Log4j 1.2.17
152544923    Vulnerability     7.5         CVE-2019-17571: Arbitrary Code Execution                                                 Apache Log4j 1.2.17
152544924    Vulnerability     6.8         CVE-2020-9493: Remote Code Execution (RCE)                                             Apache Log4j 1.2.17
152544925    Vulnerability     6.8         CVE-2022-23305: SQL Injection                                                            Apache Log4j 1.2.17
152544926    Vulnerability     6.0         CVE-2021-4104: Deserialisation Of Untrusted Object                                     Apache Log4j 1.2.17
152544927    Vulnerability     6.0         CVE-2022-23302: Deserialisation Of Untrusted Object                                     Apache Log4j 1.2.17
152544928    Vulnerability     6.0         CVE-2022-21363: Privilege Escalation                                                     mysql-connector-java 5.1.35
152544929    Vulnerability     6.0         CVE-2017-3523: Improper Automatic Deserialization                                        mysql-connector-java 5.1.35
152544930    Vulnerability     5.5         CVE-2017-3586: Usable Expired Certificates                                             mysql-connector-java 5.1.35
152544931    Vulnerability     3.5         CVE-2020-2933: Denial Of Service (DoS)                                                 mysql-connector-java 5.1.35
152544932    Vulnerability     3.5         CVE-2019-2692: Authorization Bypass                                                     mysql-connector-java 5.1.35
152544933    Vulnerability     2.1         CVE-2017-3589: Database Overwrite                                                        mysql-connector-java 5.1.35
152544934    Vulnerability     7.5         CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization         Apache Commons Collections 4.0
152544935    Vulnerability     7.5         CVE-2015-6420: Arbitrary Code Execution                                                 Apache Commons Collections 4.0
152544936    Vulnerability     5.0         CVE-2021-40690: Bypass Of Secure Validation                                             Apache XML Security for Java 1.5.1
152544937    Vulnerability     4.3         CVE-2013-4517: Denial of Service (DoS) Memory Consumption                                Apache XML Security for Java 1.5.1
152544938    Vulnerability     4.3         CVE-2013-2172: Spoofable XML Signature                                                 Apache XML Security for Java 1.5.1
152544939    Vulnerability     4.3         CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities                     Apache Sling API 2.0.2-incubator
152544940    Vulnerability     4.3         CVE-2018-1002200: Arbitrary File Write                                                 Plexus Archiver Component 1.0-alpha-3
152544941    Vulnerability     7.5         CVE-2017-1000487: Command Line Shell Injection                                         Plexus Common Utilities 1.0.4
152544942    Vulnerability     6.4         NO-CVE: SAML Assertion Insertion                                                         Keycloak SAML Core 1.8.1.Final
152544943    Vulnerability     5.0         CVE-2017-2646: Denial Of Service (DoS)                                                 Keycloak SAML Core 1.8.1.Final
152544944    Vulnerability     4.0         CVE-2017-2582: Information Disclosure                                                    Keycloak SAML Core 1.8.1.Final
152544945    Vulnerability     5.0         CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw             jBCrypt 0.3m
152544946    Vulnerability     7.5         CVE-2022-22965: Remote Code Execution (RCE)                                             Spring Beans 4.3.10.RELEASE
152544947    Vulnerability     3.5         CVE-2022-22970: Denial Of Service (DoS)                                                 Spring Beans 4.3.10.RELEASE
152544948    Vulnerability     5.0         CVE-2022-22968: Binding Rules Bypass                                                     Spring Context 4.3.10.RELEASE
152544949    Vulnerability     6.0         CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution                 Spring Core 4.3.10.RELEASE
152544950    Vulnerability     4.0         CVE-2021-22096: Log Injection                                                            Spring Core 4.3.10.RELEASE
152544951    Vulnerability     4.0         CVE-2022-22950: Denial Of Service (DoS)                                                 Spring Expression Language (SpEL) 4.3.10.RELEASE
152544952    Vulnerability     5.0         CVE-2018-15756: Denial Of Service (DoS)                                                 Spring Web 4.3.10.RELEASE
152544953    Vulnerability     4.3         CVE-2018-11039: Cross-Site Tracing (XST)                                                 Spring Web 4.3.10.RELEASE
152544954    Vulnerability     3.6         CVE-2020-5421: Reflected File Download (RFD) Attack                                     Spring Web 4.3.10.RELEASE
152544955    Vulnerability     5.0         CVE-2018-15756: Denial Of Service (DoS)                                                 Spring Web MVC 4.3.10.RELEASE
152544956    Vulnerability     5.0         CVE-2018-1199: Security Constraint Bypass                                                Spring Web MVC 4.3.10.RELEASE
152544957    Vulnerability     4.3         CVE-2018-1271: Directory Traversal                                                     Spring Web MVC 4.3.10.RELEASE
152544958    Vulnerability     4.3         CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults                     Spring Web MVC 4.3.10.RELEASE
152544959    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Old JAXB Core 2.3.0
152544960    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Old JAXB Runtime 2.3.0
152544961    Outdated Library    3.0         Latest version at scan: 1.4                                                             Apache Commons FileUpload 1.3.2
152544962    Outdated Library    3.0         Latest version at scan: 2.11.0                                                         Apache Commons IO 2.4
152544963    Outdated Library    3.0         Latest version at scan: 1.5.0-b01                                                        JavaMail API (compat) 1.4.7
152544964    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Java Servlet API 3.0.1
152544965    Outdated Library    3.0         Latest version at scan: 2.4.0-b180830.0359                                             jaxb-api 2.3.0
152544966    Outdated Library    3.0         Latest version at scan: 8.0.31                                                         mysql-connector-java 5.1.35
152544967    Outdated Library    3.0         Latest version at scan: 4.4                                                             Apache Commons Collections 4.0
152544968    Outdated Library    3.0         Latest version at scan: 2.4.2                                                            Apache Sling Maven Plugin Relocation 2.0.4-incubator
152544969    Outdated Library    3.0         Latest version at scan: 20.0.1                                                         Keycloak SAML Core 1.8.1.Final
152544970    Outdated Library    3.0         Latest version at scan: 0.4                                                             jBCrypt 0.3m
152544971    Outdated Library    3.0         Latest version at scan: 1.2.3                                                            JSP Encoder 1.2.1
152544972    Outdated Library    3.0         Latest version at scan: 1.2.3                                                            Java Encoder 1.2.1
152544973    Outdated Library    3.0         Latest version at scan: 2.0.5                                                            SLF4J LOG4J-12 Binding relocated 1.7.7
152544974    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Context 4.3.10.RELEASE
152544975    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Core 4.3.10.RELEASE
152544976    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring JDBC 4.3.10.RELEASE
152544977    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Transaction 4.3.10.RELEASE
152544978    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Web 4.3.10.RELEASE
152544979    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Web MVC 4.3.10.RELEASE
152544980    License             9.0         Library Uses Unapproved License                                                         Old JAXB Core 2.3.0
152544981    License             9.0         Library Uses Unapproved License                                                         Old JAXB Runtime 2.3.0
152544982    License             9.0         Library Uses Unapproved License                                                         jstl 1.2
152544983    License             9.0         Library Uses Unapproved License                                                         mysql-connector-java 5.1.35

Full Report Details                            https://sca.analysiscenter.veracode.com/teams/PaaiORy/scans/43752564

@github-actions

Veracode SCA Scan failed with exit code 5

Veracode SCA Scan details

Veracode SCA agent scanning engine ready
Running the Maven scanner
Scanning completed
Found 5479 lines of code
Processing results...
Processing results complete

Summary Report
Scan ID                                        166eb0d6-aeae-4874-a8bf-4c542fb62c43
Scan Date & Time                             Nov 26 2022 12:30PM UTC
Account type                                 ENTERPRISE
Scan engine                                    3.8.11 (latest 3.8.11)
Analysis time                                 16 seconds
User                                         runner
Project                                        /home/runner/work/test-action/test-action
Package Manager(s)                             Maven

Open-Source Libraries
Total Libraries                                50
Direct Libraries                             23
Transitive Libraries                         27
Vulnerable Libraries                         19
Third Party Code                             98.9%

Vulnerable Methods
2 vulnerable methods can be reached via the code's call graph

Call Source                                     Method Name                                 Library
xmlfilter.filterXMLSignature [line 26]         CanonicalizerSpi.engineCanonicalize([B)     Apache XML Security for Java : 1.5.1
xmlfilter.main [line 14]                        BCrypt.crypt_raw([B[BI)                     jBCrypt : 0.3m
xmlfilter.main [line 16]                        BCrypt.crypt_raw([B[BI)                     jBCrypt : 0.3m

Security
With Vulnerable Methods                        2
High Risk Vulnerabilities                     8
Medium Risk Vulnerabilities                    30
Low Risk Vulnerabilities                     5

Vulnerabilities - Public Data
CVE-2017-1000487                             High Risk     Command Line Shell Injection                                             Plexus Common Utilities 1.0.4
CVE-2015-6420                                 High Risk     Arbitrary Code Execution                                                 Apache Commons Collections 4.0
CVE-2015-4852                                 High Risk     Potential Remote Code Execution Via Java Object Deserialization            Apache Commons Collections 4.0
CVE-2015-0254                                 High Risk     XML External Entity (XXE) Through An XSLT Extension                        jstl 1.2
CVE-2016-1000031                             High Risk     Remote Code Execution Via Serialization                                    Apache Commons FileUpload 1.3.2
CVE-2022-22965                                 High Risk     Remote Code Execution (RCE)                                                Spring Beans 4.3.10.RELEASE
CVE-2022-23307                                 High Risk     Remote Code Execution (RCE)                                                Apache Log4j 1.2.17
CVE-2019-17571                                 High Risk     Arbitrary Code Execution                                                 Apache Log4j 1.2.17
CVE-2018-15756                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Web 4.3.10.RELEASE
CVE-2018-11039                                 Medium Risk     Cross-Site Tracing (XST)                                                 Spring Web 4.3.10.RELEASE
CVE-2022-22950                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Expression Language (SpEL) 4.3.10.RELEASE
CVE-2017-3586                                 Medium Risk     Usable Expired Certificates                                                mysql-connector-java 5.1.35
CVE-2022-21363                                 Medium Risk     Privilege Escalation                                                     mysql-connector-java 5.1.35
CVE-2017-3523                                 Medium Risk     Improper Automatic Deserialization                                         mysql-connector-java 5.1.35
CVE-2022-22968                                 Medium Risk     Binding Rules Bypass                                                     Spring Context 4.3.10.RELEASE
CVE-2018-1002200                             Medium Risk     Arbitrary File Write                                                     Plexus Archiver Component 1.0-alpha-3
CVE-2012-6153                                 Medium Risk     Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers     HttpClient 3.1
CVE-2012-5783                                 Medium Risk     Man In The Middle (MitM)                                                 HttpClient 3.1
CVE-2015-0886                                 Medium Risk     Information Disclosure Of Password Hashes Through Crypt_raw                jBCrypt 0.3m
CVE-2021-22096                                 Medium Risk     Log Injection                                                             Spring Core 4.3.10.RELEASE
CVE-2018-1272                                 Medium Risk     Privilege Escalation Through Multipart Content Pollution                 Spring Core 4.3.10.RELEASE
CVE-2017-2646                                 Medium Risk     Denial Of Service (DoS)                                                    Keycloak SAML Core 1.8.1.Final
CVE-2017-2582                                 Medium Risk     Information Disclosure                                                     Keycloak SAML Core 1.8.1.Final
CVE-2021-29425                                 Medium Risk     Directory Traversal                                                        Apache Commons IO 2.4
CVE-2021-40690                                 Medium Risk     Bypass Of Secure Validation                                                Apache XML Security for Java 1.5.1
CVE-2013-4517                                 Medium Risk     Denial Of Service (DoS) Memory Consumption                                 Apache XML Security for Java 1.5.1
CVE-2013-2172                                 Medium Risk     Spoofable XML Signature                                                    Apache XML Security for Java 1.5.1
CVE-2015-2944                                 Medium Risk     Multiple Cross-site Scripting (XSS) Vulnerabilities                        Apache Sling API 2.0.2-incubator
CVE-2022-23302                                 Medium Risk     Deserialisation Of Untrusted Object                                        Apache Log4j 1.2.17
CVE-2021-4104                                 Medium Risk     Deserialisation Of Untrusted Object                                        Apache Log4j 1.2.17
CVE-2022-23305                                 Medium Risk     SQL Injection                                                             Apache Log4j 1.2.17
CVE-2020-9493                                 Medium Risk     Remote Code Execution (RCE)                                                Apache Log4j 1.2.17
CVE-2018-15756                                 Medium Risk     Denial Of Service (DoS)                                                    Spring Web MVC 4.3.10.RELEASE
CVE-2018-1271                                 Medium Risk     Directory Traversal                                                        Spring Web MVC 4.3.10.RELEASE
CVE-2018-11040                                 Medium Risk     Cross-Domain Request Through Insecure JSONP Defaults                     Spring Web MVC 4.3.10.RELEASE
CVE-2018-1199                                 Medium Risk     Security Constraint Bypass                                                 Spring Web MVC 4.3.10.RELEASE
CVE-2020-5421                                 Low Risk        Reflected File Download (RFD) Attack                                     Spring Web 4.3.10.RELEASE
CVE-2020-2933                                 Low Risk        Denial Of Service (DoS)                                                    mysql-connector-java 5.1.35
CVE-2019-2692                                 Low Risk        Authorization Bypass                                                     mysql-connector-java 5.1.35
CVE-2017-3589                                 Low Risk        Database Overwrite                                                         mysql-connector-java 5.1.35
CVE-2022-22970                                 Low Risk        Denial Of Service (DoS)                                                    Spring Beans 4.3.10.RELEASE

Vulnerabilities - Premium Data
NO-CVE                                         Medium Risk     SAML Assertion Insertion                                                 Keycloak SAML Core 1.8.1.Final
NO-CVE                                         Medium Risk     Remote Code Execution (RCE) Via Java Object Deserialization                Apache Commons IO 2.4

Licenses
Unique Library Licenses                        14
Libraries Using GPL                            6
Libraries With High Risk License             6
Libraries With Medium Risk License             13
Libraries With Low Risk License                44
Libraries With Multiple Licenses             8
Libraries With Unassessable License            0
Libraries With Unrecognizable License         2

Issues
Issue ID     Issue Type         Severity    Description                                                                             Library Name & Version In Use
152544916    Vulnerability     7.5         CVE-2016-1000031: Remote Code Execution Via Serialization                                Apache Commons FileUpload 1.3.2
152544917    Vulnerability     5.8         CVE-2012-5783: Man In The Middle (MitM)                                                 HttpClient 3.1
152544918    Vulnerability     4.3         CVE-2012-6153: Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers    HttpClient 3.1
152544919    Vulnerability     5.8         CVE-2021-29425: Directory Traversal                                                     Apache Commons IO 2.4
152544920    Vulnerability     5.1         NO-CVE: Remote Code Execution (RCE) Via Java Object Deserialization                     Apache Commons IO 2.4
152544921    Vulnerability     7.5         CVE-2015-0254: XML External Entity (XXE) Through An XSLT Extension                     jstl 1.2
152544922    Vulnerability     9.0         CVE-2022-23307: Remote Code Execution (RCE)                                             Apache Log4j 1.2.17
152544923    Vulnerability     7.5         CVE-2019-17571: Arbitrary Code Execution                                                 Apache Log4j 1.2.17
152544924    Vulnerability     6.8         CVE-2020-9493: Remote Code Execution (RCE)                                             Apache Log4j 1.2.17
152544925    Vulnerability     6.8         CVE-2022-23305: SQL Injection                                                            Apache Log4j 1.2.17
152544926    Vulnerability     6.0         CVE-2021-4104: Deserialisation Of Untrusted Object                                     Apache Log4j 1.2.17
152544927    Vulnerability     6.0         CVE-2022-23302: Deserialisation Of Untrusted Object                                     Apache Log4j 1.2.17
152544928    Vulnerability     6.0         CVE-2022-21363: Privilege Escalation                                                     mysql-connector-java 5.1.35
152544929    Vulnerability     6.0         CVE-2017-3523: Improper Automatic Deserialization                                        mysql-connector-java 5.1.35
152544930    Vulnerability     5.5         CVE-2017-3586: Usable Expired Certificates                                             mysql-connector-java 5.1.35
152544931    Vulnerability     3.5         CVE-2020-2933: Denial Of Service (DoS)                                                 mysql-connector-java 5.1.35
152544932    Vulnerability     3.5         CVE-2019-2692: Authorization Bypass                                                     mysql-connector-java 5.1.35
152544933    Vulnerability     2.1         CVE-2017-3589: Database Overwrite                                                        mysql-connector-java 5.1.35
152544934    Vulnerability     7.5         CVE-2015-4852: Potential Remote Code Execution Via Java Object Deserialization         Apache Commons Collections 4.0
152544935    Vulnerability     7.5         CVE-2015-6420: Arbitrary Code Execution                                                 Apache Commons Collections 4.0
152544936    Vulnerability     5.0         CVE-2021-40690: Bypass Of Secure Validation                                             Apache XML Security for Java 1.5.1
152544937    Vulnerability     4.3         CVE-2013-4517: Denial of Service (DoS) Memory Consumption                                Apache XML Security for Java 1.5.1
152544938    Vulnerability     4.3         CVE-2013-2172: Spoofable XML Signature                                                 Apache XML Security for Java 1.5.1
152544939    Vulnerability     4.3         CVE-2015-2944: Multiple Cross-site Scripting (XSS) Vulnerabilities                     Apache Sling API 2.0.2-incubator
152544940    Vulnerability     4.3         CVE-2018-1002200: Arbitrary File Write                                                 Plexus Archiver Component 1.0-alpha-3
152544941    Vulnerability     7.5         CVE-2017-1000487: Command Line Shell Injection                                         Plexus Common Utilities 1.0.4
152544942    Vulnerability     6.4         NO-CVE: SAML Assertion Insertion                                                         Keycloak SAML Core 1.8.1.Final
152544943    Vulnerability     5.0         CVE-2017-2646: Denial Of Service (DoS)                                                 Keycloak SAML Core 1.8.1.Final
152544944    Vulnerability     4.0         CVE-2017-2582: Information Disclosure                                                    Keycloak SAML Core 1.8.1.Final
152544945    Vulnerability     5.0         CVE-2015-0886: Information Disclosure Of Password Hashes Through Crypt_raw             jBCrypt 0.3m
152544946    Vulnerability     7.5         CVE-2022-22965: Remote Code Execution (RCE)                                             Spring Beans 4.3.10.RELEASE
152544947    Vulnerability     3.5         CVE-2022-22970: Denial Of Service (DoS)                                                 Spring Beans 4.3.10.RELEASE
152544948    Vulnerability     5.0         CVE-2022-22968: Binding Rules Bypass                                                     Spring Context 4.3.10.RELEASE
152544949    Vulnerability     6.0         CVE-2018-1272: Privilege Escalation Through Multipart Content Pollution                 Spring Core 4.3.10.RELEASE
152544950    Vulnerability     4.0         CVE-2021-22096: Log Injection                                                            Spring Core 4.3.10.RELEASE
152544951    Vulnerability     4.0         CVE-2022-22950: Denial Of Service (DoS)                                                 Spring Expression Language (SpEL) 4.3.10.RELEASE
152544952    Vulnerability     5.0         CVE-2018-15756: Denial Of Service (DoS)                                                 Spring Web 4.3.10.RELEASE
152544953    Vulnerability     4.3         CVE-2018-11039: Cross-Site Tracing (XST)                                                 Spring Web 4.3.10.RELEASE
152544954    Vulnerability     3.6         CVE-2020-5421: Reflected File Download (RFD) Attack                                     Spring Web 4.3.10.RELEASE
152544955    Vulnerability     5.0         CVE-2018-15756: Denial Of Service (DoS)                                                 Spring Web MVC 4.3.10.RELEASE
152544956    Vulnerability     5.0         CVE-2018-1199: Security Constraint Bypass                                                Spring Web MVC 4.3.10.RELEASE
152544957    Vulnerability     4.3         CVE-2018-1271: Directory Traversal                                                     Spring Web MVC 4.3.10.RELEASE
152544958    Vulnerability     4.3         CVE-2018-11040: Cross-Domain Request Through Insecure JSONP Defaults                     Spring Web MVC 4.3.10.RELEASE
152544959    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Old JAXB Core 2.3.0
152544960    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Old JAXB Runtime 2.3.0
152544961    Outdated Library    3.0         Latest version at scan: 1.4                                                             Apache Commons FileUpload 1.3.2
152544962    Outdated Library    3.0         Latest version at scan: 2.11.0                                                         Apache Commons IO 2.4
152544963    Outdated Library    3.0         Latest version at scan: 1.5.0-b01                                                        JavaMail API (compat) 1.4.7
152544964    Outdated Library    3.0         Latest version at scan: 4.0.1                                                            Java Servlet API 3.0.1
152544965    Outdated Library    3.0         Latest version at scan: 2.4.0-b180830.0359                                             jaxb-api 2.3.0
152544966    Outdated Library    3.0         Latest version at scan: 8.0.31                                                         mysql-connector-java 5.1.35
152544967    Outdated Library    3.0         Latest version at scan: 4.4                                                             Apache Commons Collections 4.0
152544968    Outdated Library    3.0         Latest version at scan: 2.4.2                                                            Apache Sling Maven Plugin Relocation 2.0.4-incubator
152544969    Outdated Library    3.0         Latest version at scan: 20.0.1                                                         Keycloak SAML Core 1.8.1.Final
152544970    Outdated Library    3.0         Latest version at scan: 0.4                                                             jBCrypt 0.3m
152544971    Outdated Library    3.0         Latest version at scan: 1.2.3                                                            JSP Encoder 1.2.1
152544972    Outdated Library    3.0         Latest version at scan: 1.2.3                                                            Java Encoder 1.2.1
152544973    Outdated Library    3.0         Latest version at scan: 2.0.5                                                            SLF4J LOG4J-12 Binding relocated 1.7.7
152544974    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Context 4.3.10.RELEASE
152544975    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Core 4.3.10.RELEASE
152544976    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring JDBC 4.3.10.RELEASE
152544977    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Transaction 4.3.10.RELEASE
152544978    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Web 4.3.10.RELEASE
152544979    Outdated Library    3.0         Latest version at scan: 6.0.2                                                            Spring Web MVC 4.3.10.RELEASE
152544980    License             9.0         Library Uses Unapproved License                                                         Old JAXB Core 2.3.0
152544981    License             9.0         Library Uses Unapproved License                                                         Old JAXB Runtime 2.3.0
152544982    License             9.0         Library Uses Unapproved License                                                         jstl 1.2
152544983    License             9.0         Library Uses Unapproved License                                                         mysql-connector-java 5.1.35

Full Report Details                            https://sca.analysiscenter.veracode.com/teams/PaaiORy/scans/43753098

@github-actions

Scan finished with exit code: 5. Please review created and linked issues

@github-actions

Veracode SCA Scan finished with exit code: 5. Please review created and linked issues

@julz0815 julz0815 closed this Mar 5, 2023