Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New vulns #9

Open
wants to merge 24 commits into
base: master
Choose a base branch
from
Open

New vulns #9

wants to merge 24 commits into from

Conversation

PavelLinearB
Copy link
Member

workerB

Description

A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.

Resolved or fixed issue:

Affirmation

Copy link

@jit-ci jit-ci bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Jit has detected 11 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.

package.json Outdated
@@ -119,17 +119,20 @@
"cookie-parser": "^1.4.5",
"cors": "^2.8.5",
"dottie": "^2.0.2",
"download": "^8.0.0",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Got Allows A Redirect To A Unix Socket

Description: download>got

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#jit_ignore_fp

package.json Outdated
"express-rate-limit": "^5.3.0",
"express-robots-txt": "^0.4.1",
"express-security.txt": "^2.0.0",
"feature-policy": "^0.5.0",
"file-stream-rotator": "^0.5.7",
"file-type": "^16.1.0",
"filesniffer": "^1.0.3",
"finale-rest": "^1.1.1",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Regular Expression Denial Of Service In Moment

Description: finale-rest>moment

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"express-rate-limit": "^5.3.0",
"express-robots-txt": "^0.4.1",
"express-security.txt": "^2.0.0",
"feature-policy": "^0.5.0",
"file-stream-rotator": "^0.5.7",
"file-type": "^16.1.0",
"filesniffer": "^1.0.3",
"finale-rest": "^1.1.1",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Regular Expression Denial Of Service (Redos) In Lodash

Description: finale-rest>lodash

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"errorhandler": "^1.5.1",
"exif": "^0.6.0",
"express": "^4.17.1",
"express-ipfilter": "^1.2.0",
"express-jwt": "0.1.3",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Authorization Bypass In Express-Jwt

Description: express-jwt

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

package.json Outdated
"errorhandler": "^1.5.1",
"exif": "^0.6.0",
"express": "^4.17.1",
"express-ipfilter": "^1.2.0",
"express-jwt": "0.1.3",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage

Description: express-jwt>jsonwebtoken

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

package.json Outdated
@@ -119,17 +119,20 @@
"cookie-parser": "^1.4.5",
"cors": "^2.8.5",
"dottie": "^2.0.2",
"download": "^8.0.0",
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Software Component Analysis Js

Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service

Description: download>got>cacheable-request>http-cache-semantics

Severity: HIGH

Learn more about this issue


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge
{ $set: { message: req.body.message } },
{ multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge
).then(
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Static Code Analysis Js

Type: Codsec.Javascriptnosql-Injection.Nosql-Injection

Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

@@ -20,6 +20,7 @@ import * as utils from './utils'
import * as z85 from 'z85'

export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key'
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----'
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection

Type: Private-Key

Description: Private Key

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

@@ -147,6 +147,8 @@
email: wurstbrot
username: wurstbrot
password: 'EinBelegtesBrotMitSchinkenSCHINKEN!'
totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH
key: timo
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Secret Detection

Type: Generic-Api-Key

Description: Generic API Key

Severity: HIGH


Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

@@ -1,3 +1,4 @@
FROM alpine
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security control: Docker Scan

Type: Image User Should Not Be 'Root'

Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

Severity: HIGH

Learn more about this issue

Fix suggestion:

This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.

Suggestion guidelines

  • First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:
    • If a non-root user already exists in your container, consider using it.
    • If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.
Suggested change
FROM alpine
FROM alpine
RUN addgroup --system <group>
RUN adduser --system <user> --ingroup <group>
USER <user>:<group>

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

  • #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”
  • #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”
  • #jit_undo_ignore Undo ignore command

@linear-b linear-b deleted a comment from gitstream-cm bot Jun 6, 2023
@linear-b linear-b deleted a comment from gitstream-cm bot Jun 6, 2023
Copy link

@jit-ci jit-ci bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Jit has detected 10 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.

Until now, you ignored/fixed 1 finding.

@gitstream-cm
Copy link

gitstream-cm bot commented Jun 6, 2023

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"Quality Gate failed\n\nFailed condition 0.0% 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\n### Coverage and Duplications\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"gitStream.cm","status":"COMPLETED","summary":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","title":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Comment added","title":"Comment added","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Reviewers assigned: Dudu-linb","title":"Reviewers assigned: Dudu-linb","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"🤫 PR with secrets","title":"🤫 PR with secrets","text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:10Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

@gitstream-cm
Copy link

gitstream-cm bot commented Jun 6, 2023

This PR failed due to High severity vulnerability finding, if you don't fix it please select:

  • I need help with that fix.
  • I want to accept the risk, please approve.
  • This is false positive, please approve.
  • This is a test / simulator environment, please exclude.

@gitstream-cm
Copy link

gitstream-cm bot commented Jun 6, 2023

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"Quality Gate failed\n\nFailed condition 0.0% 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\n### Coverage and Duplications\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:42Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

@gitstream-cm
Copy link

gitstream-cm bot commented Jun 6, 2023

PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"Quality Gate failed\n\nFailed condition 0.0% 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\n### Coverage and Duplications\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:56Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"workerB\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n

\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [x] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed.    Quality Gate failed\n\nBug A 0 Bugs \nVulnerability A 0 Vulnerabilities \nSecurity Hotspot E 2 Security Hotspots \nCode Smell A 0 Code Smells\n\nNo Coverage information No Coverage information \n0.0% 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]},{"commenter":"jit-ci","content":"❌ Jit has detected 10 important findings in this PR that you should review.\n_The findings are detailed as separate comments.\n_It’s highly recommended that you fix these security issues before merge.\n\nUntil now, you ignored/fixed 1 finding.","state":"commented","conversations":[]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: docker run <image> whoami. If it returns root, then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name>.\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n\n\n---\n
\nJit Bot commands and options (e.g., ignore issue)\n
\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n
\n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}

@sonarcloud
Copy link

sonarcloud bot commented Jun 6, 2023

SonarCloud Quality Gate failed.    Quality Gate failed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot E 2 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant