-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New vulns #9
base: master
Are you sure you want to change the base?
New vulns #9
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❌ Jit has detected 11 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.
package.json
Outdated
@@ -119,17 +119,20 @@ | |||
"cookie-parser": "^1.4.5", | |||
"cors": "^2.8.5", | |||
"dottie": "^2.0.2", | |||
"download": "^8.0.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Got Allows A Redirect To A Unix Socket
Description: download>got
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
#jit_ignore_fp
package.json
Outdated
"express-rate-limit": "^5.3.0", | ||
"express-robots-txt": "^0.4.1", | ||
"express-security.txt": "^2.0.0", | ||
"feature-policy": "^0.5.0", | ||
"file-stream-rotator": "^0.5.7", | ||
"file-type": "^16.1.0", | ||
"filesniffer": "^1.0.3", | ||
"finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service In Moment
Description: finale-rest>moment
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
package.json
Outdated
"express-rate-limit": "^5.3.0", | ||
"express-robots-txt": "^0.4.1", | ||
"express-security.txt": "^2.0.0", | ||
"feature-policy": "^0.5.0", | ||
"file-stream-rotator": "^0.5.7", | ||
"file-type": "^16.1.0", | ||
"filesniffer": "^1.0.3", | ||
"finale-rest": "^1.1.1", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Regular Expression Denial Of Service (Redos) In Lodash
Description: finale-rest>lodash
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
package.json
Outdated
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Authorization Bypass In Express-Jwt
Description: express-jwt
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
package.json
Outdated
"errorhandler": "^1.5.1", | ||
"exif": "^0.6.0", | ||
"express": "^4.17.1", | ||
"express-ipfilter": "^1.2.0", | ||
"express-jwt": "0.1.3", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage
Description: express-jwt>jsonwebtoken
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
package.json
Outdated
@@ -119,17 +119,20 @@ | |||
"cookie-parser": "^1.4.5", | |||
"cors": "^2.8.5", | |||
"dottie": "^2.0.2", | |||
"download": "^8.0.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Software Component Analysis Js
Type: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service
Description: download>got>cacheable-request>http-cache-semantics
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
routes/updateProductReviews.ts
Outdated
{ _id: req.body.id }, // vuln-code-snippet vuln-line noSqlReviewsChallenge forgedReviewChallenge | ||
{ $set: { message: req.body.message } }, | ||
{ multi: true } // vuln-code-snippet vuln-line noSqlReviewsChallenge | ||
).then( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Static Code Analysis Js
Type: Codsec.Javascriptnosql-Injection.Nosql-Injection
Description: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query.
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
lib/insecurity.ts
Outdated
@@ -20,6 +20,7 @@ import * as utils from './utils' | |||
import * as z85 from 'z85' | |||
|
|||
export const publicKey = fs ? fs.readFileSync('encryptionkeys/jwt.pub', 'utf8') : 'placeholder-public-key' | |||
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\nMIICXAIBAAKBgQDNwqLEe9wgTXCbC7+RPdDbBbeqjdbs4kOPOIGzqLpXvJXlxxW8iMz0EaM4BKUqYsIa+ndv3NAn2RxCd5ubVdJJcX43zO6Ko0TFEZx/65gY3BE0O6syCEmUP4qbSd6exou/F+WTISzbQ5FBVPVmhnYhG/kpwt/cIxK5iUn5hm+4tQIDAQABAoGBAI+8xiPoOrA+KMnG/T4jJsG6TsHQcDHvJi7o1IKC/hnIXha0atTX5AUkRRce95qSfvKFweXdJXSQ0JMGJyfuXgU6dI0TcseFRfewXAa/ssxAC+iUVR6KUMh1PE2wXLitfeI6JLvVtrBYswm2I7CtY0q8n5AGimHWVXJPLfGV7m0BAkEA+fqFt2LXbLtyg6wZyxMA/cnmt5Nt3U2dAu77MzFJvibANUNHE4HPLZxjGNXN+a6m0K6TD4kDdh5HfUYLWWRBYQJBANK3carmulBwqzcDBjsJ0YrIONBpCAsXxk8idXb8jL9aNIg15Wumm2enqqObahDHB5jnGOLmbasizvSVqypfM9UCQCQl8xIqy+YgURXzXCN+kwUgHinrutZms87Jyi+D8Br8NY0+Nlf+zHvXAomD2W5CsEK7C+8SLBr3k/TsnRWHJuECQHFE9RA2OP8WoaLPuGCyFXaxzICThSRZYluVnWkZtxsBhW2W8z1b8PvWUE7kMy7TnkzeJS2LSnaNHoyxi7IaPQUCQCwWU4U+v4lD7uYBw00Ga/xt+7+UqFPlPVdz1yyr4q24Zxaw0LgmuEvgU5dycq8N7JxjTubX0MIRR+G9fmDBBl8=\r\n-----END RSA PRIVATE KEY-----' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Secret Detection
Type: Private-Key
Description: Private Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
data/static/users.yml
Outdated
@@ -147,6 +147,8 @@ | |||
email: wurstbrot | |||
username: wurstbrot | |||
password: 'EinBelegtesBrotMitSchinkenSCHINKEN!' | |||
totpSecret: IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH | |||
key: timo |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Secret Detection
Type: Generic-Api-Key
Description: Generic API Key
Severity: HIGH
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
test/smoke/Dockerfile
Outdated
@@ -1,3 +1,4 @@ | |||
FROM alpine |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Security control: Docker Scan
Type: Image User Should Not Be 'Root'
Description: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.
Severity: HIGH
Fix suggestion:
This fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.
Suggestion guidelines
- First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this:
docker run <image> whoami
. If it returnsroot
, then you should consider using a non-root user, by following one of the next steps:- If a non-root user already exists in your container, consider using it.
- If not, you can create a new user by adding a
USER
command to the Dockerfile, with a non-root user as argument, for example:USER <non-root-user-name>
.
FROM alpine | |
FROM alpine | |
RUN addgroup --system <group> | |
RUN adduser --system <user> --ingroup <group> | |
USER <user>:<group> | |
Jit Bot commands and options (e.g., ignore issue)
You can trigger Jit actions by commenting on this PR review:
#jit_ignore_fp
Ignore and mark this specific single instance of finding as “False Positive”#jit_ignore_accept
Ignore and mark this specific single instance of finding as “Accept Risk”#jit_undo_ignore
Undo ignore command
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❌ Jit has detected 10 important findings in this PR that you should review.
The findings are detailed as separate comments.
It’s highly recommended that you fix these security issues before merge.
Until now, you ignored/fixed 1 finding.
PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"gitStream.cm","status":"COMPLETED","summary":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","title":"SecurityManager/debug, SecurityManager/Security_comment, jit-and-sonar/mark_security_hotspots, jit-and-sonar/jit_vulns, jit-and-sonar/jit_secretss","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Comment added","title":"Comment added","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Reviewers assigned: Dudu-linb","title":"Reviewers assigned: Dudu-linb","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"🤫 PR with secrets","title":"🤫 PR with secrets","text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:10Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n
Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n |
This PR failed due to High severity vulnerability finding, if you don't fix it please select:
|
PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:42Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n
Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [ ] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n |
PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[{"name":"Jit Security","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Docker Scan","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Software Component Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Static Code Analysis Js","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"Secret Detection","status":"COMPLETED","summary":null,"title":null,"text":null},{"name":"SonarCloud Code Analysis","status":"COMPLETED","summary":"\n\n 0.0% Security Hotspots Reviewed on New Code (is less than 100%) \n\nSee analysis details on SonarCloud\n\n## Additional information\n\nThe following metrics might not affect the Quality Gate status but improving \nthem will improve your project code quality.\n\n### 0 Issues\n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n### Coverage and Duplications\n\n No Coverage information \n 0.0% Duplication (3.2% Estimated after merge)\n\n","title":"Quality Gate failed","text":null},{"name":"- add-comment@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-reviewers@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"- add-label@v1","status":"COMPLETED","summary":"Skipping outdated action","title":"Skipping outdated action","text":null},{"name":"gitStream.cm","status":"IN_PROGRESS","summary":null,"title":null,"text":null},{"name":"SonarCloud","status":"COMPLETED","summary":"#### No new alerts\n\nView all branch alerts.","title":"No new alerts","text":null}],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:28:56Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"gitstream-cm","content":"PR: {"isFullyInstalled":false,"title":"New vulns","approvals":[],"requested_changes":[],"author":"PavelLinearB","description":"\r\n\r\n\r\n### Description\r\n\r\n\r\nA clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.\r\n\r\nResolved or fixed issue: \r\n\r\n### Affirmation\r\n\r\n- [ ] My code follows the CONTRIBUTING.md guidelines\r\n","checks":[],"created_at":"2023-06-06T10:06:44Z","draft":false,"mergeable":true,"labels":["🤫 PR with secrets","2 Security hotspots 🌶️","🛡️ x 11 High vulnerabilities"],"reviewers":["Dudu-linb"],"status":"open","updated_at":"2023-06-06T10:24:57Z","assignees":[],"contributors":[{"login":"vim-zz","name":"Ofer Affias"},{"login":"almog27","name":"Almog Ben David"},{"login":"yishaibeeri","name":"Yishai Beeri"},{"login":"orielz","name":"Oriel Zaken"},{"login":"amitmohleji","name":"Amit Mohleji"},{"login":"vscabral","name":"Val Cabral"},{"login":"BenLloydPearson","name":"Ben Lloyd Pearson"},{"login":"flomermer","name":"Tomer Flom"},{"login":"Yaarash","name":"Yaara Shoham"},{"login":"omarcovitch","name":"Omri Marcovitch"},{"login":"ShakedZrihen","name":"shaked zohar"},{"login":"Fadikhayo1995","name":"Fadi Khayo"},{"login":"emasuary","name":"Eitan Masuary"},{"login":"orikrn","name":"Ori Keren"},{"login":"linknfg182","name":"Dan Lines"},{"login":"saharavishag","name":"Avishag Sahar"},{"login":"linearbci","name":"LinearB Automation"},{"login":"ariel-linearb","name":"Ariel Illouz"},{"login":"yeelali14","name":"Yeela Lifshitz"},{"login":"zuki-linB","name":"Zuki Sarusi"},{"login":"mavery-linb","name":"Mike Avery"},{"login":"KerenLinearB","name":"Keren Shiloah"},{"login":"LiorF-BDBQ","name":null},{"login":"lisa-linearb","name":"Lisa Messelt"},{"login":"lb-ronyeh","name":"Ron Yehuda"},{"login":"YovelElad","name":"Yovel Elad"},{"login":"stas-linearb","name":"Stas Onichak "},{"login":"BetsyRogers","name":"Betsy Rogers"},{"login":"Hadarbitan149","name":"hadar bitan"},{"login":"shirels","name":"Shirel Lugasi"},{"login":"negevyoav","name":"Yoav Negev"},{"login":"RoyKulik","name":"Roy Kulik"},{"login":"yoni-amikam","name":"Yoni Amikam"},{"login":"alexChernovLinearB","name":"Alexander Chernov"},{"login":"ZWLinearB","name":"Zach Westall"},{"login":"urikochav","name":"Uri Kochavi"},{"login":"ShaniBelisha","name":"Shani"},{"login":"orenylinearb","name":"oren yosef"},{"login":"alongalperin-lb","name":"Alon Galperin"},{"login":"GuyRahamim","name":null},{"login":"Dudu-linb","name":"Dudu Yosef"},{"login":"EladKohavi","name":"Elad Kohavi"},{"login":"nivSwisa1","name":null},{"login":"b-sims","name":"Brandon Sims"},{"login":"rotemshynes","name":"Rotem Shynes"},{"login":"mark-linearb","name":"Mark Bulgakov"},{"login":"shaisorek","name":null},{"login":"chen-weizmann","name":"Chen Weizmann"},{"login":"ZionSoferLinearB","name":"Zion Sofer"},{"login":"GabiC-LinearB","name":"Gabriel Cherniavsky"},{"login":"imanuel-leibo","name":"Imanuel Leibovitch"},{"login":"mosheia","name":null},{"login":"PavelLinearB","name":null},{"login":"eidellav","name":"Lev Eidelman Nagar"},{"login":"avielLB","name":null},{"login":"mikolinearb","name":null},{"login":"OferSmart","name":null}],"paths":[{"name":"jit.cm"}],"author_teams":["Developers"],"comments":[{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:21:49Z","id":1578368654}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n
Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on","created_at":"2023-06-06T10:26:08Z","id":1578380078},{"commenter":"gitstream-cm","content":"This PR failed due to High severity vulnerability finding, if you don't fix it please select:\n- [x] I need help with that fix.\n- [ ] I want to accept the risk, please approve. \n- [ ] This is false positive, please approve.\n- [ ] This is a test / simulator environment, please exclude.\n","created_at":"2023-06-06T10:26:21Z","id":1578380638},{"commenter":"sonarcloud","content":"SonarCloud Quality Gate failed. \n\n 0 Bugs \n 0 Vulnerabilities \n 2 Security Hotspots \n 0 Code Smells\n\n No Coverage information \n 0.0% Duplication\n\n","created_at":"2023-06-06T10:28:10Z","id":1578384996}],"reviews":[{"commenter":"jit-ci","content":"❌ Jit has detected 11 important findings in this PR that you should review.\n_The findings are detailed below as separate comments.\n_It’s highly recommended that you fix these security issues before merge.","state":"commented","conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\n \n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345353},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345361},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345367},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345376},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345381},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345387},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:56Z","state":"submitted","id":1219345394},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345402},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345410},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345416},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","created_at":"2023-06-06T10:08:57Z","state":"submitted","id":1219345423}]},{"commenter":"PavelLinearB","content":"","state":"commented","conversations":[{"commenter":"PavelLinearB","content":"#jit_ignore_fp","created_at":"2023-06-06T10:28:41Z","state":"submitted","id":1219378096}]},{"commenter":"jit-ci","content":"❌ Jit has detected 10 important findings in this PR that you should review.\n_The findings are detailed as separate comments.\n_It’s highly recommended that you fix these security issues before merge.\n\nUntil now, you ignored/fixed 1 finding.","state":"commented","conversations":[]}],"conversations":[{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Got Allows A Redirect To A Unix Socket\n\nDescription: download>got \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"PavelLinearB","content":"#jit_ignore_fp","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service In Moment\n\nDescription: finale-rest>moment \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Regular Expression Denial Of Service (Redos) In Lodash\n\nDescription: finale-rest>lodash \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":135,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Authorization Bypass In Express-Jwt\n\nDescription: express-jwt \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Jsonwebtoken Unrestricted Key Type Could Lead To Legacy Keys Usage \n\nDescription: express-jwt>jsonwebtoken \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Forgeable Public/Private Tokens In Jws\n\nDescription: express-jwt>jsonwebtoken>jws \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":127,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Software Component Analysis Js\n\nType: Http-Cache-Semantics Vulnerable To Regular Expression Denial Of Service\n\nDescription: download>got>cacheable-request>http-cache-semantics \n\nSeverity: HIGH\n\nLearn more about this issue\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":122,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Static Code Analysis Js\n\nType: Codsec.Javascriptnosql-Injection.Nosql-Injection\n\nDescription: Putting request data into a mongo query can leadto a NoSQL Injection. Be sure to properly sanitize thedata if you absolutely must pass request data into a query. \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":21,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Private-Key\n\nDescription: Private Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":23,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Secret Detection\n\nType: Generic-Api-Key\n\nDescription: Generic API Key \n\nSeverity: HIGH\n\n---\nJit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n\n \n\n","start_line":null,"end_line":151,"is_resolved":false},{"commenter":"jit-ci","content":"Security control: Docker Scan\n\nType: Image User Should Not Be 'Root'\n\nDescription: Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. \n\nSeverity: HIGH\n\nLearn more about this issue\n\n\nFix suggestion: \n\nThis fix suggestion was generated by Jit. Please note that the suggestion might not always fit every use case. It is highly recommended that you check and review it before merging.\n\nSuggestion guidelines\n\n* First of all, check if your container is running as a root user. In most of the cases, you can do it by running a command like this: Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\ndocker run <image> whoami . If it returns root , then you should consider using a non-root user, by following one of the next steps:\n * If a non-root user already exists in your container, consider using it.\n * If not, you can create a new user by adding a USER command to the Dockerfile, with a non-root user as argument, for example: USER <non-root-user-name> .\n\n\nsuggestion\nFROM alpine\n\nRUN addgroup --system <group>\nRUN adduser --system <user> --ingroup <group>\nUSER <user>:<group>\n\n \n\n---\n\n \n\n","start_line":null,"end_line":1,"is_resolved":false}],"isPrivate":false,"target":"master"}Jit Bot commands and options (e.g., ignore issue)\n\n\nYou can trigger Jit actions by commenting on this PR review:\n- #jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”\n- #jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”\n- #jit_undo_ignore Undo ignore command\n |
SonarCloud Quality Gate failed. 0 Bugs No Coverage information |
95de275
to
39b4686
Compare
Description
A clear and concise summary of the change and which issue (if any) it fixes. Should also include relevant motivation and context.
Resolved or fixed issue:
Affirmation