Security scan result #94

Open
bonfim-sanofi opened this issue Jul 26, 2022 · 9 comments

@bonfim-sanofi
Collaborator

Security Scan Report: PharmaLedger-IMI/fgt-workspace


Commit: fdd7c03

Executive summary

Below is a list of vulnerabilities identified by our service across both the Static Application Security Testing (SAST) and Software Composition Analysis (SCA) dimensions:

  • SCA analyzes open source and 3rd party libraries (vulnerabilities and legal risks)
  • SAST focuses on custom code (built by the development team)
🔴 NO-GO for production 🔴: SCA 45 · SAST 0
🔶 to be remediated within 90 days 🔶: SAST 31

🔴 NO-GO for production alerts

SCA Alerts

List of Packages with HIGH CVEs

Packages detected

HIGH - Npm-debug-2.6.9

location: fgt-api/package.json

origin: > Npm-express-4.18.1 > Npm-debug-2.6.9 > Npm-@ionic/cli-6.20.1 > Npm-leek-0.0.24 > Npm-debug-2.6.9 > Npm-swagger-ui-express-4.5.0 > Npm-express-4.18.1 > Npm-debug-2.6.9

Vulnerabilities:

  • (RECURRENT) Cx89601373-08db:
    debug before 4.3.0 has a memory leak when creating debug instances.
  • (RECURRENT) Cx8bc4df28-fcf5:
    debug accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a denial of service attack on the user's browser.
HIGH - Npm-inflight-1.0.6

location: package.json

origin: > Npm-goodparts-1.3.0 > Npm-eslint-6.8.0 > Npm-file-entry-cache-5.0.1 > Npm-flat-cache-2.0.1 > Npm-rimraf-2.6.3 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-@ionic/cli-6.20.1 > Npm-@ionic/cli-framework-5.1.3 > Npm-rimraf-3.0.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-istanbul-0.4.5 > Npm-glob-5.0.15 > Npm-inflight-1.0.6 > Npm-jest-27.5.1 > Npm-@jest/core-27.5.1 > Npm-@jest/reporters-27.5.1 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-mocha-9.2.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-phonegap-plugin-barcodescanner-8.1.0 > Npm-shelljs-0.8.5 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-rimraf-3.0.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-workbox-cli-6.5.3 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-yamljs-0.3.0 > Npm-glob-7.2.0 > Npm-inflight-1.0.6

Vulnerabilities:

  • (RECURRENT) Cxdca8e59f-8bfe:
    In npm inflight there is a memory leak because some resources are not freed correctly after being used. It appears to affect all versions.

List of Container Packages with HIGH CVEs

Container Packages detected

HIGH - procps
  • (RECURRENT) cve-2018-1126: procps-ng before version 3.3.15 is vulnerable to an incorrect integer size in proc/alloc.* leading to truncation/integer overflow issues. This flaw is related to CVE-2018-1124.
  • (RECURRENT) cve-2018-1122: procps-ng before version 3.3.15 is vulnerable to a local privilege escalation in top. If a user runs top with HOME unset in an attacker-controlled directory, the attacker could achieve privilege escalation by exploiting one of several vulnerabilities in the config_file() function.
  • (RECURRENT) cve-2018-1123: procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Inbuilt protection in ps maps a guard page at the end of the overflowed buffer, ensuring that the impact of this flaw is limited to a crash (temporary denial of service).
  • (RECURRENT) cve-2018-1124: procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. This allows a privilege escalation for a local attacker who can create entries in procfs by starting processes, which could result in crashes or arbitrary code execution in proc utilities run by other users.
  • (RECURRENT) cve-2018-1125: procps-ng before version 3.3.15 is vulnerable to a stack buffer overflow in pgrep. This vulnerability is mitigated by FORTIFY, as it involves strncat() to a stack-allocated string. When pgrep is compiled with FORTIFY (as on Red Hat Enterprise Linux and Fedora), the impact is limited to a crash.
HIGH - file
  • (RECURRENT) cve-2003-1092: Unknown vulnerability in the "Automatic File Content Type Recognition (AFCTR) Tool version of the file package before 3.41, related to "a memory allocation problem," has unknown impact.
  • (RECURRENT) cve-2004-1304: Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.
  • (RECURRENT) cve-2007-1536: Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow.
  • (RECURRENT) cve-2007-2026: The gnu regular expression code in file 4.20 allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted document with a large number of line feed characters, which is not well handled by OS/2 REXX regular expressions that use wildcards, as originally reported for AMaViS.
  • (RECURRENT) cve-2009-0947: Multiple integer overflows in the (1) cdf_read_property_info and (2) cdf_read_sat functions in file before 5.02.
  • (RECURRENT) cve-2009-0948: Multiple buffer overflows in the (1) cdf_read_sat, (2) cdf_read_long_sector_chain, and (3) cdf_read_ssat function in file before 5.02.
  • (RECURRENT) cve-2009-3930: Multiple integer overflows in Christos Zoulas file before 5.02 allow user-assisted remote attackers to have an unspecified impact via a malformed compound document (aka cdf) file that triggers a buffer overflow.
  • (RECURRENT) cve-2014-0236: file before 5.18, as used in the Fileinfo component in PHP before 5.6.0, allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a zero root_storage value in a CDF file, related to cdf.c and readcdf.c.
  • (RECURRENT) cve-2014-9653: readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory access) or possibly have unspecified other impact via a crafted ELF file.
  • (RECURRENT) cve-2015-8865: The file_check_mem function in funcs.c in file before 5.23, as used in the Fileinfo component in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5, mishandles continuation-level jumps, which allows context-dependent attackers to cause a denial of service (buffer overflow and application crash) or possibly execute arbitrary code via a crafted magic file.
  • (RECURRENT) cve-2019-18218: cdf_read_property_info in cdf.c in file through 5.37 does not restrict the number of CDF_VECTOR elements, which allows a heap-based buffer overflow (4-byte out-of-bounds write).
  • (RECURRENT) cve-2019-8904: do_bid_note in readelf.c in libmagic.a in file 5.35 has a stack-based buffer over-read, related to file_printf and file_vprintf.
  • (RECURRENT) cve-2019-8907: do_core_note in readelf.c in libmagic.a in file 5.35 allows remote attackers to cause a denial of service (stack corruption and application crash) or possibly have unspecified other impact.
HIGH - git
  • (RECURRENT) cve-2014-9390: Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; mine all versions before 08-12-2014; libgit2 all versions up to 0.21.2; Egit all versions before 08-12-2014; and JGit all versions before 08-12-2014 allow remote Git servers to execute arbitrary commands via a tree containing a crafted .git/config file with (1) an ignorable Unicode codepoint, (2) a git~1/config representation, or (3) mixed case that is improperly handled on a case-insensitive filesystem.
  • (RECURRENT) cve-2014-9938: contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.
  • (RECURRENT) cve-2015-7545: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
  • (RECURRENT) cve-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
  • (RECURRENT) cve-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.
  • (RECURRENT) cve-2017-1000117: A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL can result in any program that exists on the victim's machine being executed. Such a URL could be placed in the .gitmodules file of a malicious project, and an unsuspecting victim could be tricked into running "git clone --recurse-submodules" to trigger the vulnerability.
  • (RECURRENT) cve-2017-14867: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
  • (RECURRENT) cve-2017-8386: git-shell in git before 2.4.12, 2.5.x before 2.5.6, 2.6.x before 2.6.7, 2.7.x before 2.7.5, 2.8.x before 2.8.5, 2.9.x before 2.9.4, 2.10.x before 2.10.3, 2.11.x before 2.11.2, and 2.12.x before 2.12.3 might allow remote authenticated users to gain privileges via a repository name that starts with a - (dash) character.
  • (RECURRENT) cve-2018-11233: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, code to sanity-check pathnames on NTFS can result in reading out-of-bounds memory.
  • (RECURRENT) cve-2018-11235: In Git before 2.13.7, 2.14.x before 2.14.4, 2.15.x before 2.15.2, 2.16.x before 2.16.4, and 2.17.x before 2.17.1, remote code execution can occur. With a crafted .gitmodules file, a malicious project can execute an arbitrary script on a machine that runs "git clone --recurse-submodules" because submodule "names" are obtained from this file, and then appended to $GIT_DIR/modules, leading to directory traversal with "../" in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server.
  • (RECURRENT) cve-2018-17456: Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.1 allows remote code execution during processing of a recursive "git clone" of a superproject if a .gitmodules file has a URL field beginning with a '-' character.
  • (RECURRENT) cve-2018-19486: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
  • (RECURRENT) cve-2019-1349: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1350, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
  • (RECURRENT) cve-2019-1350: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1352, CVE-2019-1354, CVE-2019-1387.
  • (RECURRENT) cve-2019-1351: A tampering vulnerability exists when Git for Visual Studio improperly handles virtual drive paths, aka 'Git for Visual Studio Tampering Vulnerability'.
  • (RECURRENT) cve-2019-1352: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1354, CVE-2019-1387.
  • (RECURRENT) cve-2019-1353: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. When running Git in the Windows Subsystem for Linux (also known as "WSL") while accessing a working directory on a regular Windows drive, none of the NTFS protections were active.
  • (RECURRENT) cve-2019-1354: A remote code execution vulnerability exists when Git for Visual Studio improperly sanitizes input, aka 'Git for Visual Studio Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1349, CVE-2019-1350, CVE-2019-1352, CVE-2019-1387.
  • (RECURRENT) cve-2019-1387: An issue was found in Git before v2.24.1, v2.23.1, v2.22.2, v2.21.1, v2.20.2, v2.19.3, v2.18.2, v2.17.3, v2.16.6, v2.15.4, and v2.14.6. Recursive clones are currently affected by a vulnerability that is caused by too-lax validation of submodule names, allowing very targeted attacks via remote code execution in recursive clones.
  • (RECURRENT) cve-2019-19604: Arbitrary command execution is possible in Git before 2.20.2, 2.21.x before 2.21.1, 2.22.x before 2.22.2, 2.23.x before 2.23.1, and 2.24.x before 2.24.1 because a "git submodule update" operation can run commands found in the .gitmodules file of a malicious repository.
  • (RECURRENT) cve-2020-11008: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. This bug is similar to CVE-2020-5260(GHSA-qm7j-c969-7j4q). The fix for that bug still left the door open for an exploit where some credential is leaked (but the attacker cannot control which one). Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that are considered illegal as of the recently published Git versions can cause Git to send a "blank" pattern to helpers, missing hostname and protocol fields. Many helpers will interpret this as matching any URL, and will return some unspecified stored password, leaking the password to an attacker's server. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The root of the problem is in Git itself, which should not be feeding blank input to helpers. However, the ability to exploit the vulnerability in practice depends on which helpers are in use. Credential helpers which are known to trigger the vulnerability: - Git's "store" helper - Git's "cache" helper - the "osxkeychain" helper that ships in Git's "contrib" directory Credential helpers which are known to be safe even with vulnerable versions of Git: - Git Credential Manager for Windows Any helper not in this list should be assumed to trigger the vulnerability.
  • (RECURRENT) cve-2020-5260: Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1.
HIGH - openssl
  • (RECURRENT) cve-2018-0732: During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

List of Packages with HIGH Legal risks

Packages detected

xmldom - 0.1.15

location: pdm-web-components/package.json

origin: > Npm-stencil-0.0.5 > Npm-xmldom-0.1.15

Risks:

  • Issue Name: GPL - Copyright risk score: 6 - Patent risk score: 3 - Copyleft: Full

SAST Alerts

🔶 to be remediated within 90 days

SAST Alerts

(2) MEDIUM - Client_Privacy_Violation

CWE: 359

(NEW) Description: Method Cx31abc8fe at line 92 of /tests/wallet-test/AppBuilderTest.js sends user information outside the application. This may constitute a Privacy Violation.

                throw err;
            console.log(`App ${env.appName} created with credentials ${JSON.stringify(credentials, undefined, 2)}.\nSSI: ${{keySII}}`);
            testFinished();
        });

origin: /tests/wallet-test/AppBuilderTest.js - log line 129

(NEW) Description: Method Cx31abc8fe at line 96 of /tests/wallet-test/AppBuilderTest.js sends user information outside the application. This may constitute a Privacy Violation.

                throw err;
            console.log(`App ${env.appName} created with credentials ${JSON.stringify(credentials, undefined, 2)}.\nSSI: ${{keySII}}`);
            testFinished();
        });

origin: /tests/wallet-test/AppBuilderTest.js - log line 129

(4) MEDIUM - Missing_Encryption_of_Sensitive_Data

CWE: 311

(NEW) Description: The sensitive data in credentialsFilePath at /fgt-api/tests/controls/utils.js in line 23 is stored in plain-text by readFileSync at /fgt-api/tests/controls/utils.js in line 23.

    try {
        credentials = fs.readFileSync(credentialsFilePath);
        credentials = JSON.parse(credentials);
    } catch (e) {

origin: /fgt-api/tests/controls/utils.js - readFileSync line 23

(NEW) Description: The sensitive data in credentialsFilePath at /fgt-api/tests/controls/utils.js in line 10 is stored in plain-text by readFileSync at /fgt-api/tests/controls/utils.js in line 10.

    try {
        credentials = fs.readFileSync(credentialsFilePath);
        credentials = JSON.parse(credentials);
    } catch (e) {

origin: /fgt-api/tests/controls/utils.js - readFileSync line 10

(NEW) Description: The sensitive data in secret at /dashboard-wizard/credential-export.js in line 88 is stored in plain-text by writeFile at /dashboard-wizard/credential-export.js in line 100.

        return new Promise((resolve, reject) => {
        fs.writeFile(path.join(process.cwd(), "apihub-root/dashboard/identity.json"), JSON.stringify(data), err => err
            ? reject(err)
            : resolve(data))

origin: /dashboard-wizard/credential-export.js - writeFile line 100

(NEW) Description: The sensitive data in CREDENTIALS_FILE at /fgt-api/server.js in line 74 is stored in plain-text by copyFileSync at /fgt-api/server.js in line 74.

function overWriteCredentialsByRole(){
    fs.copyFileSync(path.join(currentPath, "..", "docker", "api", "env", CREDENTIALS_FILE),
        path.join(currentPath, "config", `fgt-${getWallet()}-wallet`, "credentials.json"))
}

origin: /fgt-api/server.js - copyFileSync line 74

(1) MEDIUM - Missing_HSTS_Header

CWE: 346

(NEW) Description: The web-application does not define an HSTS header, leaving it vulnerable to attack.

                try {
                    response = await response.json();
                } catch (e) {
                    return callback(e)

origin: /dashboard-wizard/managers/ApiBaseManager.js - json line 224

(21) LOW - Client_Hardcoded_Domain

CWE: 829

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" in /static-pages/add-product.html at line 8 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/add-product.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" line 8

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" in /static-pages/index.html at line 8 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/index.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" line 8

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" in /static-pages/add-product.html at line 13 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

    <link rel="stylesheet" href="./src/assets/css/styles.css"/>

origin: /static-pages/add-product.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" line 13

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" in /static-pages/add-product.html at line 9 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/add-product.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" line 9

(NEW) Description: The JavaScript file imported in https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css in /static-pages/tree-view/tree-view.html at line 10 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>

origin: /static-pages/tree-view/tree-view.html - https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css line 10

(NEW) Description: The JavaScript file imported in https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css in /static-pages/products.html at line 10 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>

origin: /static-pages/products.html - https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css line 10

(NEW) Description: The JavaScript file imported in https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css in /static-pages/index.html at line 10 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>

origin: /static-pages/index.html - https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css line 10

(NEW) Description: The JavaScript file imported in https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css in /static-pages/add-product.html at line 10 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>

origin: /static-pages/add-product.html - https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css line 10

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" in /static-pages/tree-view/tree-view.html at line 13 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

    <link rel="stylesheet" href="./../src/assets/css/styles.css"/>

origin: /static-pages/tree-view/tree-view.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" line 13

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" in /static-pages/tree-view/tree-view.html at line 12 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

origin: /static-pages/tree-view/tree-view.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" line 12

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" in /static-pages/tree-view/tree-view.html at line 9 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/tree-view/tree-view.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" line 9

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" in /static-pages/tree-view/tree-view.html at line 8 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/tree-view/tree-view.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" line 8

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" in /static-pages/products.html at line 13 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

    <link rel="stylesheet" href="./src/assets/css/styles.css"/>

origin: /static-pages/products.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" line 13

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" in /static-pages/products.html at line 12 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

origin: /static-pages/products.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" line 12

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" in /static-pages/products.html at line 9 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/products.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" line 9

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" in /static-pages/products.html at line 8 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/products.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js" line 8

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" in /static-pages/index.html at line 13 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

    <link rel="stylesheet" href="./src/assets/css/styles.css"/>

origin: /static-pages/index.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js" line 13

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" in /static-pages/add-product.html at line 12 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

origin: /static-pages/add-product.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" line 12

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js" in /apihub-root/index.html at line 14 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    </script>
    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
</head>
<body>

origin: /apihub-root/index.html - "https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js" line 14

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" in /static-pages/index.html at line 12 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.js"></script>

origin: /static-pages/index.html - "https://cdn.jsdelivr.net/npm/ionicons/dist/ionicons/ionicons.esm.js" line 12

(NEW) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" in /static-pages/index.html at line 9 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    <script type="module" src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.esm.js"></script>
    <script nomodule src="https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js"></script>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@ionic/core/css/ionic.bundle.css"/>

origin: /static-pages/index.html - "https://cdn.jsdelivr.net/npm/@ionic/core/dist/ionic/ionic.js" line 9

(1) LOW - Client_Use_Of_Iframe_Without_Sandbox

CWE: 829

(NEW) Description: The application employs an HTML iframe at whose contents are not properly sandboxed.

    const buildContainerIframe = (useSeedForIframeSource) => {
        const iframe = document.createElement("iframe");

        //iframe.setAttribute("sandbox", "allow-scripts allow-same-origin allow-forms");

origin: /pdm-trust-loader/src/scripts/services/WalletRunner.js - iframe line 45

(1) LOW - Missing_CSP_Header

CWE: 346

(NEW) Description: A Content Security Policy is not explicitly defined within the web-application.

        if (bodyToSend) {
            req.write(bodyToSend);
        }
        req.end();

origin: /bin/environment/wsCreateStuff.js - write line 225

(1) LOW - React_Deprecated

CWE: 477

(NEW) Description: Method getInputElement in /pdm-web-components/src/components/managed-stock-product-input/managed-stock-product-input.tsx, at line 264, calls an obsolete API, CxAssociativeArray_1daa212e. This has been deprecated, and should not be used in a modern codebase.

    return (
      <input name={this.name} required={this.required} hidden={true} value={this.value}></input>
    )
  }

origin: /pdm-web-components/src/components/managed-stock-product-input/managed-stock-product-input.tsx - CxAssociativeArray_1daa212e line 264

@joaoluis-pdm
Contributor

joaoluis-pdm commented Jul 28, 2022

Regarding the vulnerability scan given by Sanofi received on 2022-07-26, here is the status report at 2022-07-28 for the "HIGH CVEs" and "Legal risks" only.

HIGH - Npm-debug-2.6.9 - #95 - the dependency has been overridden by debug-4.3.4 or higher, and has passed the automated tests for the future v0.10.3 candidate version. Although this situation is not desirable (the only "good" fix would be a fix by the upstream package express), the workaround does not seem to break anything so far.

HIGH - Npm-inflight-1.0.6 - #96 - under analysis. There could be some workarounds, but the lead developer must be involved.

HIGH - (OS packages) procps #97, file #98, git #101, openSSL #102 - None of these OS packages are in use in the runtime image since v0.9.6 (2022-06-01 - Docker base images changed from debian to alpine linux). So we are a bit confused about where this report comes from.

HIGH Legal risks - xmldom - 0.1.15 - #103 - The requiring package was removed, and no additional visual defects were found on the future candidate release v0.10.3 (currently on https://fgt-dev.pharmaledger.pdmfc.com/ ).

@joaoluis-pdm
Contributor

Removed old Dockerfiles (a856314) as they might be confusing the scan tool.

@TiagoV-PDMFC
Contributor

TiagoV-PDMFC commented Aug 4, 2022

Regarding the SAST Alerts:

(2) MEDIUM - Client_Privacy_Violation : Those outputs belong in test scripts, and are therefore not run in the docker images. Also, the credentials output are randomly generated for each test and have absolutely no relation with the actual credentials used to generate the wallets. Due to these reasons we intend to take no action since this does not pose any kind of security risk. If that is important to the business we can delete the test files from the docker image;

(4) MEDIUM - Missing_Encryption_of_Sensitive_Data - #106 - it's the responsibility of each participant to override these default credentials with their own. We will however convert this mechanism to an environment variable and use the credentials file as a fallback. This will probably force an update to the helm charts (the fallback mechanism allows the current version to keep working until that change).

(1) MEDIUM - Missing_HSTS_Header - #107 - The code is designed for http (not https). It makes no sense to add a Strict-Transport-Security header to an http response in this situation. When deploying a production environment, the solution will probably be wrapped by a reverse https-to-http proxy. It is up to that proxy to add the Strict-Transport-Security header if desired.

(21) LOW - Client_Hardcoded_Domain - #108 - not a security problem at all. The files are never exposed to the web and exist only for testing purposes for CSS. We will however delete that folder to stop the false positives.

(1) LOW - Client_Use_Of_Iframe_Without_Sandbox - #109 - under analysis. We will add the adequate sandbox configs (this code comes from Romsoft and therefore should be extended to EPI and all other use cases).

(1) LOW - Missing_CSP_Header - The referred script is only used in development to quickly create products/batches, etc. and is not used in production. No action will be taken.

(1) LOW - React_Deprecated - the provided example:

    return (
      <input name={this.name} required={this.required} hidden={true} value={this.value}></input>
    )
  }

is standard code for Stencil-based applications according to the documentation and examples. We have no indication of deprecation of any kind. Additional clarifications are required here. Until then, no actions will be taken.

@bonfim-sanofi
Collaborator Author

Regarding the SAST Alerts:

(2) MEDIUM - Client_Privacy_Violation : Those outputs belong in test scripts, and are therefore not run in the docker images. Also, the credentials output are randomly generated for each test and have absolutely no relation with the actual credentials used to generate the wallets. Due to these reasons we intend to take no action since this does not pose any kind of security risk. If that is important to the business we can delete the test files from the docker image;

(4) MEDIUM - Missing_Encryption_of_Sensitive_Data - #106 - it's the responsibility of each participant to override these default credentials with their own. We will however convert this mechanism to an environment variable and use the credentials file as a fallback. This will probably force an update to the helm charts (the fallback mechanism allows the current version to keep working until that change).

(1) MEDIUM - Missing_HSTS_Header - #107 - under analysis

(21) LOW - Client_Hardcoded_Domain - #108 - not a security problem at all. The files are never exposed to the web and exist only for testing purposes for CSS. We will however delete that folder to stop the false positives.

(1) LOW - Client_Use_Of_Iframe_Without_Sandbox - #109 - under analysis. We will add the adequate sandbox configs (this code comes from Romsoft and therefore should be extended to EPI and all other use cases).

(1) LOW - Missing_CSP_Header - The referred script is only used in development to quickly create products/batches, etc. and is not used in production. No action will be taken.

(1) LOW - React_Deprecated - the provided example:

    return (
      <input name={this.name} required={this.required} hidden={true} value={this.value}></input>
    )
  }

is standard code for Stencil-based applications according to the documentation and examples. We have no indication of deprecation of any kind. Additional clarifications are required here. Until then, no actions will be taken.

Folders and files that are used only for testing purposes and are not exposed on the web are now filtered out from the security scan: tests/**, static-pages/** and bin/environment/wsCreateStuff.js.

@bonfim-sanofi
Collaborator Author

bonfim-sanofi commented Aug 16, 2022

Security scan results on commit 34ae845 filtering out test code mentioned above:

Security Scan Report: PharmaLedger-IMI/fgt-workspace


Commit: 34ae845

Executive summary

You'll find below a list of vulnerabilities identified by our service on both Static Application Security Testing and Software Composition Analysis dimensions:

  • SCA analyzes open source and 3rd party libraries (vulnerabilities and legal risks)
  • SAST focuses on custom code (built by the development team)
🔴 NO-GO for production 🔴        🔶 to be remediated within 90 days 🔶
SCA        SAST                   SAST
2          0                      9

🔴 NO-GO for production alerts

SCA Alerts

List of Packages with HIGH CVEs

Packages detected

HIGH - Npm-debug-4.3.4

location: fgt-api/package.json

origin: > Npm-@capacitor/cli-3.7.0 > Npm-debug-4.3.4 > Npm-express-4.18.1 > Npm-debug-4.3.4 > Npm-goodparts-1.3.0 > Npm-eslint-6.8.0 > Npm-debug-4.3.4 > Npm-@ionic/cli-6.20.1 > Npm-debug-4.3.4 > Npm-jest-27.5.1 > Npm-@jest/core-27.5.1 > Npm-@jest/reporters-27.5.1 > Npm-istanbul-lib-source-maps-4.0.1 > Npm-debug-4.3.4 > Npm-swagger-ui-express-4.5.0 > Npm-express-4.18.1 > Npm-debug-4.3.4 > Npm-workbox-cli-6.5.4 > Npm-workbox-build-6.5.4 > Npm-@babel/core-7.18.10 > Npm-debug-4.3.4

Vulnerabilities:

  • (RECURRENT) Cx8bc4df28-fcf5:
    In NPM debug, the enable function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service).

HIGH - Npm-inflight-1.0.6

location: package.json

origin: > Npm-goodparts-1.3.0 > Npm-eslint-6.8.0 > Npm-file-entry-cache-5.0.1 > Npm-flat-cache-2.0.1 > Npm-rimraf-2.6.3 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-@ionic/cli-6.20.1 > Npm-@ionic/cli-framework-5.1.3 > Npm-rimraf-3.0.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-istanbul-0.4.5 > Npm-glob-5.0.15 > Npm-inflight-1.0.6 > Npm-jest-27.5.1 > Npm-@jest/core-27.5.1 > Npm-@jest/reporters-27.5.1 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-mocha-9.2.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-phonegap-plugin-barcodescanner-8.1.0 > Npm-shelljs-0.8.5 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-rimraf-3.0.2 > Npm-glob-7.2.0 > Npm-inflight-1.0.6 > Npm-workbox-cli-6.5.4 > Npm-glob-7.2.3 > Npm-inflight-1.0.6 > Npm-yamljs-0.3.0 > Npm-glob-7.2.0 > Npm-inflight-1.0.6

Vulnerabilities:

  • (RECURRENT) Cxdca8e59f-8bfe:
    In npm inflight there is a memory leak because some resources are not freed correctly after being used. It appears to affect all versions.

List of Container Packages with HIGH CVEs

NO Container Packages detected

List of Packages with HIGH Legal risks

NO Packages detected

SAST Alerts

🔶 to be remediated within 90 days

SAST Alerts

(4) MEDIUM - Missing_Encryption_of_Sensitive_Data

CWE: 311

(RECURRENT) Description: The sensitive data in credentialsFilePath at /fgt-api/tests/controls/utils.js in line 10 is stored in plain-text by readFileSync at /fgt-api/tests/controls/utils.js in line 10.

    try {
        credentials = fs.readFileSync(credentialsFilePath);
        credentials = JSON.parse(credentials);
    } catch (e) {

origin: /fgt-api/tests/controls/utils.js - readFileSync line 10

(RECURRENT) Description: The sensitive data in credentialsFilePath at /fgt-api/tests/controls/utils.js in line 23 is stored in plain-text by readFileSync at /fgt-api/tests/controls/utils.js in line 23.

    try {
        credentials = fs.readFileSync(credentialsFilePath);
        credentials = JSON.parse(credentials);
    } catch (e) {

origin: /fgt-api/tests/controls/utils.js - readFileSync line 23

(RECURRENT) Description: The sensitive data in CREDENTIALS_FILE at /fgt-api/server.js in line 74 is stored in plain-text by copyFileSync at /fgt-api/server.js in line 74.

    function overWriteCredentialsByRole(){
        fs.copyFileSync(path.join(currentPath, "..", "docker", "api", "env", CREDENTIALS_FILE),
            path.join(currentPath, "config", `fgt-${getWallet()}-wallet`, "credentials.json"))
    }

origin: /fgt-api/server.js - copyFileSync line 74

(RECURRENT) Description: The sensitive data in secret at /dashboard-wizard/credential-export.js in line 88 is stored in plain-text by writeFile at /dashboard-wizard/credential-export.js in line 100.

    return new Promise((resolve, reject) => {
        fs.writeFile(path.join(process.cwd(), "apihub-root/dashboard/identity.json"), JSON.stringify(data), err => err
            ? reject(err)
            : resolve(data))

origin: /dashboard-wizard/credential-export.js - writeFile line 100

(1) MEDIUM - Missing_HSTS_Header

CWE: 346

(RECURRENT) Description: The web-application does not define an HSTS header, leaving it vulnerable to attack.

                try {
                    response = await response.json();
                } catch (e) {
                    return callback(e)

origin: /dashboard-wizard/managers/ApiBaseManager.js - json line 224

(1) LOW - Client_Hardcoded_Domain

CWE: 829

(RECURRENT) Description: The JavaScript file imported in "https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js" in /apihub-root/index.html at line 14 is from a remote domain, which may allow attackers to replace its contents with malicious code.

    </script>
    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
</head>
<body>

origin: /apihub-root/index.html - "https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js" line 14

(1) LOW - Client_Use_Of_Iframe_Without_Sandbox

CWE: 829

(RECURRENT) Description: The application employs an HTML iframe at whose contents are not properly sandboxed.

    const buildContainerIframe = (useSeedForIframeSource) => {
        const iframe = document.createElement("iframe");

        //iframe.setAttribute("sandbox", "allow-scripts allow-same-origin allow-forms");

origin: /pdm-trust-loader/src/scripts/services/WalletRunner.js - iframe line 45

(1) LOW - Missing_CSP_Header

CWE: 346

(NEW) Description: A Content Security Policy is not explicitly defined within the web-application.

        res.statusCode = err.statusCode;
        res.write(JSON.stringify({
            status: err.statusCode,
            error: err.message,

origin: /fgt-api/middleware.js - write line 8

(1) LOW - React_Deprecated

CWE: 477

(RECURRENT) Description: Method getInputElement in /pdm-web-components/src/components/managed-stock-product-input/managed-stock-product-input.tsx, at line 297, calls an obsolete API, CxAssociativeArray_55eeafc5. This has been deprecated, and should not be used in a modern codebase.

    return (
      <input name={this.name} required={this.required} hidden={true} value={this.value}></input>
    )
  }

origin: /pdm-web-components/src/components/managed-stock-product-input/managed-stock-product-input.tsx - CxAssociativeArray_55eeafc5 line 297

@TiagoV-PDMFC
Contributor

(1) LOW - Missing_CSP_Header - issue #110

@bonfim-sanofi
Collaborator Author

Action points for medium and low SAST alerts:

@bonfim-sanofi

  • Missing_Encryption_of_Sensitive_Data
    • Ignore /fgt-api/tests folder
  • React_Deprecated
    • Ignore rule
  • Missing_HSTS_Header
    • Ignore rule

PDM

  • /dashboard-wizard/credential-export.js
    • Rename the file, use environment variable
  • Client_Hardcoded_Domain
    • /apihub-root/index.html
  • Client_Use_Of_Iframe_Without_Sandbox
    • Under analysis
  • Missing_CSP_Header
    • Under analysis

@TiagoV-PDMFC
Contributor

TiagoV-PDMFC commented Aug 17, 2022

(1) LOW - Client_Hardcoded_Domain - issue #111 - fixed

@joaoluis-pdm
Contributor

joaoluis-pdm commented Aug 17, 2022

Current PDM status (see the sub-issue for details):
