Skip to content

Instantly share code, notes, and snippets.

@nyrahul

nyrahul/og.json

Created November 18, 2025 06:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save nyrahul/99358993ae17c8b65594d6738c575c3b to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save nyrahul/99358993ae17c8b65594d6738c575c3b to your computer and use it in GitHub Desktop.
Download ZIP
AccuKnox Frontend Code with AI Analysis of SAST Analysis
Raw
og.json
{
"version": "1.11.5",
"scan_date": "2025-11-18T03:23:29.531Z",
"total_findings": 18,
"false_positives_count": 5,
"true_positives_count": 13,
"priority_breakdown": {
"critical": 0,
"high": 8,
"medium": 5,
"low": 5
},
"results": [
{
"check_id": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"path": ".github/workflows/pr-check.yaml",
"start": {
"line": 60,
"col": 9,
"offset": 1865
},
"end": {
"line": 64,
"col": 45,
"offset": 2029
},
"extra": {
"metavars": {
"$JOBNAME": {
"start": {
"line": 11,
"col": 3,
"offset": 128
},
"end": {
"line": 11,
"col": 20,
"offset": 145
},
"abstract_content": "validate-pr-title"
},
"$ACTION": {
"start": {
"line": 61,
"col": 15,
"offset": 1894
},
"end": {
"line": 61,
"col": 34,
"offset": 1913
},
"abstract_content": "actions/checkout@v4"
},
"$EXPR": {
"start": {
"line": 63,
"col": 16,
"offset": 1943
},
"end": {
"line": 63,
"col": 57,
"offset": 1984
},
"abstract_content": "${{ github.event.pull_request.head.sha }}"
}
},
"message": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.",
"metadata": {
"category": "security",
"owasp": [
"A01:2021 - Broken Access Control"
],
"cwe": [
"CWE-913: Improper Control of Dynamically-Managed Code Resources"
],
"references": [
"https://securitylab.github.com/research/github-actions-preventing-pwn-requests/",
"https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md"
],
"technology": [
"github-actions"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Code Injection"
],
"source": "https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"shortlink": "https://sg.run/jkdn",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13365,
"rule_id": "d8Ulkd",
"rv_id": 947043,
"url": "https://semgrep.dev/playground/r/rxT6kwW/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout",
"version_id": "rxT6kwW"
}
}
},
"severity": "WARNING",
"fingerprint": "ae8dd65093f78913d9509a2d91c5e1585800f31968ebc87bec21e05a740728bc41674bc9a94bf1d5526219ee46d8a91629dde6892b446f7a113e6d6c13f315cc_0",
"lines": " - name: Checkout\n uses: actions/checkout@v4\n with:\n ref: ${{ github.event.pull_request.head.sha }}\n token: ${{ secrets.GH_ORG_TOKEN }}",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.75,
"positive_reasoning": "The workflow uses pull_request_target trigger and checks out code from the incoming PR. While the checkout itself uses the PR head SHA, this workflow needs careful review to ensure no untrusted code is executed with repository secrets access. The workflow runs npm build which could execute arbitrary code from package.json scripts.",
"mitigation_recommendation": "Review the workflow to ensure: 1) No npm install/build commands execute code from the PR, 2) Use pull_request trigger instead if secrets are not needed, 3) If secrets are required, run untrusted code in a separate job without secret access, 4) Consider using workflow_run trigger for two-stage approach.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/helper/globalRegex.ts",
"start": {
"line": 9,
"col": 24,
"offset": 299
},
"end": {
"line": 9,
"col": 100,
"offset": 375
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 8,
"col": 39,
"offset": 256
},
"end": {
"line": 8,
"col": 44,
"offset": 261
},
"abstract_content": "input"
}
},
"message": "RegExp() called with a `input` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "a5200deb718939582287e10b892cc3d913aa12d6e303c31ba82fb6ce7da52f5c7f2d105e8606e93298b159d84e0976a211d550147e86c9249b8f5356ace22ebf_0",
"lines": " const regexPattern = new RegExp(input?.replace(/(^|\\/)-(?=\\S)/g, \"$1\").replace(/\\*/g, \".*\"), \"i\");",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/helper/globalRegex.ts",
"start": {
"line": 8,
"col": 39,
"offset": 256
},
"end": {
"line": 8,
"col": 44,
"offset": 261
}
},
"input"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/helper/globalRegex.ts",
"start": {
"line": 8,
"col": 39,
"offset": 256
},
"end": {
"line": 8,
"col": 44,
"offset": 261
}
},
"content": "input"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/helper/globalRegex.ts",
"start": {
"line": 9,
"col": 24,
"offset": 299
},
"end": {
"line": 9,
"col": 100,
"offset": 375
}
},
"new RegExp(input?.replace(/(^|\\/)-(?=\\S)/g, \"$1\").replace(/\\*/g, \".*\"), \"i\")"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.6,
"positive_reasoning": "Creating RegExp from user input can lead to ReDoS (Regular Expression Denial of Service) attacks. In globalRegex.ts, functions like ClusterNamespaceRegex() and ReplaceAsterisk() create RegExp objects from input parameters without validation. If user-controlled input reaches these functions, attackers could craft malicious regex patterns causing excessive CPU usage.",
"mitigation_recommendation": "Validate and sanitize input before creating RegExp objects. Implement input length limits, whitelist allowed characters, and consider using a safe regex library. Add timeout mechanisms for regex execution. If the input comes from trusted sources only (e.g., configuration files), document this assumption clearly.",
"priority": "medium"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/helper/globalRegex.ts",
"start": {
"line": 36,
"col": 10,
"offset": 1144
},
"end": {
"line": 36,
"col": 45,
"offset": 1179
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 35,
"col": 33,
"offset": 1119
},
"end": {
"line": 35,
"col": 34,
"offset": 1120
},
"abstract_content": "r"
}
},
"message": "RegExp() called with a `r` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "02fb395c843f408915d944d32afe8b9e939e040cbdd7b3ac9a876b0307ecf8a652d57e896bb41674140be2fc81d3eb5d5f0e3bcfddd2c6118abc99c38f0e7917_0",
"lines": " return new RegExp(r?.replace(/\\*/g, \".*\"));",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/helper/globalRegex.ts",
"start": {
"line": 35,
"col": 33,
"offset": 1119
},
"end": {
"line": 35,
"col": 34,
"offset": 1120
}
},
"r"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/helper/globalRegex.ts",
"start": {
"line": 35,
"col": 33,
"offset": 1119
},
"end": {
"line": 35,
"col": 34,
"offset": 1120
}
},
"content": "r"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/helper/globalRegex.ts",
"start": {
"line": 36,
"col": 10,
"offset": 1144
},
"end": {
"line": 36,
"col": 45,
"offset": 1179
}
},
"new RegExp(r?.replace(/\\*/g, \".*\"))"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.6,
"positive_reasoning": "Creating RegExp from user input can lead to ReDoS (Regular Expression Denial of Service) attacks. In globalRegex.ts, functions like ClusterNamespaceRegex() and ReplaceAsterisk() create RegExp objects from input parameters without validation. If user-controlled input reaches these functions, attackers could craft malicious regex patterns causing excessive CPU usage.",
"mitigation_recommendation": "Validate and sanitize input before creating RegExp objects. Implement input length limits, whitelist allowed characters, and consider using a safe regex library. Add timeout mechanisms for regex execution. If the input comes from trusted sources only (e.g., configuration files), document this assumption clearly.",
"priority": "medium"
}
},
{
"check_id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"path": "src/helper/hooks/userMetaDataHooks/useUpdateModuleConfig.tsx",
"start": {
"line": 14,
"col": 7,
"offset": 468
},
"end": {
"line": 14,
"col": 29,
"offset": 490
},
"extra": {
"metavars": {
"$X": {
"start": {
"line": 7,
"col": 3,
"offset": 196
},
"end": {
"line": 7,
"col": 7,
"offset": 200
},
"abstract_content": "keys",
"propagated_value": {
"svalue_start": {
"line": 4,
"col": 16,
"offset": 155
},
"svalue_end": {
"line": 4,
"col": 31,
"offset": 170
},
"svalue_abstract_content": "path.split(\".\")"
}
},
"$SMTH": {
"start": {
"line": 14,
"col": 7,
"offset": 468
},
"end": {
"line": 14,
"col": 14,
"offset": 475
},
"abstract_content": "current"
},
"$A": {
"start": {
"line": 14,
"col": 25,
"offset": 486
},
"end": {
"line": 14,
"col": 28,
"offset": 489
},
"abstract_content": "key"
}
},
"message": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"category": "security",
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"technology": [
"typescript"
],
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Mass Assignment"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"shortlink": "https://sg.run/w1DB",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13373,
"rule_id": "QrUpbJ",
"rv_id": 945877,
"url": "https://semgrep.dev/playground/r/YDTvRjl/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"version_id": "YDTvRjl"
}
}
},
"severity": "WARNING",
"fingerprint": "e42ad2773e84d07aa0f3815dd52f117a3fedabfc9752236d85ac631e4d8bf55e9897527ab38df6726a27c2a564f5e47b42ea3a8c7ec7026fb39ca793076d528b_0",
"lines": " current = current[key];",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.65,
"positive_reasoning": "The code uses a loop to assign properties to an object without checking for prototype pollution. If the keys come from untrusted sources (e.g., API responses, user input), attackers could inject keys like \"__proto__\", \"constructor\", or \"prototype\" to pollute the Object prototype chain, potentially leading to security vulnerabilities across the application.",
"mitigation_recommendation": "Use Object.create(null) to create objects without prototype, validate/sanitize object keys before assignment, use Map instead of plain objects for dynamic keys, or use Object.hasOwnProperty() checks. Consider using libraries like \"prototype-pollution-check\" or implement a safelist of allowed keys.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField.tsx",
"start": {
"line": 43,
"col": 25,
"offset": 1784
},
"end": {
"line": 43,
"col": 49,
"offset": 1808
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 10,
"col": 28,
"offset": 529
},
"end": {
"line": 10,
"col": 94,
"offset": 595
},
"abstract_content": "{label label placeholder placeholder required required value value validation validation name name control control}"
}
},
"message": "RegExp() called with a `{ label, placeholder, required, value, validation, name, control }` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "1f73cb0f26073d9df950d8831573d8718088e8e72ae1cb65244f272c617b77bc52a61f830667f51631769d2d2680d63dafe9beb12c3a812f5bb5a54eea75ac0b_0",
"lines": " const regex = new RegExp(regexPattern);",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField.tsx",
"start": {
"line": 10,
"col": 28,
"offset": 529
},
"end": {
"line": 10,
"col": 94,
"offset": 595
}
},
"{ label, placeholder, required, value, validation, name, control }"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField.tsx",
"start": {
"line": 10,
"col": 67,
"offset": 568
},
"end": {
"line": 10,
"col": 77,
"offset": 578
}
},
"content": "validation"
},
{
"location": {
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField.tsx",
"start": {
"line": 12,
"col": 9,
"offset": 677
},
"end": {
"line": 12,
"col": 21,
"offset": 689
}
},
"content": "regexPattern"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField.tsx",
"start": {
"line": 43,
"col": 25,
"offset": 1784
},
"end": {
"line": 43,
"col": 49,
"offset": 1808
}
},
"new RegExp(regexPattern)"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.7,
"positive_reasoning": "The RegexField component creates RegExp from user input for validation purposes. This is a potential ReDoS vulnerability if users can provide arbitrarily complex regex patterns that cause catastrophic backtracking.",
"mitigation_recommendation": "Implement regex complexity validation, set maximum length limits for regex patterns, add execution timeout for regex test operations, and consider using a safe-regex library to detect potentially dangerous patterns before execution.",
"priority": "medium"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField/utils/regexValidation.ts",
"start": {
"line": 3,
"col": 12,
"offset": 78
},
"end": {
"line": 3,
"col": 31,
"offset": 97
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 1,
"col": 33,
"offset": 32
},
"end": {
"line": 1,
"col": 40,
"offset": 39
},
"abstract_content": "pattern"
}
},
"message": "RegExp() called with a `pattern` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "6823bc233c9a42e869b19413c681f25a36f2a131a9c440b5f9a569ee082bf835c1343bd74539d03975db3d9a7fae7491366347ff02e5f4cb8d4be4bf14f7eb20_0",
"lines": " return new RegExp(pattern);",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField/utils/regexValidation.ts",
"start": {
"line": 1,
"col": 33,
"offset": 32
},
"end": {
"line": 1,
"col": 40,
"offset": 39
}
},
"pattern"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField/utils/regexValidation.ts",
"start": {
"line": 1,
"col": 33,
"offset": 32
},
"end": {
"line": 1,
"col": 40,
"offset": 39
}
},
"content": "pattern"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/screens/Collectors/CreateCollector/ConfigureTarget/Parameters/ComponentGenerator/Components/RegexField/utils/regexValidation.ts",
"start": {
"line": 3,
"col": 12,
"offset": 78
},
"end": {
"line": 3,
"col": 31,
"offset": 97
}
},
"new RegExp(pattern)"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.7,
"positive_reasoning": "The RegexField component creates RegExp from user input for validation purposes. This is a potential ReDoS vulnerability if users can provide arbitrarily complex regex patterns that cause catastrophic backtracking.",
"mitigation_recommendation": "Implement regex complexity validation, set maximum length limits for regex patterns, add execution timeout for regex test operations, and consider using a safe-regex library to detect potentially dangerous patterns before execution.",
"priority": "medium"
}
},
{
"check_id": "generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"path": "src/screens/Compliance/CSPM/mockdata.jsx",
"start": {
"line": 63,
"col": 9,
"offset": 1385
},
"end": {
"line": 63,
"col": 40,
"offset": 1416
},
"extra": {
"metavars": {
"$2": {
"start": {
"line": 1,
"col": 1,
"offset": 0
},
"end": {
"line": 1,
"col": 8,
"offset": 7
},
"abstract_content": "Account"
},
"$ACCOUNT_ID": {
"start": {
"line": 63,
"col": 10,
"offset": 1386
},
"end": {
"line": 63,
"col": 23,
"offset": 1399
},
"abstract_content": "AccountNumber"
},
"$SECRET": {
"start": {
"line": 63,
"col": 27,
"offset": 1403
},
"end": {
"line": 63,
"col": 39,
"offset": 1415
},
"abstract_content": "338407444948"
}
},
"message": "AWS Account ID detected. While not considered sensitive information, it is important to use them and share them carefully. For that reason it would be preferrable avoiding to hardcoded it here. Instead, read the value from an environment variable or keep the value in a separate, private file.",
"metadata": {
"cwe": [
"CWE-798: Use of Hard-coded Credentials"
],
"source-rule-url": "https://github.com/grab/secret-scanner/blob/master/scanner/signatures/pattern.go",
"category": "security",
"technology": [
"secrets",
"aws"
],
"confidence": "LOW",
"owasp": [
"A07:2021 - Identification and Authentication Failures"
],
"references": [
"https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures"
],
"cwe2022-top25": true,
"cwe2021-top25": true,
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Hard-coded Secrets"
],
"source": "https://semgrep.dev/r/generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"shortlink": "https://sg.run/Ro22",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 9049,
"rule_id": "zdUkdd",
"rv_id": 1032973,
"url": "https://semgrep.dev/playground/r/GxT60Oy/generic.secrets.security.detected-aws-account-id.detected-aws-account-id",
"version_id": "GxT60Oy"
}
}
},
"severity": "INFO",
"fingerprint": "1d45a8dcf7332dcaf2c772797c26df98386b6a1a024cd6ee51393e7064304e20b84c90564b34eebfab8084e165cbc8c407bf95c249bc4e06fed418fa1e2c0408_0",
"lines": " \"AccountNumber\": \"338407444948\",",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": true,
"confidence": 0.95,
"positive_reasoning": "The AWS Account ID (338407444948) is found in a mock data file used for testing/development purposes. Mock data is not used in production and does not represent real credentials or sensitive information. This is standard practice for frontend development.",
"mitigation_recommendation": "No action required. This is mock data for testing. However, ensure this file is not accidentally deployed to production or exposed publicly. Consider adding comments to clearly mark this as test data. Verify that real AWS credentials are never committed to the repository.",
"priority": "low"
}
},
{
"check_id": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"path": "src/screens/DashboardV2/components/widgets/aspm/TopSecretsByContributor.tsx",
"start": {
"line": 45,
"col": 35,
"offset": 1981
},
"end": {
"line": 45,
"col": 58,
"offset": 2004
},
"extra": {
"metavars": {
"$1": {
"start": {
"line": 1,
"col": 2,
"offset": 1
},
"end": {
"line": 1,
"col": 3,
"offset": 2
},
"abstract_content": ">"
},
"$STR": {
"start": {
"line": 45,
"col": 35,
"offset": 1981
},
"end": {
"line": 45,
"col": 42,
"offset": 1988
},
"abstract_content": "email?."
},
"$CHAR": {
"start": {
"line": 45,
"col": 50,
"offset": 1996
},
"end": {
"line": 45,
"col": 53,
"offset": 1999
},
"abstract_content": "\">\""
}
},
"message": "`email?..replace` method will only replace the first occurrence when used with a string argument (\">\"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.",
"metadata": {
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"category": "security",
"technology": [
"javascript"
],
"owasp": [
"A03:2021 - Injection"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Improper Encoding"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"shortlink": "https://sg.run/1GbQ",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13466,
"rule_id": "d8UlRq",
"rv_id": 945873,
"url": "https://semgrep.dev/playground/r/0bT15RE/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"version_id": "0bT15RE"
}
}
},
"severity": "WARNING",
"fingerprint": "685323dd11b0a00f205d03aba053eb2ad3df17f6e9ac10d48492d9d708b4dad5b2fcd5cfb225d656b8697cf87e18fa5224015ad0f20b803d2116ae2491635df6_0",
"lines": " <DarkTooltip title={email?.replace(\">\", \"\")} placement=\"top\">",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.75,
"positive_reasoning": "The code uses .replace(\">\", \"\") which is incomplete sanitization. If the email field contains user-controlled data that is later rendered in the DOM, this minimal sanitization is insufficient to prevent XSS attacks. Only removing \">\" character leaves many attack vectors open (e.g., <script>, onerror attributes, javascript: URLs, etc.).",
"mitigation_recommendation": "Use a proper sanitization library like DOMPurify for HTML content, or better yet, use React's built-in escaping by rendering text content directly. If displaying email addresses, use textContent instead of innerHTML. Implement Content Security Policy (CSP) headers to provide defense in depth.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 896,
"col": 9,
"offset": 28291
},
"end": {
"line": 896,
"col": 66,
"offset": 28348
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
},
"abstract_content": "delimiters"
}
},
"message": "RegExp() called with a `delimiters` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "a73e1330cf23854d1e56a987c297fd9738fc5b9ad4b900487d22427320032bac636e1a6c47cb3401d65420193c3bec86bfd1a924c0205e2f10ca0f4327399e01_0",
"lines": " ? new RegExp(delimiters.map(d => escapeRegex(d)).join(\"|\"))",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
}
},
"delimiters"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
}
},
"content": "delimiters"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 896,
"col": 9,
"offset": 28291
},
"end": {
"line": 896,
"col": 66,
"offset": 28348
}
},
"new RegExp(delimiters.map(d => escapeRegex(d)).join(\"|\"))"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": true,
"confidence": 0.8,
"positive_reasoning": "The RegExp creation in helpers.tsx appears to be for internal string manipulation with controlled patterns. The context suggests these are utility functions that use dynamic regex for legitimate purposes like filtering or formatting, with input from controlled sources.",
"mitigation_recommendation": "While this appears to be a false positive, ensure that any input to these helper functions is validated. Document that these functions should not receive untrusted user input directly. Consider refactoring to use literal regex patterns where possible.",
"priority": "low"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 897,
"col": 9,
"offset": 28357
},
"end": {
"line": 897,
"col": 44,
"offset": 28392
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
},
"abstract_content": "delimiters"
}
},
"message": "RegExp() called with a `delimiters` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "a73e1330cf23854d1e56a987c297fd9738fc5b9ad4b900487d22427320032bac636e1a6c47cb3401d65420193c3bec86bfd1a924c0205e2f10ca0f4327399e01_1",
"lines": " : new RegExp(escapeRegex(delimiters));",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
}
},
"delimiters"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 885,
"col": 3,
"offset": 27889
},
"end": {
"line": 885,
"col": 13,
"offset": 27899
}
},
"content": "delimiters"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/screens/DashboardV2/utils/helpers.tsx",
"start": {
"line": 897,
"col": 9,
"offset": 28357
},
"end": {
"line": 897,
"col": 44,
"offset": 28392
}
},
"new RegExp(escapeRegex(delimiters))"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": true,
"confidence": 0.8,
"positive_reasoning": "The RegExp creation in helpers.tsx appears to be for internal string manipulation with controlled patterns. The context suggests these are utility functions that use dynamic regex for legitimate purposes like filtering or formatting, with input from controlled sources.",
"mitigation_recommendation": "While this appears to be a false positive, ensure that any input to these helper functions is validated. Document that these functions should not receive untrusted user input directly. Consider refactoring to use literal regex patterns where possible.",
"priority": "low"
}
},
{
"check_id": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"path": "src/screens/DashboardV3/components/widgets/aspm/TopSecretsByContributor.tsx",
"start": {
"line": 50,
"col": 35,
"offset": 2251
},
"end": {
"line": 50,
"col": 58,
"offset": 2274
},
"extra": {
"metavars": {
"$1": {
"start": {
"line": 1,
"col": 2,
"offset": 1
},
"end": {
"line": 1,
"col": 3,
"offset": 2
},
"abstract_content": ">"
},
"$STR": {
"start": {
"line": 50,
"col": 35,
"offset": 2251
},
"end": {
"line": 50,
"col": 42,
"offset": 2258
},
"abstract_content": "email?."
},
"$CHAR": {
"start": {
"line": 50,
"col": 50,
"offset": 2266
},
"end": {
"line": 50,
"col": 53,
"offset": 2269
},
"abstract_content": "\">\""
}
},
"message": "`email?..replace` method will only replace the first occurrence when used with a string argument (\">\"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.",
"metadata": {
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"category": "security",
"technology": [
"javascript"
],
"owasp": [
"A03:2021 - Injection"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Improper Encoding"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"shortlink": "https://sg.run/1GbQ",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13466,
"rule_id": "d8UlRq",
"rv_id": 945873,
"url": "https://semgrep.dev/playground/r/0bT15RE/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"version_id": "0bT15RE"
}
}
},
"severity": "WARNING",
"fingerprint": "e684b99f0dc2d44ff938d77af3b60757c8fec8d1f52d040243bb2fa48fdf448b9def01a04b2b973836d8159dce0f8f2d98740825ca87f0b5ea31d30af4a1b226_0",
"lines": " <DarkTooltip title={email?.replace(\">\", \"\")} arrow placement=\"top\">",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.75,
"positive_reasoning": "The code uses .replace(\">\", \"\") which is incomplete sanitization. If the email field contains user-controlled data that is later rendered in the DOM, this minimal sanitization is insufficient to prevent XSS attacks. Only removing \">\" character leaves many attack vectors open (e.g., <script>, onerror attributes, javascript: URLs, etc.).",
"mitigation_recommendation": "Use a proper sanitization library like DOMPurify for HTML content, or better yet, use React's built-in escaping by rendering text content directly. If displaying email addresses, use textContent instead of innerHTML. Implement Content Security Policy (CSP) headers to provide defense in depth.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"path": "src/screens/DashboardV3/utils/helpers.tsx",
"start": {
"line": 528,
"col": 17,
"offset": 17272
},
"end": {
"line": 528,
"col": 41,
"offset": 17296
},
"extra": {
"metavars": {
"$ARG": {
"start": {
"line": 525,
"col": 43,
"offset": 17103
},
"end": {
"line": 525,
"col": 52,
"offset": 17112
},
"abstract_content": "toReplace"
}
},
"message": "RegExp() called with a `toReplace` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.",
"metadata": {
"owasp": [
"A05:2021 - Security Misconfiguration",
"A06:2017 - Security Misconfiguration"
],
"cwe": [
"CWE-1333: Inefficient Regular Expression Complexity"
],
"references": [
"https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"
],
"source-rule-url": "https://github.com/nodesecurity/eslint-plugin-security/blob/master/rules/detect-non-literal-regexp.js",
"category": "security",
"technology": [
"javascript"
],
"subcategory": [
"vuln"
],
"likelihood": "MEDIUM",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Denial-of-Service (DoS)"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"shortlink": "https://sg.run/gr65",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 12685,
"rule_id": "zdU1gD",
"rv_id": 945869,
"url": "https://semgrep.dev/playground/r/A8TJz19/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp",
"version_id": "A8TJz19"
}
}
},
"severity": "WARNING",
"fingerprint": "8ecd5f64df2988cd09673915254d1dab053b800edb42719522515a90eb7bc5dd9767ea117d497318bf2b5c05f82cd5ac2537a5efe8fe0977dbd64d43e0a8d88c_0",
"lines": " const regex = new RegExp(escaped, \"g\");",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "src/screens/DashboardV3/utils/helpers.tsx",
"start": {
"line": 525,
"col": 43,
"offset": 17103
},
"end": {
"line": 525,
"col": 52,
"offset": 17112
}
},
"toReplace"
]
],
"intermediate_vars": [
{
"location": {
"path": "src/screens/DashboardV3/utils/helpers.tsx",
"start": {
"line": 525,
"col": 43,
"offset": 17103
},
"end": {
"line": 525,
"col": 52,
"offset": 17112
}
},
"content": "toReplace"
},
{
"location": {
"path": "src/screens/DashboardV3/utils/helpers.tsx",
"start": {
"line": 527,
"col": 9,
"offset": 17196
},
"end": {
"line": 527,
"col": 16,
"offset": 17203
}
},
"content": "escaped"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "src/screens/DashboardV3/utils/helpers.tsx",
"start": {
"line": 528,
"col": 17,
"offset": 17272
},
"end": {
"line": 528,
"col": 41,
"offset": 17296
}
},
"new RegExp(escaped, \"g\")"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": true,
"confidence": 0.8,
"positive_reasoning": "The RegExp creation in helpers.tsx appears to be for internal string manipulation with controlled patterns. The context suggests these are utility functions that use dynamic regex for legitimate purposes like filtering or formatting, with input from controlled sources.",
"mitigation_recommendation": "While this appears to be a false positive, ensure that any input to these helper functions is validated. Document that these functions should not receive untrusted user input directly. Consider refactoring to use literal regex patterns where possible.",
"priority": "low"
}
},
{
"check_id": "javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"path": "src/screens/Issues/Findings/DetailModal/FindingsDetails/FindingslDrawerTabs/FindingsDetailsMarkdownProcessor.tsx",
"start": {
"line": 68,
"col": 33,
"offset": 1707
},
"end": {
"line": 68,
"col": 58,
"offset": 1732
},
"extra": {
"metavars": {
"$1": {
"start": {
"line": 1,
"col": 2,
"offset": 1
},
"end": {
"line": 1,
"col": 3,
"offset": 2
},
"abstract_content": "]"
},
"$STR": {
"start": {
"line": 68,
"col": 33,
"offset": 1707
},
"end": {
"line": 68,
"col": 41,
"offset": 1715
},
"abstract_content": "indexStr",
"propagated_value": {
"svalue_start": {
"line": 62,
"col": 28,
"offset": 1586
},
"svalue_end": {
"line": 62,
"col": 42,
"offset": 1600
},
"svalue_abstract_content": "splitResult[1]"
}
},
"$CHAR": {
"start": {
"line": 68,
"col": 50,
"offset": 1724
},
"end": {
"line": 68,
"col": 53,
"offset": 1727
},
"abstract_content": "\"]\""
}
},
"message": "`indexStr.replace` method will only replace the first occurrence when used with a string argument (\"]\"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.",
"metadata": {
"cwe": [
"CWE-116: Improper Encoding or Escaping of Output"
],
"category": "security",
"technology": [
"javascript"
],
"owasp": [
"A03:2021 - Injection"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Improper Encoding"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"shortlink": "https://sg.run/1GbQ",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13466,
"rule_id": "d8UlRq",
"rv_id": 945873,
"url": "https://semgrep.dev/playground/r/0bT15RE/javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization",
"version_id": "0bT15RE"
}
}
},
"severity": "WARNING",
"fingerprint": "d9b0ad9b443dc1c157c24336a330cd61ca23f8c8abf9d35c3903baa55e08313c47767edf6aa26264a1d50f23bce66e98d53d82b36cf4af67957c1ed49fbe05a1_0",
"lines": " const cleanIndexStr = indexStr.replace(\"]\", \"\");",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.8,
"positive_reasoning": "Markdown processing with incomplete sanitization can lead to XSS vulnerabilities. The processor may not adequately sanitize markdown input before rendering as HTML, allowing attackers to inject malicious scripts through markdown syntax or HTML embedded in markdown.",
"mitigation_recommendation": "Use a well-tested markdown library with built-in sanitization (e.g., marked with DOMPurify, or react-markdown with rehype-sanitize). Ensure all HTML output is sanitized. Implement CSP headers. Consider using a markdown renderer that outputs React components instead of raw HTML.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"path": "src/screens/Issues/Findings/DetailModal/FindingsDetails/FindingslDrawerTabs/FindingsDetailsMarkdownProcessor.tsx",
"start": {
"line": 86,
"col": 11,
"offset": 2341
},
"end": {
"line": 86,
"col": 63,
"offset": 2393
},
"extra": {
"metavars": {
"$SMTH": {
"start": {
"line": 86,
"col": 11,
"offset": 2341
},
"end": {
"line": 86,
"col": 18,
"offset": 2348
},
"abstract_content": "current"
},
"$A": {
"start": {
"line": 86,
"col": 58,
"offset": 2388
},
"end": {
"line": 86,
"col": 62,
"offset": 2392
},
"abstract_content": "part"
}
},
"message": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"category": "security",
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"technology": [
"typescript"
],
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Mass Assignment"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"shortlink": "https://sg.run/w1DB",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13373,
"rule_id": "QrUpbJ",
"rv_id": 945877,
"url": "https://semgrep.dev/playground/r/YDTvRjl/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"version_id": "YDTvRjl"
}
}
},
"severity": "WARNING",
"fingerprint": "339a0d64206b4c8fb1c8089bf3aa23780623a078cfd0333f71c31160a9661984a4f83dc6e9403d5e1a7100988f31c5c823253954d8551922f0a90465647c0aab_0",
"lines": " current = (current as Record<string, unknown>)[part];",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.65,
"positive_reasoning": "The code uses a loop to assign properties to an object without checking for prototype pollution. If the keys come from untrusted sources (e.g., API responses, user input), attackers could inject keys like \"__proto__\", \"constructor\", or \"prototype\" to pollute the Object prototype chain, potentially leading to security vulnerabilities across the application.",
"mitigation_recommendation": "Use Object.create(null) to create objects without prototype, validate/sanitize object keys before assignment, use Map instead of plain objects for dynamic keys, or use Object.hasOwnProperty() checks. Consider using libraries like \"prototype-pollution-check\" or implement a safelist of allowed keys.",
"priority": "high"
}
},
{
"check_id": "javascript.browser.security.insecure-document-method.insecure-document-method",
"path": "src/screens/SBOM/features/sbom/sbomDetails/tabs/dependencyGraph/MermaidRenderer.tsx",
"start": {
"line": 49,
"col": 11,
"offset": 988
},
"end": {
"line": 49,
"col": 46,
"offset": 1023
},
"extra": {
"metavars": {
"$EL": {
"start": {
"line": 49,
"col": 11,
"offset": 988
},
"end": {
"line": 49,
"col": 29,
"offset": 1006
},
"abstract_content": "elementRef.current"
},
"$HTML": {
"start": {
"line": 49,
"col": 42,
"offset": 1019
},
"end": {
"line": 49,
"col": 45,
"offset": 1022
},
"abstract_content": "svg"
}
},
"message": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities",
"metadata": {
"cwe": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
],
"owasp": [
"A07:2017 - Cross-Site Scripting (XSS)",
"A03:2021 - Injection"
],
"category": "security",
"technology": [
"browser"
],
"cwe2022-top25": true,
"cwe2021-top25": true,
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"references": [
"https://owasp.org/Top10/A03_2021-Injection"
],
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Cross-Site-Scripting (XSS)"
],
"source": "https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method",
"shortlink": "https://sg.run/LwA9",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 9239,
"rule_id": "ReUg41",
"rv_id": 945779,
"url": "https://semgrep.dev/playground/r/zyTlk9P/javascript.browser.security.insecure-document-method.insecure-document-method",
"version_id": "zyTlk9P"
}
}
},
"severity": "ERROR",
"fingerprint": "e0728c05d06469071fb5edca27270dffd3a1a9a7e539f6601746423b2811fdebee1a13e2d5f70b86fcd1b06bdcc4cd05e900f5c8cf45e026e1ee87c74a070470_0",
"lines": " elementRef.current.innerHTML = svg;",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.55,
"positive_reasoning": "The code uses innerHTML to render Mermaid diagrams. While Mermaid library has built-in sanitization for SVG output, directly setting innerHTML can be risky if the SVG content is not properly validated. The risk is lower because Mermaid generates the content, but vulnerabilities in Mermaid or configuration issues could still lead to XSS.",
"mitigation_recommendation": "Verify that the Mermaid library version is up-to-date and includes security fixes. Consider using DOMPurify to sanitize the SVG output before setting innerHTML. Alternatively, use safer DOM methods like creating elements programmatically. Implement CSP to restrict inline scripts. Review Mermaid configuration to ensure secure rendering options.",
"priority": "medium"
}
},
{
"check_id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"path": "src/store/entities/policyEditor/NetworkPolicyEditor/slice.js",
"start": {
"line": 176,
"col": 7,
"offset": 6841
},
"end": {
"line": 176,
"col": 25,
"offset": 6859
},
"extra": {
"metavars": {
"$X": {
"start": {
"line": 175,
"col": 5,
"offset": 6813
},
"end": {
"line": 175,
"col": 9,
"offset": 6817
},
"abstract_content": "keys"
},
"$SMTH": {
"start": {
"line": 176,
"col": 7,
"offset": 6841
},
"end": {
"line": 176,
"col": 12,
"offset": 6846
},
"abstract_content": "value"
},
"$A": {
"start": {
"line": 176,
"col": 21,
"offset": 6855
},
"end": {
"line": 176,
"col": 24,
"offset": 6858
},
"abstract_content": "key"
}
},
"message": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"category": "security",
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"technology": [
"typescript"
],
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Mass Assignment"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"shortlink": "https://sg.run/w1DB",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13373,
"rule_id": "QrUpbJ",
"rv_id": 945877,
"url": "https://semgrep.dev/playground/r/YDTvRjl/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"version_id": "YDTvRjl"
}
}
},
"severity": "WARNING",
"fingerprint": "ef16820c06fe6c189ee99490c608dd2f8f3dbdac533c9b675bb3fc7fba9f032bf1bc76f7a0c751e768bc71fbbc978e71b20ea03b095e996de311c532c7615372_0",
"lines": " value = value[key];",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.7,
"positive_reasoning": "Policy editor code performs object property assignment in loops. If policy data comes from API or user input without proper validation, this could be exploited for prototype pollution attacks, potentially affecting the entire application state.",
"mitigation_recommendation": "Validate all keys before object assignment, use Object.create(null) for data objects, implement key sanitization to reject dangerous keys (__proto__, constructor, prototype), and use safer data structures like Map for dynamic key-value storage.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"path": "src/store/entities/policyEditor/index.js",
"start": {
"line": 26,
"col": 7,
"offset": 798
},
"end": {
"line": 26,
"col": 25,
"offset": 816
},
"extra": {
"metavars": {
"$X": {
"start": {
"line": 25,
"col": 5,
"offset": 770
},
"end": {
"line": 25,
"col": 9,
"offset": 774
},
"abstract_content": "keys"
},
"$SMTH": {
"start": {
"line": 26,
"col": 7,
"offset": 798
},
"end": {
"line": 26,
"col": 12,
"offset": 803
},
"abstract_content": "value"
},
"$A": {
"start": {
"line": 26,
"col": 21,
"offset": 812
},
"end": {
"line": 26,
"col": 24,
"offset": 815
},
"abstract_content": "key"
}
},
"message": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.",
"metadata": {
"cwe": [
"CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"
],
"category": "security",
"references": [
"https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf"
],
"technology": [
"typescript"
],
"owasp": [
"A08:2021 - Software and Data Integrity Failures"
],
"subcategory": [
"audit"
],
"likelihood": "LOW",
"impact": "LOW",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Mass Assignment"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"shortlink": "https://sg.run/w1DB",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 13373,
"rule_id": "QrUpbJ",
"rv_id": 945877,
"url": "https://semgrep.dev/playground/r/YDTvRjl/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop",
"version_id": "YDTvRjl"
}
}
},
"severity": "WARNING",
"fingerprint": "c0a4bc7a6e5fa993e856dda2a280feff7ae73deb0b8ec0997caebdd230229af3eaa41fbeb21d6cdfc0ec3ce22d4185b59d2283959c3a734739bb5e5d01843ecc_0",
"lines": " value = value[key];",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": false,
"confidence": 0.7,
"positive_reasoning": "Policy editor code performs object property assignment in loops. If policy data comes from API or user input without proper validation, this could be exploited for prototype pollution attacks, potentially affecting the entire application state.",
"mitigation_recommendation": "Validate all keys before object assignment, use Object.create(null) for data objects, implement key sanitization to reject dangerous keys (__proto__, constructor, prototype), and use safer data structures like Map for dynamic key-value storage.",
"priority": "high"
}
},
{
"check_id": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"path": "vite.config.js",
"start": {
"line": 13,
"col": 49,
"offset": 494
},
"end": {
"line": 13,
"col": 50,
"offset": 495
},
"extra": {
"metavars": {
"$X": {
"start": {
"line": 13,
"col": 22,
"offset": 467
},
"end": {
"line": 13,
"col": 23,
"offset": 468
},
"abstract_content": "p"
},
"$PATH": {
"start": {
"line": 13,
"col": 27,
"offset": 472
},
"end": {
"line": 13,
"col": 31,
"offset": 476
},
"abstract_content": "path"
},
"$SINK": {
"start": {
"line": 13,
"col": 49,
"offset": 494
},
"end": {
"line": 13,
"col": 50,
"offset": 495
},
"abstract_content": "p"
}
},
"message": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.",
"metadata": {
"owasp": [
"A05:2017 - Broken Access Control",
"A01:2021 - Broken Access Control"
],
"cwe": [
"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
],
"category": "security",
"references": [
"https://owasp.org/www-community/attacks/Path_Traversal"
],
"technology": [
"javascript",
"node.js"
],
"cwe2022-top25": true,
"cwe2021-top25": true,
"subcategory": [
"vuln"
],
"likelihood": "HIGH",
"impact": "MEDIUM",
"confidence": "LOW",
"license": "Semgrep Rules License v1.0. For more details, visit semgrep.dev/legal/rules-license",
"vulnerability_class": [
"Path Traversal"
],
"source": "https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"shortlink": "https://sg.run/OPqk",
"semgrep.dev": {
"rule": {
"origin": "community",
"r_id": 9331,
"rule_id": "8GUjrq",
"rv_id": 945875,
"url": "https://semgrep.dev/playground/r/qkT4jzX/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
"version_id": "qkT4jzX"
}
}
},
"severity": "WARNING",
"fingerprint": "f1978e573297ca03b2d76f30bb2fed5a1e37b81bd8b6b799829ece01402b34cebda213328ae49ee1218d3d0d5e4f18ec2e3bb3dc9f467ef7df43318117b6bd58_0",
"lines": "const getAliasPath = p => path.resolve(srcPath, p);",
"is_ignored": false,
"validation_state": "NO_VALIDATOR",
"dataflow_trace": {
"taint_source": [
"CliLoc",
[
{
"path": "vite.config.js",
"start": {
"line": 13,
"col": 22,
"offset": 467
},
"end": {
"line": 13,
"col": 23,
"offset": 468
}
},
"p"
]
],
"intermediate_vars": [
{
"location": {
"path": "vite.config.js",
"start": {
"line": 13,
"col": 22,
"offset": 467
},
"end": {
"line": 13,
"col": 23,
"offset": 468
}
},
"content": "p"
}
],
"taint_sink": [
"CliLoc",
[
{
"path": "vite.config.js",
"start": {
"line": 13,
"col": 49,
"offset": 494
},
"end": {
"line": 13,
"col": 50,
"offset": 495
}
},
"p"
]
]
},
"engine_kind": "OSS"
},
"security_analysis": {
"is_false_positive": true,
"confidence": 0.9,
"positive_reasoning": "The path.resolve() usage in vite.config.js is using __dirname which is a Node.js built-in that refers to the current directory of the module. This is not user-controlled input and is a standard practice in build configuration files. There is no path traversal risk as the paths are static and determined at build time.",
"mitigation_recommendation": "No action required. This is standard build configuration practice. However, ensure that any dynamic path operations in the application runtime (not build config) properly validate user input to prevent path traversal attacks.",
"priority": "low"
}
}
]
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment