SAST scan status

Report from the scan performed on 2020-03-15 at 21:47:33 for https://github.com/AppThreat/WebGoat

Repository Details
Repository: https://github.com/AppThreat/WebGoat
Branch: develop
Commit: 2edd84b77e39ae9e20dba319f64c6c9c42f4045e

Invocation Details
Tool: Static code analysis by PMD
Run Id: 85bd11a5-4d71-4bc3-ac78-b47d03762fd2
Directory: file:///Users/prabhu/work/WebGoat
Executive Summary

This report was generated by AppThreat from the SAST scan invocation on 2020-03-15 at 21:47:33. The scan used the open source tool "Static code analysis by PMD" to scan the source code repository https://github.com/AppThreat/WebGoat.

Below is a summary of the issues identified:

Severity Count
CRITICAL 0
HIGH 0
MEDIUM 0
LOW 92
TOTAL 92

Based on this report, the application is certified as ready for deployment to test and production environments. Please refer to the dependency and container scan reports (if available) for additional context.

All Issues (92)

Rule Severity Source location Message
Performance LOW WebWolfMacro.java String.indexOf(char) is faster than String.indexOf(String).
host = request.getHeader("Host");
int semicolonIndex = host.indexOf(":");
Performance LOW Lesson.java Avoid using redundant field initializer for 'id'.
private static int count = 1;
private Integer id = null;
Performance LOW LessonMenuItem.java StringBuffer constructor is initialized with size 16, but has at least 18 characters appended.
public String toString() {
StringBuilder bldr = new StringBuilder();
Performance LOW LessonMenuItem.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
StringBuilder bldr = new StringBuilder();
bldr.append("Name: ").append(name).append(" | ");
Performance LOW LessonMenuItem.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
StringBuilder bldr = new StringBuilder();
bldr.append("Name: ").append(name).append(" | ");
Performance LOW LessonMenuService.java Avoid instantiating new objects inside loops.
for (Category category : categories) {
LessonMenuItem categoryItem = new LessonMenuItem();
Performance LOW LessonMenuService.java Avoid instantiating new objects inside loops.
for (Lesson lesson : lessons) {
LessonMenuItem lessonItem = new LessonMenuItem();
Performance LOW LessonProgressService.java Avoid instantiating new objects inside loops.
storedAssignment.setPath(lessonAssignment.getPath());
result.add(new LessonOverview(storedAssignment, entry.getValue()));
Performance LOW LessonProgressService.java Avoid instantiating new objects inside loops.
} else if (lessonAssignment.getName().equals(storedAssignment.getName())) {
result.add(new LessonOverview(storedAssignment, entry.getValue()));
Performance LOW ReportCardService.java Avoid instantiating new objects inside loops.
LessonTracker lessonTracker = userTracker.getLessonTracker(lesson);
LessonStatistics lessonStatistics = new LessonStatistics();
Performance LOW SessionService.java StringBuffer constructor is initialized with size 16, but has at least 145 characters appended.
String showSession(HttpServletRequest request, HttpSession session) {
StringBuilder sb = new StringBuilder();
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
StringBuilder sb = new StringBuilder();
sb.append("id").append(" = ").append(session.getId()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
StringBuilder sb = new StringBuilder();
sb.append("id").append(" = ").append(session.getId()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
StringBuilder sb = new StringBuilder();
sb.append("id").append(" = ").append(session.getId()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
StringBuilder sb = new StringBuilder();
sb.append("id").append(" = ").append(session.getId()).append("\n");
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
sb.append("id").append(" = ").append(session.getId()).append("\n");
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
sb.append("id").append(" = ").append(session.getId()).append("\n");
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("id").append(" = ").append(session.getId()).append("\n");
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("created").append(" = ").append(new Date(session.getCreationTime())).append("\n");
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("last access").append(" = ").append(new Date(session.getLastAccessedTime())).append("\n");
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("timeout (secs)").append(" = ").append(session.getMaxInactiveInterval()).append("\n");
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
Performance LOW SessionService.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("session from cookie?").append(" = ").append(request.isRequestedSessionIdFromCookie()).append("\n");
sb.append("session from url?").append(" = ").append(request.isRequestedSessionIdFromURL()).append("\n");
Performance LOW SessionService.java Do not add empty strings.
for (String attribute : attributes) {
String value = session.getAttribute(attribute) + "";
Performance LOW SessionService.java Avoid appending characters as strings in StringBuffer.append.
String value = session.getAttribute(attribute) + "";
sb.append(attribute).append(" = ").append(value).append("\n");
Performance LOW LabelDebugger.java Avoid using redundant field initializer for 'enabled'.

private boolean enabled = false;
Performance LOW LessonTracker.java Avoid using redundant field initializer for 'numberOfAttempts'.
@Getter
private int numberOfAttempts = 0;
Performance LOW Scoreboard.java Avoid instantiating new objects inside loops.
UserTracker userTracker = userTrackerRepository.findByUser(user.getUsername());
rankings.add(new Ranking(user.getUsername(), challengesSolved(userTracker)));
Performance LOW Assignment7.java String.indexOf(char) is faster than String.indexOf(String).
if (StringUtils.hasText(email)) {
String username = email.substring(0, email.indexOf("@"));
Performance LOW MD5.java Avoid instantiating new objects inside loops.
try {
System.out.println(MD5.getHashString(new File(element)) + " " + element);
Performance LOW MD5.java Avoid instantiating FileInputStream, FileOutputStream, FileReader, or FileWriter.
public static byte[] getHash(File f) throws IOException {
InputStream is = new FileInputStream(f);
Performance LOW MD5.java Avoid instantiating FileInputStream, FileOutputStream, FileReader, or FileWriter.
public static String getHashString(File f) throws IOException {
InputStream is = new FileInputStream(f);
Performance LOW MD5.java Avoid appending characters as strings in StringBuffer.append.
// number to make it two digits.
buf.append("0");
Performance LOW Assignment8.java Do not add empty strings.
public ResponseEntity getVotes() {
return ResponseEntity.ok(votes.entrySet().stream().collect(Collectors.toMap(e -> "" + e.getKey(), e -> e.getValue())));
Performance LOW Salaries.java Avoid instantiating FileInputStream, FileOutputStream, FileReader, or FileWriter.
try {
FileCopyUtils.copy(classPathResource.getInputStream(), new FileOutputStream(new File(targetDirectory, "employees.xml")));
Performance LOW Salaries.java Avoid instantiating FileInputStream, FileOutputStream, FileReader, or FileWriter.
XPath path = factory.newXPath();
InputSource inputSource = new InputSource(new FileInputStream(d));
Performance LOW Salaries.java StringBuffer constructor is initialized with size 16, but has at least 145 characters appended.

StringBuffer sb = new StringBuffer();
Performance LOW Salaries.java StringBuffer (or StringBuilder).append is called 5 consecutive times with literals. Use a single append with a single combined String.

sb.append("/Employees/Employee/UserID | ");
Performance LOW Salaries.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.

sb.append("/Employees/Employee/UserID | ");
Performance LOW Salaries.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("/Employees/Employee/UserID | ");
sb.append("/Employees/Employee/FirstName | ");
Performance LOW Salaries.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("/Employees/Employee/FirstName | ");
sb.append("/Employees/Employee/LastName | ");
Performance LOW Salaries.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
sb.append("/Employees/Employee/LastName | ");
sb.append("/Employees/Employee/SSN | ");
Performance LOW Salaries.java Avoid instantiating new objects inside loops.
if (i % columns == 0) {
employeeJson = new HashMap<>();
Performance LOW CrossSiteScriptingLesson1.java Avoid calling toString() on String objects; this is unnecessary.
public AttackResult completed(@RequestParam String answer_xss_1) {
if (answer_xss_1.toString().toLowerCase().equals("yes")) {
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer constructor is initialized with size 16, but has at least 200 characters appended.
userSessionData.setValue("xss-reflected1-complete", (Object) "false");
StringBuffer cart = new StringBuffer();
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat.\nYou're support is appreciated\n");
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
StringBuffer cart = new StringBuffer();
cart.append("Thank you for shopping at WebGoat.\nYou're support is appreciated\n");
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer (or StringBuilder).append is called 3 consecutive times with literals. Use a single append with a single combined String.
cart.append("Thank you for shopping at WebGoat.\nYou're support is appreciated\n");
cart.append("\n\nWe have charged credit card:" + field1 + "\n");
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
cart.append("Thank you for shopping at WebGoat.\nYou're support is appreciated\n");
cart.append("\n\nWe have charged credit card:" + field1 + "\n");
Performance LOW CrossSiteScriptingLesson5a.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
cart.append("\n\nWe have charged credit card:" + field1 + "\n");
cart.append(" -------------------\n");
Performance LOW CrossSiteScriptingLesson5a.java Avoid concatenating nonliterals in a StringBuffer/StringBuilder constructor or append().
cart.append("                             -------------------\n");
cart.append(" $" + totalSale);
Performance LOW CryptoUtil.java Prefer StringBuilder (non-synchronized) or StringBuffer (synchronized) over += for concatenating strings.
String encodedString = "-----BEGIN PRIVATE KEY-----\n";
encodedString = encodedString+new String(Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),Charset.forName("UTF-8"))+"\n";
Performance LOW CryptoUtil.java Prefer StringBuilder (non-synchronized) or StringBuffer (synchronized) over += for concatenating strings.
encodedString = encodedString+new String(Base64.getEncoder().encode(keyPair.getPrivate().getEncoded()),Charset.forName("UTF-8"))+"\n";
encodedString = encodedString+"-----END PRIVATE KEY-----\n";
Performance LOW InsecureLoginTask.java Avoid calling toString() on String objects; this is unnecessary.
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
Performance LOW InsecureLoginTask.java Avoid calling toString() on String objects; this is unnecessary.
public AttackResult completed(@RequestParam String username, @RequestParam String password) {
if (username.toString().equals("CaptainJack") && password.toString().equals("BlackPearl")) {
Performance LOW Vote.java Avoid using redundant field initializer for 'average'.
@JsonView(Views.UserView.class)
private long average = 0;
Performance LOW MissingFunctionACUsers.java Avoid instantiating new objects inside loops.
for (WebGoatUser user : allUsers) {
displayUsers.add(new DisplayUser(user));
Performance LOW MissingFunctionACUsers.java Avoid instantiating new objects inside loops.
for (WebGoatUser user : allUsers) {
displayUsers.add(new DisplayUser(user));
Performance LOW Users.java Avoid instantiating new objects inside loops.
while (results.next()) {
HashMap userMap = new HashMap<>();
Performance LOW ResetLinkAssignmentForgotPassword.java String.indexOf(char) is faster than String.indexOf(String).
private void sendMailToUser(String email, String host, String resetLink) {
int index = email.indexOf("@");
Performance LOW SimpleMailAssignment.java String.indexOf(char) is faster than String.indexOf(String).
private String extractUsername(String email) {
int index = email.indexOf("@");
Performance LOW SecurePasswordsAssignment.java StringBuffer constructor is initialized with size 16, but has at least 415 characters appended.
Zxcvbn zxcvbn = new Zxcvbn();
StringBuffer output = new StringBuffer();
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.

output.append("Your Password: *******\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.

output.append("Your Password: *******\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
output.append("Your Password: *******\n");
output.append("Length: " + password.length() + "\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
output.append("Your Password: *******\n");
output.append("Length: " + password.length() + "\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
output.append("Length: " + password.length() + "\n");
output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses()) + "\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
output.append("Length: " + password.length() + "\n");
output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses()) + "\n");
Performance LOW SecurePasswordsAssignment.java Avoid concatenating nonliterals in a StringBuffer/StringBuilder constructor or append().
}
output.append("Estimated cracking time: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
Performance LOW SecurePasswordsAssignment.java Avoid concatenating nonliterals in a StringBuffer/StringBuilder constructor or append().
if (strength.getFeedback().getWarning().length() != 0)
output.append("\nWarning: " + strength.getFeedback().getWarning());
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called 2 consecutive times with literals. Use a single append with a single combined String.
}
output.append("Score: " + strength.getScore() + "/5\n");
Performance LOW SecurePasswordsAssignment.java StringBuffer (or StringBuilder).append is called consecutively without reusing the target variable.
}
output.append("Score: " + strength.getScore() + "/5\n");
Performance LOW SecurePasswordsAssignment.java Avoid concatenating nonliterals in a StringBuffer/StringBuilder constructor or append().
output.append("Score: " + strength.getScore() + "/5\n");
output.append("Estimated cracking time in seconds: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
Performance LOW SqlInjectionLesson4.java StringBuffer constructor is initialized with size 16, but has at least 39 characters appended.
ResultSet results = statement.executeQuery("SELECT phone from employees;");
StringBuffer output = new StringBuffer();
Performance LOW SqlInjectionLesson5.java StringBuffer constructor is initialized with size 16, but has at least 39 characters appended.
String regex = "(?i)^(grant alter table to [']?unauthorizedUser[']?)(?:[;]?)$";
StringBuffer output = new StringBuffer();
Performance LOW SqlInjectionLesson5a.java StringBuffer constructor is initialized with size 16, but has at least 70 characters appended.
results.beforeFirst();
StringBuilder t = new StringBuilder();
Performance LOW SqlInjectionLesson8.java StringBuffer constructor is initialized with size 16, but has at least 78 characters appended.
results.beforeFirst();
StringBuffer table = new StringBuffer();
Performance LOW Servers.java Avoid instantiating new objects inside loops.
while (rs.next()) {
Server server = new Server(rs.getString(1), rs.getString(2), rs.getString(3), rs.getString(4), rs.getString(5), rs.getString(6));
Performance LOW SqlInjectionLesson10b.java Prefer StringBuilder (non-synchronized) or StringBuffer (synchronized) over += for concatenating strings.
for (Diagnostic d : hasCompiled) {
errors += d.getMessage(null) + "\n";
Performance LOW SqlInjectionLesson10b.java Avoid using redundant field initializer for 'contents'.
class JavaObjectFromString extends SimpleJavaFileObject {
private String contents = null;
Performance LOW SSRFTask1.java StringBuffer constructor is initialized with size 16, but has at least 62 characters appended.
try {
StringBuffer html = new StringBuffer();
Performance LOW SSRFTask2.java StringBuffer constructor is initialized with size 16, but has at least 63 characters appended.
try {
StringBuffer html = new StringBuffer();
Performance LOW MailAssignment.java String.indexOf(char) is faster than String.indexOf(String).
public AttackResult sendEmail(@RequestParam String email) {
String username = email.substring(0, email.indexOf("@"));
Performance LOW FileServer.java Avoid instantiating new objects inside loops.
String link = String.format("files/%s/%s", username, file.getName());
uploadedFiles.add(new UploadedFile(file.getName(), size, link));
Performance LOW Email.java String.indexOf(char) is faster than String.indexOf(String).
public String getShortSender() {
return sender.substring(0, sender.indexOf("@"));

Thank you for supporting AppThreat