From 5bfea8593e64cd44f668a04e7562e7b8df4f41a2 Mon Sep 17 00:00:00 2001
From: manufacturist <15235526+manufacturist@users.noreply.github.com>
Date: Tue, 15 Jul 2025 14:40:47 +0300
Subject: [PATCH 1/3] feat: support for high severity
---
 build.sbt | 3 ++-
 .../scala/com/codacy/analysis/cli/formatter/Sarif.scala | 2 ++
 .../scala/com/codacy/analysis/cli/formatter/Text.scala | 1 +
 project/Dependencies.scala | 4 ++--
 project/plugins.sbt | 2 +-
 .../toolRespository/remote/ToolRepositoryRemoteSpec.scala | 7 +++++++
 6 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/build.sbt b/build.sbt
index b87efb8a..55160f1e 100644
--- a/build.sbt
+++ b/build.sbt
@@ -97,7 +97,8 @@ lazy val downloadCodacyToolsSwaggerFile = Def.task[Unit] {
 if (!Files.exists(apiSwaggerFile.toPath)) {
 val result: String = scala.io.Source
- .fromURL(url(s"https://artifacts.codacy.com/api/codacy-api/${Dependencies.codacyApiVersion}/apiv3.yaml"))
+ .fromURL(
+ url(s"https://artifacts.codacy.com/api/codacy-api/${Dependencies.codacyApiVersion}/apiv3-bundled.yaml"))
 .mkString
 IO.write(apiSwaggerFile, result)
 }
diff --git a/cli/src/main/scala/com/codacy/analysis/cli/formatter/Sarif.scala b/cli/src/main/scala/com/codacy/analysis/cli/formatter/Sarif.scala
index 6ac0a91b..1fd6581d 100644
--- a/cli/src/main/scala/com/codacy/analysis/cli/formatter/Sarif.scala
+++ b/cli/src/main/scala/com/codacy/analysis/cli/formatter/Sarif.scala
@@ -172,6 +172,7 @@ private[formatter] class Sarif(val stream: PrintStream, val executionDirectory:
 private def securityIssueSeverity(level: results.Result.Level.Value): SarifReport.Level.Value = {
 level match {
 case results.Result.Level.Err => SarifReport.Level.Error
+ case results.Result.Level.High => SarifReport.Level.Error
 case results.Result.Level.Warn => SarifReport.Level.Warning
 case _ => SarifReport.Level.Note
 }
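Review bot: The rewritten `.fromURL(...)` call on the new side still reads the remote spec through a `scala.io.Source` that is never closed, so the underlying URL stream is left to the garbage collector; binding it first, `val src = scala.io.Source.fromURL(url(...))`, and reading with `try src.mkString finally src.close()` releases it on both the success and the failure path. The fetched YAML is written unchanged to `apiSwaggerFile` and feeds code generation, yet it is identified only by `Dependencies.codacyApiVersion` in the URL, so any later change to what that version serves silently changes the generated client; if a checksum of `apiv3-bundled.yaml` is published alongside it, verifying it before `IO.write` would make the download reproducible and tamper-evident. `downloadCodacyToolsSwaggerFile` starts before the hunk.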
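Review bot: In `securityIssueSeverity` the new `High` case maps to `SarifReport.Level.Error`, the same value as `Err`, and the companion hunk at L2 does the same for `nonSecurityIssueSeverity` with `Warning`, so the new severity is indistinguishable from `Err` in the SARIF output. That collapse is probably unavoidable if `SarifReport.Level` mirrors SARIF's fixed set of levels, but it deserves a comment on the added line, `// SARIF has no level above Error; High deliberately collapses into Err`, and if `SarifReport` can carry a `security-severity` or `rank` property (its definition is not in the hunk) the original level should be recorded there so consumers can still rank High above Err. The `case _ =>` fallback is what keeps this match total, since `results.Result.Level` is matched through its `.Value` type and so appears to be a `scala.Enumeration` the compiler cannot check for exhaustiveness. The method's closing brace lies outside the hunk.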
@@ -181,6 +182,7 @@ private[formatter] class Sarif(val stream: PrintStream, val executionDirectory:
 private def nonSecurityIssueSeverity(level: results.Result.Level.Value): SarifReport.Level.Value = {
 level match {
 case results.Result.Level.Err => SarifReport.Level.Warning
+ case results.Result.Level.High => SarifReport.Level.Warning
 case results.Result.Level.Warn => SarifReport.Level.Note
 case _ => SarifReport.Level.None
 }
diff --git a/cli/src/main/scala/com/codacy/analysis/cli/formatter/Text.scala b/cli/src/main/scala/com/codacy/analysis/cli/formatter/Text.scala
index 4806af13..e216a60d 100644
--- a/cli/src/main/scala/com/codacy/analysis/cli/formatter/Text.scala
+++ b/cli/src/main/scala/com/codacy/analysis/cli/formatter/Text.scala
@@ -99,6 +99,7 @@ private[formatter] class Text(val stream: PrintStream) extends Formatter {
 level match {
 case results.Result.Level.Info => Console.BLUE
 case results.Result.Level.Warn => Console.YELLOW
+ case results.Result.Level.High => Console.RED
 case results.Result.Level.Err => Console.RED
 }
 }
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index d3a9ab36..03f50c0a 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -5,7 +5,7 @@ object Dependencies {
 val codacyPluginsVersion = "26.2.6_play_2.7"
 val circeVersion = "0.12.3"
 val specs2Version = "4.8.1"
- val codacyApiVersion = "26.20.0"
+ val codacyApiVersion = "49.31.14"
 val silencerVersion = "1.7.19"
 lazy val circe = List(
@@ -30,7 +30,7 @@ object Dependencies {
 val codacyPlugins = Seq("codacy-plugins", "codacy-plugins-runner-binary").map("com.codacy" %% _ % codacyPluginsVersion)
- lazy val pluginsApi = "com.codacy" %% "codacy-plugins-api" % "8.1.1"
+ lazy val pluginsApi = "com.codacy" %% "codacy-plugins-api" % "9.1.6"
 lazy val pprint = "com.lihaoyi" %% "pprint" % "0.5.7"
diff --git a/project/plugins.sbt b/project/plugins.sbt
index 8928b7c4..3dd313e7 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
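Review bot: The colour `match` in the Text formatter hunk has no fallback, and because `results.Result.Level` is matched through its `.Value` type it appears to be a `scala.Enumeration`, which the compiler cannot check for exhaustiveness; any level beyond the ones listed reaches the formatter as a `MatchError` while a report is being printed, which is presumably why the `High` case had to be added alongside the `codacy-plugins-api` bump in the Dependencies hunk on this line. A default, `case _ => Console.RESET`, keeps the formatter total when the next level arrives and mirrors the `case _` the Sarif formatter already has. `High` and `Err` both render as `Console.RED`; a short comment on the added line saying that is intentional would save the next reader from checking whether a distinct colour was forgotten. The enclosing method starts before the hunk and closes on its last context line.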
@@ -11,7 +11,7 @@ addSbtPlugin("ch.epfl.scala" % "sbt-scalafix" % "0.9.34")
 addSbtPlugin("com.eed3si9n" % "sbt-assembly" % "2.1.5")
 // Swagger code generation
-addSbtPlugin("com.twilio" % "sbt-guardrail" % "0.59.0")
+addSbtPlugin("dev.guardrail" % "sbt-guardrail" % "0.75.2")
 ThisBuild / libraryDependencySchemes += "org.scala-lang.modules" %% "scala-xml" % VersionScheme.Always
diff --git a/toolRepository-remote/src/test/scala/com/codacy/toolRespository/remote/ToolRepositoryRemoteSpec.scala b/toolRepository-remote/src/test/scala/com/codacy/toolRespository/remote/ToolRepositoryRemoteSpec.scala
index 462f7661..375ed85f 100644
--- a/toolRepository-remote/src/test/scala/com/codacy/toolRespository/remote/ToolRepositoryRemoteSpec.scala
+++ b/toolRepository-remote/src/test/scala/com/codacy/toolRespository/remote/ToolRepositoryRemoteSpec.scala
@@ -319,6 +319,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]])).thenReturn(
 eitherListToolPatternsResponse(ListPatternsResponse.OK(PatternListResponse(Vector(patternA), None))),
 eitherListToolPatternsResponse(ListPatternsResponse.OK(PatternListResponse(Vector(patternB), None))))
@@ -347,6 +348,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]])).thenReturn(
 eitherListToolPatternsResponse(
 ListPatternsResponse.OK(PatternListResponse(Vector(patternA), Some(paginationInfo)))),
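Review bot: Each stub in the spec hunks on this line, and the five more at L4 and L5, matches the new parameter with `enabled = ArgumentMatchers.any[Option[Boolean]]`, so none of the tests pins what the client actually sends for it; if the repository is expected to request only enabled patterns, or to leave the filter unset, at least one success case should use `enabled = ArgumentMatchers.eq(Some(true))` or `enabled = ArgumentMatchers.eq(None)` so a regression in that argument is caught rather than absorbed by the wildcard. The same matcher list is now copied seven times across the spec; a small private helper that takes the responses to return would leave one place to update when the API gains its next parameter. Each stubbed call opens before its hunk.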
@@ -375,6 +377,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]]))
 .thenReturn(eitherListToolPatternsResponse(ListPatternsResponse.BadRequest(BadRequest("error"))))
@@ -399,6 +402,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]]))
 .thenReturn(eitherListToolPatternsResponse(ListPatternsResponse.BadRequest(BadRequest("error"))))
@@ -423,6 +427,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]]))
 .thenReturn(eitherListToolPatternsResponse(ListPatternsResponse.BadRequest(BadRequest("error"))))
@@ -443,6 +448,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]]))
 .thenReturn(eitherListToolPatternsResponse(ListPatternsResponse.NotFound(NotFound("error"))))
@@ -464,6 +470,7 @@ class ToolRepositoryRemoteSpec extends Specification with Mockito with EitherMat
 toolUuid = ArgumentMatchers.any[String],
 cursor = ArgumentMatchers.any[Option[String]],
 limit = ArgumentMatchers.any[Option[Int]],
+ enabled = ArgumentMatchers.any[Option[Boolean]],
 headers = ArgumentMatchers.any[List[HttpHeader]])).thenReturn(
 eitherListToolPatternsResponse(ListPatternsResponse.InternalServerError(InternalServerError("error"))))
From 501c3c78a69e3f3f190bfe1847cb8daa166288eb Mon Sep 17 00:00:00 2001
From: manufacturist <15235526+manufacturist@users.noreply.github.com>
Date: Tue, 15 Jul 2025 15:15:23 +0300
Subject: [PATCH 2/3] fix: use high severities in brakeman test
---
 .../com/codacy/analysis/cli/cli-output-brakeman-rails4.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
index e2a6ac66..02af8a05 100644
--- a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
+++ b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
@@ -1 +1 @@ -[{"Issue":{"patternId":{"value":"Redirect"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible unprotected redirect"},"level":"Warning","category":null,"location":{"LineLocation":{"line":74}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"Detailed exceptions may be enabled in 'show_detailed_exceptions?'"},"level":"Warning","category":null,"location":{"LineLocation":{"line":7}}}},{"Issue":{"patternId":{"value":"SessionSettings"},"filename":"src/main/resources/docs/directory-tests/rails4/config/initializers/secret_token.rb","message":{"text":"Session secret should not be included in version control"},"level":"Warning","category":null,"location":{"LineLocation":{"line":14}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"SQLCVEs"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"DefaultRoutes"},"filename":"src/main/resources/docs/directory-tests/rails4/config/routes.rb","message":{"text":"Rails 4.0.0 with globbing routes is vulnerable to directory traversal and remote code execution. 
Patch or upgrade to 4.0.5"},"level":"Warning","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":5}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":99}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":94}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/user.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"HeaderDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":41}}}},{"Issue":{"patternId":{"value":"MimeTypeDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via mime type caching (CVE-2016-0751). 
Upgrade to Rails version 4.1.14.1"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":35}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2013-6417). 
Upgrade to 4.0.2"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":90}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"Warning","category":null,"location":{"LineLocation":{"line":16}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":50}}}},{"Issue":{"patternId":{"value":"Send"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"User controlled method 
execution"},"level":"Warning","category":null,"location":{"LineLocation":{"line":85}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"RegexDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Parameter value used in regex"},"level":"Warning","category":null,"location":{"LineLocation":{"line":46}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":28}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in 
open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":55}}}},{"Issue":{"patternId":{"value":"SkipBeforeFilter"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Use whitelist (:only => [..]) when skipping CSRF check"},"level":"Warning","category":null,"location":{"LineLocation":{"line":13}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":62}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":60}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":68}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":48}}}},{"Issue":{"patternId":{"value":"ContentTag"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":27}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"Warning","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"FileDisclosure"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a file existence disclosure. 
Upgrade to 4.0.12 or disable serving static assets"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ModelAttrAccessible"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Potentially dangerous attribute available for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":42}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ValidationRegex"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/email.rb","message":{"text":"Insufficient validation for 'email' using /^[a-z0-9]+@[a-z0-9]+\\.[a-z]+$/. Use \\A and \\z as anchors"},"level":"Warning","category":null,"location":{"LineLocation":{"line":10}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":34}}}},{"Issue":{"patternId":{"value":"SimpleFormat"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a vulnerability in simple_format (CVE-2013-6416). 
Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":59}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":32}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/config/environments/production.rb","message":{"text":"Detailed exceptions are enabled in production"},"level":"Warning","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":30}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL 
injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":64}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":49}}}},{"Issue":{"patternId":{"value":"XMLDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.2.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":66}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":80}}}}] +[{"Issue":{"patternId":{"value":"Redirect"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible unprotected redirect"},"level":"High","category":null,"location":{"LineLocation":{"line":74}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"Detailed exceptions may be enabled in 'show_detailed_exceptions?'"},"level":"High","category":null,"location":{"LineLocation":{"line":7}}}},{"Issue":{"patternId":{"value":"SessionSettings"},"filename":"src/main/resources/docs/directory-tests/rails4/config/initializers/secret_token.rb","message":{"text":"Session secret should not be included in version control"},"level":"High","category":null,"location":{"LineLocation":{"line":14}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"SQLCVEs"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. 
Upgrade to 4.0.3"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"DefaultRoutes"},"filename":"src/main/resources/docs/directory-tests/rails4/config/routes.rb","message":{"text":"Rails 4.0.0 with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to 4.0.5"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":5}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":99}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":94}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/user.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"HeaderDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a denial of service vulnerability (CVE-2013-6414). 
Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":41}}}},{"Issue":{"patternId":{"value":"MimeTypeDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":35}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2013-6417). 
Upgrade to 4.0.2"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":90}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"High","category":null,"location":{"LineLocation":{"line":16}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":50}}}},{"Issue":{"patternId":{"value":"Send"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"User controlled method 
execution"},"level":"Warning","category":null,"location":{"LineLocation":{"line":85}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"RegexDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Parameter value used in regex"},"level":"High","category":null,"location":{"LineLocation":{"line":46}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":28}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in 
open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":55}}}},{"Issue":{"patternId":{"value":"SkipBeforeFilter"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Use whitelist (:only => [..]) when skipping CSRF check"},"level":"Warning","category":null,"location":{"LineLocation":{"line":13}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":62}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":60}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":68}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":48}}}},{"Issue":{"patternId":{"value":"ContentTag"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1"},"level":"High","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":27}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"High","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"FileDisclosure"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a file existence disclosure. 
Upgrade to 4.0.12 or disable serving static assets"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ModelAttrAccessible"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Potentially dangerous attribute available for mass assignment"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":42}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ValidationRegex"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/email.rb","message":{"text":"Insufficient validation for 'email' using /^[a-z0-9]+@[a-z0-9]+\\.[a-z]+$/. Use \\A and \\z as anchors"},"level":"High","category":null,"location":{"LineLocation":{"line":10}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":34}}}},{"Issue":{"patternId":{"value":"SimpleFormat"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a vulnerability in simple_format (CVE-2013-6416). 
Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":59}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":32}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/config/environments/production.rb","message":{"text":"Detailed exceptions are enabled in production"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":30}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL 
injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":64}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":49}}}},{"Issue":{"patternId":{"value":"XMLDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.2.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":66}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":80}}}}]
From f6a095d57aa70ae8498ae84baefbb97b69b3a08a Mon Sep 17 00:00:00 2001
From: manufacturist <15235526+manufacturist@users.noreply.github.com>
Date: Tue, 15 Jul 2025 16:56:42 +0300
Subject: [PATCH 3/3] fix: result uploader & failing specs
---
 .../analysis/cli/cli-output-brakeman-1.json | 120 +-
 .../cli/cli-output-brakeman-rails4.json | 1137 ++++++++++++++++-
 .../core/upload/ResultsUploader.scala | 3 +-
 3 files changed, 1198 insertions(+), 62 deletions(-)
diff --git a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-1.json b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-1.json
index 5f7e4168..d766a085 100644
--- a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-1.json
+++ b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-1.json
@@ -8,7 +8,7 @@
 "message": {
 "text": "Unescaped model attribute rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -26,7 +26,7 @@
 "message": {
 "text": "User input in eval"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -44,7 +44,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -62,7 +62,7 @@
 "message": {
 "text": "Possible command injection in open()"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
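Review bot: Starting at `@@ -8,7 +8,7 @@`, the fixture changes the JSON `level` field from `"Warning"` to `"Error"`, and from `@@ -98,7 +98,7 @@` on (also `@@ -116`, `@@ -152`, `@@ -188` and the later `"High"` hunks) it introduces `"High"`, a value the previous output never emitted; that is a change to the CLI's JSON output contract for downstream consumers, which the commit title ("result uploader & failing specs") does not mention. Nothing in the fixture tells a consumer whether `High` ranks above or below `Error`, so a CI gate that keys on `"Error"` may silently skip `High` findings such as the remote-code-execution and session-secret ones. I would document the new value and its ordering in the CLI's output documentation or changelog, and add a spec that asserts the full set of values `level` may take, so the next severity-metadata update is reviewed rather than absorbed into a fixture rewrite. Each issue object in this fixture begins and ends outside its hunk, so the surrounding `patternId`/`filename` fields are not visible here.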
@@ -80,7 +80,7 @@
 "message": {
 "text": "Parameter value used in file name"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -98,7 +98,7 @@
 "message": {
 "text": "Rails 4.0.0 with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to 4.0.5"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -116,7 +116,7 @@
 "message": {
 "text": "Detailed exceptions may be enabled in 'show_detailed_exceptions?'"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -134,7 +134,7 @@
 "message": {
 "text": "Possible command injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -152,7 +152,7 @@
 "message": {
 "text": "Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -170,7 +170,7 @@
 "message": {
 "text": "Unescaped parameter value rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -188,7 +188,7 @@
 "message": {
 "text": "Parameter value used in regex"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -206,7 +206,7 @@
 "message": {
 "text": "Use whitelist (:only => [..]) when skipping CSRF check"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -224,7 +224,7 @@
 "message": {
 "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -242,7 +242,7 @@
 "message": {
 "text": "SSL certificate verification was bypassed"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -260,7 +260,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -278,7 +278,7 @@
 "message": {
 "text": "Potentially dangerous attribute available for mass assignment"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -296,7 +296,7 @@
 "message": {
 "text": "User controlled method execution"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -314,7 +314,7 @@
 "message": {
 "text": "Unescaped parameter value rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -332,7 +332,7 @@
 "message": {
 "text": "User input in eval"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -350,7 +350,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -368,7 +368,7 @@
 "message": {
 "text": "Parameters should be whitelisted for mass assignment"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -386,7 +386,7 @@
 "message": {
 "text": "Insufficient validation for 'email' using /^[a-z0-9]+@[a-z0-9]+\\.[a-z]+$/. Use \\A and \\z as anchors"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -404,7 +404,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -422,7 +422,7 @@
 "message": {
 "text": "Unescaped model attribute rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -440,7 +440,7 @@
 "message": {
 "text": "Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -458,7 +458,7 @@
 "message": {
 "text": "SSL certificate verification was bypassed"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -476,7 +476,7 @@
 "message": {
 "text": "Possible command injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -494,7 +494,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -512,7 +512,7 @@
 "message": {
 "text": "Parameter value used in file name"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -530,7 +530,7 @@
 "message": {
 "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -548,7 +548,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -566,7 +566,7 @@
 "message": {
 "text": "Possible command injection in open()"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -584,7 +584,7 @@
 "message": {
 "text": "Parameters should be whitelisted for mass assignment"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -602,7 +602,7 @@
 "message": {
 "text": "Unescaped model attribute rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -620,7 +620,7 @@
 "message": {
 "text": "Session secret should not be included in version control"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -638,7 +638,7 @@
 "message": {
 "text": "Detailed exceptions are enabled in production"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -656,7 +656,7 @@
 "message": {
 "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -674,7 +674,7 @@
 "message": {
 "text": "Parameters should be whitelisted for mass assignment"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -692,7 +692,7 @@
 "message": {
 "text": "Possible unprotected redirect"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -710,7 +710,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -728,7 +728,7 @@
 "message": {
 "text": "Parameters should be whitelisted for mass assignment"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -746,7 +746,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -764,7 +764,7 @@
 "message": {
 "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -782,7 +782,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -800,7 +800,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -818,7 +818,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -836,7 +836,7 @@
 "message": {
 "text": "Unescaped parameter value rendered inline"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -854,7 +854,7 @@
 "message": {
 "text": "Parameter value used in file name"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -872,7 +872,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -890,7 +890,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -908,7 +908,7 @@
 "message": {
 "text": "Parameter value used in file name"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -926,7 +926,7 @@
 "message": {
 "text": "Possible command injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -944,7 +944,7 @@
 "message": {
 "text": "Possible SQL injection"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -962,7 +962,7 @@
 "message": {
 "text": "Rails 4.0.0 has a file existence disclosure. Upgrade to 4.0.12 or disable serving static assets"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -980,7 +980,7 @@
 "message": {
 "text": "Rails 4.0.0 has a vulnerability in simple_format (CVE-2013-6416). Upgrade to Rails version 4.0.2"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -998,7 +998,7 @@
 "message": {
 "text": "Rails 4.0.0 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.2.2"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -1034,7 +1034,7 @@
 "message": {
 "text": "Rails 4.0.0 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1"
 },
- "level": "Warning",
+ "level": "High",
 "category": null,
 "location": {
 "LineLocation": {
@@ -1070,7 +1070,7 @@
 "message": {
 "text": "Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -1106,7 +1106,7 @@
 "message": {
 "text": "Rails 4.0.0 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 4.0.2"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
@@ -1124,7 +1124,7 @@
 "message": {
 "text": "Rails 4.0.0 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1"
 },
- "level": "Warning",
+ "level": "Error",
 "category": null,
 "location": {
 "LineLocation": {
diff --git a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
index 02af8a05..469d2f91 100644
--- a/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
+++ b/cli/src/test/resources/com/codacy/analysis/cli/cli-output-brakeman-rails4.json
@@ -1 +1,1136 @@
-[{"Issue":{"patternId":{"value":"Redirect"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible unprotected redirect"},"level":"High","category":null,"location":{"LineLocation":{"line":74}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"Detailed exceptions may be enabled in 'show_detailed_exceptions?'"},"level":"High","category":null,"location":{"LineLocation":{"line":7}}}},{"Issue":{"patternId":{"value":"SessionSettings"},"filename":"src/main/resources/docs/directory-tests/rails4/config/initializers/secret_token.rb","message":{"text":"Session secret should not be included in version control"},"level":"High","category":null,"location":{"LineLocation":{"line":14}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"SQLCVEs"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-0080) with PostgreSQL. Upgrade to 4.0.3"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"DefaultRoutes"},"filename":"src/main/resources/docs/directory-tests/rails4/config/routes.rb","message":{"text":"Rails 4.0.0 with globbing routes is vulnerable to directory traversal and remote code execution. 
Patch or upgrade to 4.0.5"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":5}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":99}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":94}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/user.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":6}}}},{"Issue":{"patternId":{"value":"HeaderDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":41}}}},{"Issue":{"patternId":{"value":"MimeTypeDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via mime type caching (CVE-2016-0751). 
Upgrade to Rails version 4.1.14.1"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":35}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2013-6417). 
Upgrade to 4.0.2"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":90}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"High","category":null,"location":{"LineLocation":{"line":16}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":37}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":11}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":50}}}},{"Issue":{"patternId":{"value":"Send"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"User controlled method 
execution"},"level":"Warning","category":null,"location":{"LineLocation":{"line":85}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"Evaluation"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"User input in eval"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"RegexDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Parameter value used in regex"},"level":"High","category":null,"location":{"LineLocation":{"line":46}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":26}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":28}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible command injection in 
open()"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":55}}}},{"Issue":{"patternId":{"value":"SkipBeforeFilter"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Use whitelist (:only => [..]) when skipping CSRF check"},"level":"Warning","category":null,"location":{"LineLocation":{"line":13}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":62}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":60}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":68}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":8}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":48}}}},{"Issue":{"patternId":{"value":"ContentTag"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1"},"level":"High","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":27}}}},{"Issue":{"patternId":{"value":"Render"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)"},"level":"High","category":null,"location":{"LineLocation":{"line":21}}}},{"Issue":{"patternId":{"value":"FileDisclosure"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a file existence disclosure. 
Upgrade to 4.0.12 or disable serving static assets"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ModelAttrAccessible"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Potentially dangerous attribute available for mass assignment"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/account.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":42}}}},{"Issue":{"patternId":{"value":"UnknowError"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 4.0.7"},"level":"Info","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"ValidationRegex"},"filename":"src/main/resources/docs/directory-tests/rails4/app/models/email.rb","message":{"text":"Insufficient validation for 'email' using /^[a-z0-9]+@[a-z0-9]+\\.[a-z]+$/. Use \\A and \\z as anchors"},"level":"High","category":null,"location":{"LineLocation":{"line":10}}}},{"Issue":{"patternId":{"value":"MassAssignment"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Parameters should be whitelisted for mass assignment"},"level":"Warning","category":null,"location":{"LineLocation":{"line":34}}}},{"Issue":{"patternId":{"value":"SimpleFormat"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 has a vulnerability in simple_format (CVE-2013-6416). 
Upgrade to Rails version 4.0.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":59}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":88}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped model attribute rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":32}}}},{"Issue":{"patternId":{"value":"DetailedExceptions"},"filename":"src/main/resources/docs/directory-tests/rails4/config/environments/production.rb","message":{"text":"Detailed exceptions are enabled in production"},"level":"High","category":null,"location":{"LineLocation":{"line":1}}}},{"Issue":{"patternId":{"value":"RenderInline"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Unescaped parameter value rendered inline"},"level":"Warning","category":null,"location":{"LineLocation":{"line":30}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL 
injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":64}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":49}}}},{"Issue":{"patternId":{"value":"XMLDoS"},"filename":"src/main/resources/docs/directory-tests/rails4/Gemfile","message":{"text":"Rails 4.0.0 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.2.2"},"level":"Warning","category":null,"location":{"LineLocation":{"line":4}}}},{"Issue":{"patternId":{"value":"SSLVerify"},"filename":"src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb","message":{"text":"SSL certificate verification was bypassed"},"level":"Warning","category":null,"location":{"LineLocation":{"line":15}}}},{"Issue":{"patternId":{"value":"Execute"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb","message":{"text":"Possible command injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":19}}}},{"Issue":{"patternId":{"value":"FileAccess"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"Parameter value used in file name"},"level":"Warning","category":null,"location":{"LineLocation":{"line":92}}}},{"Issue":{"patternId":{"value":"CreateWith"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb","message":{"text":"create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"},"level":"Warning","category":null,"location":{"LineLocation":{"line":66}}}},{"Issue":{"patternId":{"value":"SQL"},"filename":"src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb","message":{"text":"Possible SQL injection"},"level":"Warning","category":null,"location":{"LineLocation":{"line":80}}}}] +[ + { + "Issue": { + "patternId": { + "value": "Redirect" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Possible unprotected redirect" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 74 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "DetailedExceptions" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb", + "message": { + "text": "Detailed exceptions may be enabled in 'show_detailed_exceptions?'" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 7 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SessionSettings" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/config/initializers/secret_token.rb", + "message": { + "text": "Session secret should not be included in version control" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 14 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 21 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQLCVEs" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-0080) with 
PostgreSQL. Upgrade to 4.0.3" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 6 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "DefaultRoutes" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/config/routes.rb", + "message": { + "text": "Rails 4.0.0 with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to 4.0.5" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 1 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Execute" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb", + "message": { + "text": "Possible command injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 5 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Evaluation" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "User input in eval" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 99 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "FileAccess" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Parameter value used in file name" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 94 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/user.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 6 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "HeaderDoS" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 has a denial of 
service vulnerability (CVE-2013-6414). Upgrade to Rails version 4.0.2" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "MassAssignment" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Parameters should be whitelisted for mass assignment" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 41 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "MimeTypeDoS" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 37 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped parameter value rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 35 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped parameter value rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 26 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "UnknowError" + }, + 
"filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 contains a SQL injection vulnerability (CVE-2013-6417). Upgrade to 4.0.2" + }, + "level": "Info", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "FileAccess" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Parameter value used in file name" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 90 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 11 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Render" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 16 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped model attribute rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 37 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Execute" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb", + "message": { + "text": "Possible command injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 11 + } + } + } + }, + { + "Issue": { + "patternId": { + 
"value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 50 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Send" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "User controlled method execution" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 85 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Execute" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Possible command injection in open()" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 92 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "UnknowError" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3483). 
Upgrade to 4.0.7" + }, + "level": "Info", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Evaluation" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "User input in eval" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 8 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RegexDoS" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Parameter value used in regex" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 46 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SSLVerify" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/application_controller.rb", + "message": { + "text": "SSL certificate verification was bypassed" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 26 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped model attribute rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 28 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Execute" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Possible command injection in open()" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 88 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": 
"Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 55 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SkipBeforeFilter" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Use whitelist (:only => [..]) when skipping CSRF check" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 13 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 15 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "CreateWith" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 62 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "CreateWith" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "create_with is vulnerable to strong params bypass. Upgrade to Rails 4.0.9 or patch" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 60 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "CreateWith" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 68 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 8 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "MassAssignment" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Parameters should be whitelisted for mass assignment" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 48 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "ContentTag" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 content_tag does not escape double quotes in attribute values (CVE-2016-6316). 
Upgrade to 4.2.7.1" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "MassAssignment" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Parameters should be whitelisted for mass assignment" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 27 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Render" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Passing query parameters to render() is vulnerable in Rails 4.0.0 (CVE-2016-0752)" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 21 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "FileDisclosure" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 has a file existence disclosure. 
Upgrade to 4.0.12 or disable serving static assets" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "ModelAttrAccessible" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Potentially dangerous attribute available for mass assignment" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 1 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/models/account.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 42 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "UnknowError" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 4.0.7" + }, + "level": "Info", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "MassAssignment" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Parameters should be whitelisted for mass assignment" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 34 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SimpleFormat" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 has a vulnerability in simple_format (CVE-2013-6416). 
Upgrade to Rails version 4.0.2" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 59 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "FileAccess" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Parameter value used in file name" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 88 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped model attribute rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 32 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "DetailedExceptions" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/config/environments/production.rb", + "message": { + "text": "Detailed exceptions are enabled in production" + }, + "level": "High", + "category": null, + "location": { + "LineLocation": { + "line": 1 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "RenderInline" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Unescaped parameter value rendered inline" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 30 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", 
+ "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 19 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 64 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SQL" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Possible SQL injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 49 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "XMLDoS" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/Gemfile", + "message": { + "text": "Rails 4.0.0 is vulnerable to denial of service via XML parsing (CVE-2015-3227). 
Upgrade to Rails version 4.2.2" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 4 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "SSLVerify" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/lib/sweet_lib.rb", + "message": { + "text": "SSL certificate verification was bypassed" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 15 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "Execute" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/another_controller.rb", + "message": { + "text": "Possible command injection" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 19 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "FileAccess" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "Parameter value used in file name" + }, + "level": "Error", + "category": null, + "location": { + "LineLocation": { + "line": 92 + } + } + } + }, + { + "Issue": { + "patternId": { + "value": "CreateWith" + }, + "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/users_controller.rb", + "message": { + "text": "create_with is vulnerable to strong params bypass. 
Upgrade to Rails 4.0.9 or patch"
+ },
+ "level": "Error",
+ "category": null,
+ "location": {
+ "LineLocation": {
+ "line": 66
+ }
+ }
+ }
+ },
+ {
+ "Issue": {
+ "patternId": {
+ "value": "SQL"
+ },
+ "filename": "src/main/resources/docs/directory-tests/rails4/app/controllers/friendly_controller.rb",
+ "message": {
+ "text": "Possible SQL injection"
+ },
+ "level": "Error",
+ "category": null,
+ "location": {
+ "LineLocation": {
+ "line": 80
+ }
+ }
+ }
+ },
+ {
+ "Issue": {
+ "patternId": {
+ "value": "ValidationRegex"
+ },
+ "filename": "src/main/resources/docs/directory-tests/rails4/app/models/email.rb",
+ "message": {
+ "text": "Insufficient validation for 'email' using /^[a-z0-9]+@[a-z0-9]+\\.[a-z]+$/. Use \\A and \\z as anchors"
+ },
+ "level": "High",
+ "category": null,
+ "location": {
+ "LineLocation": {
+ "line": 10
+ }
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/core/src/main/scala/com/codacy/analysis/core/upload/ResultsUploader.scala b/core/src/main/scala/com/codacy/analysis/core/upload/ResultsUploader.scala
index f1d8b43b..f0b0d2d3 100644
--- a/core/src/main/scala/com/codacy/analysis/core/upload/ResultsUploader.scala
+++ b/core/src/main/scala/com/codacy/analysis/core/upload/ResultsUploader.scala
@@ -137,7 +137,8 @@ class ResultsUploader private (commitUuid: Commit.Uuid, codacyClient: CodacyClie
 case ((accumulatedFileResults, resultBatches), fileResults) =>
 (accumulatedFileResults + fileResults, resultBatches)
 }
- fileResultBatches :+ remainingFileResults
+
+ (fileResultBatches :+ remainingFileResults).filter(_.nonEmpty)
 }
 private def groupResultsByFile(files: Set[Path], results: Set[ToolResult]): Set[FileResults] = {
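Review bot: The added `.filter(_.nonEmpty)` rescans every batch, although only the trailing `remainingFileResults` can be empty here: the earlier batches come out of the fold above, which appears to close a batch only once results have accumulated (the fold and the enclosing method start outside this hunk, so that part is inferred). Stating the intent directly reads better and avoids the extra pass: `if (remainingFileResults.isEmpty) fileResultBatches else fileResultBatches :+ remainingFileResults`. Either way the new line deserves a why-comment, e.g. `// Drop an empty trailing batch so no empty upload request is sent`, since presumably each batch becomes one request to the results API. This behavioural change is also unrelated to the commit's stated subject (high severity support) and is not covered by a test; a case where the results divide evenly into batches would pin it down.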