0.1.1-beta

Vulnerability Report

delvelin-plugin

Path: /Volumes/DATA/Projects/Kotlin/delvelin-plugin


CWE-400 - Apache Log4j 1.x (EOL) allows Denial of Service (DoS) 1 issues
org.apache.logging.log4j:log4j-core:2.0-beta9
** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (i.e. deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. https://nvd.nist.gov/vuln/detail/CVE-2023-26464
Note that the component listed above, log4j-core 2.0-beta9, is a 2.x pre-release while this advisory covers Log4j 1.x; confirm that the mapping applies before treating it as a separate finding. Upgrading log4j-core is warranted regardless because of the 2.x advisories listed further down.
CWE-379 - Guava vulnerable to insecure use of temporary directory 1 issues
com.google.guava:guava:31.1-jre
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. https://nvd.nist.gov/vuln/detail/CVE-2023-2976
CWE-798 - Hardcoded Secrets and Credentials 62 issues
username = project.findProperty("repoUsername") as
Warning: Hardcoded secrets or credentials found in the source code. Hardcoding sensitive information such as passwords, tokens, and API keys can expose secrets and increase the risk of data leaks.
password = project.findProperty("repoPassword") as
val keyStore = KeyStore.getInstance(KeyStore.getDe
keyStore.load(null, null)
trustManagerFactory.init(keyStore)
private static final Path basePath = Paths.get(Sys
// Show save dialog and get the user's choice
int userSelection = fileChooser.showSaveDialog(nul
this.className = className;
String className;
return className;
itemFiles.add(new ItemFile(specificLocation, ext, 
String className;
this.className = className;
return className;
public static void addToReport(String cweCode, Str
newItem.setClassName(className);
.collect(Collectors.groupingBy(ItemReport::getCweC
String cweCode = entry.getKey();
// Grouping reports by CWE Code
.collect(Collectors.groupingBy(ItemReport::getCweC
String cweCode = entry.getKey();
String ext = entry.getKey();
String cweLabels = cweCounts.keySet()
String cweLabels = cweCounts.keySet()
// Grouping reports by CWE Code
.collect(Collectors.groupingBy(ItemReport::getCweC
.append(entry.getKey())
String cweCode = entry.getKey();
//            .collect(Collectors.groupingBy(ext -
.collect(Collectors.groupingBy(ext -> ext, Collect
String msg = "Warning: Hardcoded secrets or creden
"and API keys can expose secrets and increase the 
private static final Pattern KEYWORD_PATTERN = Pat
"(password|pwd|passwd|pass|user_password|user_pwd|
List sensitiveKeys = Arrays.asList("passwo
"auth_token", "token", "session_token", "oauth_tok
"secret_key", "api_token", "jwt_token", "jwt_secre
"ssh_key", "rsa_key", "dsa_key", "ecdsa_key", "x50
"secret_access_key", "security_key", "symmetric_ke
"authentication", "login", "userid", "user_id", "u
"license_key", "account_number", "bank_account", "
this.vulnerabilities = Vulnerabilities.HARDCODED_S
private final List ignoredKeys = Arrays.as
if (ignoredKeys.stream().noneMatch(line::contains)
Matcher matcher = KEYWORD_PATTERN.matcher(line);
new HardCodedSecretDetector(),
new WeakAlgorithm("(?i)Cipher\\s*\\.\\s*getInstanc
new WeakAlgorithm("(?i)Cipher\\s*\\.\\s*getInstanc
new WeakAlgorithm("(?i)KeyPairGenerator\\s*\\.\\s*
new WeakAlgorithm("(?i)KeyPairGenerator\\s*\\.\\s*
public String className;
className = pathStr;
className = pathStr.replace(SourceSet.SEP, ".")
Reports.detect("",extName, className);
return (Config.outputFileFormat == OutputFileForma
message, priority, className, extName);
message, vulnerabilities.getPriority(), className,
HARDCODED_SECRETS("Hardcoded Secrets and Credentia
INADEQUATE_AUTHENTICATION("Inadequate Authenticati
public static final String PINK = Config.outputFil
public static final String BRIGHT_PINK = Config.ou
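Most of the 62 lines flagged above are either property lookups (`project.findProperty("repoPassword")`, whose value lives in gradle.properties or the environment, not in source) or the scanner's own keyword list and report plumbing, which merely mention words like "password" and "cweCode". A keyword-only match cannot tell these apart from a real credential. The detector below is an added example, not the plugin's own code: it only reports an identifier that is assigned a string literal, skips comment lines, and drops obvious placeholders. The identifier list, the `SecretFinding` type and the sample lines are constructed for this example.

```kotlin
// Identifier fragments that mark a value as sensitive (a subset of the report's keyword list).
private val SENSITIVE = listOf(
    "password", "passwd", "pwd", "secret", "api_?key", "token", "private_key", "ssh_key", "access_key",
)

// Only an identifier assigned a STRING LITERAL is a candidate: group 1 is the identifier,
// group 2 the literal. A property or environment lookup on the right-hand side never matches.
private val LITERAL_ASSIGNMENT = Regex(
    "(?i)([a-z_]*(?:" + SENSITIVE.joinToString("|") + ")[a-z_]*)\\s*[:=]\\s*\"([^\"]*)\""
)

// Values that are placeholders rather than credentials: empty, ${...} templates, <angle> markers, etc.
private val PLACEHOLDER = Regex("(?i)^(|\\$\\{.*}|<.*>|changeme|x+|your_.*|todo)$")

data class SecretFinding(val line: Int, val identifier: String, val value: String)

fun findHardcodedSecrets(lines: List<String>): List<SecretFinding> =
    lines.mapIndexedNotNull { index, line ->
        val trimmed = line.trimStart()
        // Comment lines are not executable code; a naive grep still flags them.
        if (trimmed.startsWith("//") || trimmed.startsWith("*")) return@mapIndexedNotNull null
        val match = LITERAL_ASSIGNMENT.find(line) ?: return@mapIndexedNotNull null
        val (identifier, value) = match.destructured
        if (PLACEHOLDER.matches(value)) null else SecretFinding(index + 1, identifier, value)
    }

fun main() {
    // Constructed sample input mixing property lookups, env lookups, literals and placeholders.
    val sample = listOf(
        "val username = project.findProperty(\"repoUsername\") as String?",
        "val password = project.findProperty(\"repoPassword\") as String?",
        "val apiKey = System.getenv(\"API_KEY\")",
        "val dbPassword = \"s3cr3t-Pa55\"",
        "api_key: \"AKIA0000000000EXAMPLE\"",
        "// password = \"a comment, not code\"",
        "token = \"\${VAULT_TOKEN}\"",
    )
    // Only lines 4 and 5 are reported; the lookups, the comment and the template are not.
    findHardcodedSecrets(sample).forEach { println("line ${it.line}: ${it.identifier} = \"${it.value}\"") }
}
```

Usernames are deliberately absent from the identifier list: a repository user name is not a secret, and reporting it alongside real credentials dilutes the finding. Treating the two Gradle property lookups as clean still leaves the real question for the build, namely whether gradle.properties itself is kept out of version control.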
CWE-502 - Incomplete fix for Apache Log4j vulnerability 1 issues
org.apache.logging.log4j:log4j-core:2.0-beta9
Impact: The fix to address CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a remote code execution (RCE) attack.
Affected packages: Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` package should be kept at the same version as `log4j-core` to ensure compatibility, if in use.
Mitigation: Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default. In prior releases (< 2.16.0) it can be mitigated by removing the JndiLookup class from the classpath (example: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class). Log4j 2.15.0 restricts JNDI LDAP lookups to localhost by default. Note that previous mitigations involving configuration, such as setting the system property `log4j2.formatMsgNoLookups` to `true`, do NOT mitigate this specific vulnerability. https://nvd.nist.gov/vuln/detail/CVE-2021-45046
CWE-20 - Improper Input Validation and Injection in Apache Log4j2 1 issues
org.apache.logging.log4j:log4j-core:2.0-beta9
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to an attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Affected packages: Only the `org.apache.logging.log4j:log4j-core` package is directly affected by this vulnerability. The `org.apache.logging.log4j:log4j-api` package should be kept at the same version as `log4j-core` to ensure compatibility, if in use. This issue does not impact default configurations of Log4j2 and requires an attacker to have control over the Log4j2 configuration, which reduces the likelihood of being exploited. https://nvd.nist.gov/vuln/detail/CVE-2021-44832
CWE-319 - HTTP Connection without SSL/TLS 5 issues
val urlString = "http://example.com" // Using
Insecure HTTP detected
val connection = url.openConnection() as HttpURLCo
if (line.contains("HttpURLConnection") ||
HttpURLConnection connection = (HttpURLConnection)
HttpURLConnection connection = null;
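Of the five lines above, only the `http://example.com` literal is a plaintext connection; the others declare an `HttpURLConnection` variable or are the scanner's own detection code, and `HttpURLConnection` is the supertype used for https connections as well. The point of the finding is that the scheme, not the class name, decides whether the connection is protected. The code below is an added example, not the plugin's own: it rejects any URL that is not https before a socket is opened and keeps the JDK's default certificate and hostname checks in place. `InsecureTransportException` and the sample URLs are constructed for this example; nothing is sent on the network.

```kotlin
import java.net.URI
import javax.net.ssl.HttpsURLConnection

class InsecureTransportException(message: String) : IllegalArgumentException(message)

/** Parse the URL and reject anything that is not https before any socket is opened. */
fun requireHttps(url: String): URI {
    val uri = URI(url)
    if (!"https".equals(uri.scheme, ignoreCase = true)) {
        throw InsecureTransportException("refusing plaintext transport for $url")
    }
    return uri
}

/**
 * Open a TLS connection. Casting to HttpsURLConnection (not HttpURLConnection) makes the
 * transport requirement explicit; the JDK's default trust manager and hostname verifier
 * stay in place, which is what actually defends against interception.
 */
fun openSecureConnection(url: String): HttpsURLConnection {
    val conn = requireHttps(url).toURL().openConnection() as HttpsURLConnection
    conn.connectTimeout = 5_000
    conn.readTimeout = 5_000
    // Handle redirects in code instead of following them blindly, so a 3xx cannot steer
    // the client to a location that was never validated by requireHttps.
    conn.instanceFollowRedirects = false
    return conn
}

fun main() {
    // Constructed inputs: only the scheme check runs, no connection is made.
    val candidates = listOf("http://example.com", "https://example.com", "ftp://example.com")
    for (url in candidates) {
        val verdict = runCatching { requireHttps(url) }
            .map { "accepted" }
            .getOrElse { "rejected (${it.message})" }
        println("$url -> $verdict")
    }
}
```

A detector that matches on `HttpURLConnection` will keep flagging its own source and every https client in the code base; matching the `http://` scheme in string literals and in configuration values is what isolates the actual CWE-319 cases.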
CWE-173 - Information Disclosure in Guava 1 issues
com.google.guava:guava:31.1-jre
A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method. https://nvd.nist.gov/vuln/detail/CVE-2020-8908
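Both Guava findings on this page (CVE-2023-2976 in `FileBackedOutputStream` and CVE-2020-8908 in `Files.createTempDir()`) come down to the same defect: a temporary file or directory created under `java.io.tmpdir` with default permissions, readable by other local users. Upgrading to Guava 32.0.1 fixes `FileBackedOutputStream`; `createTempDir()` stays deprecated and should be replaced. The code below is an added example, not Guava's or the plugin's, showing the `java.nio.file` replacement with owner-only permissions and a check that verifies them. It assumes a POSIX file system (Linux or macOS); the permission attribute is not supported on Windows. The `delvelin-` prefix and the helper names are constructed for this example.

```kotlin
import java.nio.file.Files
import java.nio.file.Path
import java.nio.file.attribute.PosixFilePermission
import java.nio.file.attribute.PosixFilePermissions

// The pattern both advisories describe, shown as comments only (this is what a scanner should flag):
//   val dir = com.google.common.io.Files.createTempDir()          // CVE-2020-8908
//   val out = com.google.common.io.FileBackedOutputStream(1024)   // CVE-2023-2976 (Guava < 32.0.0)
// Both create under java.io.tmpdir with default permissions, so other local users can usually read them.

/** Owner-only ("rwx------") temp directory, created atomically with java.nio. */
fun createPrivateTempDir(prefix: String = "delvelin-"): Path {
    val ownerOnly = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"))
    return Files.createTempDirectory(prefix, ownerOnly)
}

/** Owner-only ("rw-------") temp file inside [dir], for data that would otherwise be buffered to disk. */
fun createPrivateTempFile(dir: Path, prefix: String = "buffer-"): Path {
    val ownerOnly = PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"))
    return Files.createTempFile(dir, prefix, ".tmp", ownerOnly)
}

/** True when no group or other permission bit is set on [path]. */
fun isOwnerOnly(path: Path): Boolean {
    val groupOrOther = setOf(
        PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
        PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE,
    )
    return Files.getPosixFilePermissions(path).none { it in groupOrOther }
}

fun main() {
    val dir = createPrivateTempDir()
    val file = createPrivateTempFile(dir)
    Files.write(file, "buffered report data".toByteArray())
    check(isOwnerOnly(dir)) { "$dir is accessible to other users" }
    check(isOwnerOnly(file)) { "$file is accessible to other users" }
    println("created $file with owner-only permissions")
    Files.delete(file)
    Files.delete(dir)
}
```

Setting the permissions in the create call matters: creating first and calling `setPosixFilePermissions` afterwards leaves a window in which another user can open the file, which is the race the Guava maintainers' "change the permissions after creation" advice does not close.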
CWE-295 - Improper validation of certificate with host mismatch in Apache Log4j SMTP appender 1 issues
org.apache.logging.log4j:log4j-core:2.0-beta9
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender prior to version 2.13.2. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. https://nvd.nist.gov/vuln/detail/CVE-2020-9488
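Every Log4j finding on this page is against the same coordinate, `org.apache.logging.log4j:log4j-core:2.0-beta9`, and all of them (CVE-2021-45046, CVE-2021-44832 and CVE-2020-9488) are fixed by 2.17.1 or earlier. The fragment below is an added example for a `build.gradle.kts`, not the plugin's own build script: a dependency constraint that forces `log4j-core` and `log4j-api` to the same fixed version wherever they are resolved, including through transitive dependencies, instead of patching the jar by hand as the CVE-2021-45046 mitigation describes. The upper bound of the range and the `because` text are this example's choices.

```kotlin
// build.gradle.kts (added example; not the plugin's own build script)
dependencies {
    constraints {
        // A constraint applies wherever log4j-core is resolved, directly or transitively.
        // strictly() refuses any version outside the range instead of letting conflict
        // resolution pick the highest, so a stray 2.0-beta9 cannot win.
        implementation("org.apache.logging.log4j:log4j-core") {
            version { strictly("[2.17.1, 3.0)") }
            because("CVE-2021-45046 (fixed 2.16.0), CVE-2021-44832 (fixed 2.17.1), CVE-2020-9488 (fixed 2.13.2)")
        }
        implementation("org.apache.logging.log4j:log4j-api") {
            version { strictly("[2.17.1, 3.0)") }
            because("log4j-api must stay at the same version as log4j-core")
        }
    }
}
```

Confirm the resolved version and which dependency pulled it in with `./gradlew dependencyInsight --dependency log4j-core --configuration runtimeClasspath`; if the only consumer is a transitive one the scanner should report the same coordinate once rather than once per advisory.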
CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) 12 issues
StringBuilder
Consider using StringBuffer
StringBuilder
StringBuilder
StringBuilder
StringBuilder
StringBuilder
Queue
Consider using ConcurrentLinkedQueue or LinkedBlockingQueue
HashMap
Consider using ConcurrentHashMap or Collections.synchronizedMap(new HashMap<>())
HashMap
StringBuilder
Consider using StringBuffer
StringBuilder
StringBuilder
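The suggested replacements above only help when the object is actually shared between threads, and even then they only make each individual call atomic. A `StringBuilder` that is local to one method (as when a report string is assembled) needs no synchronization at all, and swapping a `HashMap` for a `ConcurrentHashMap` does not fix a read-then-write sequence, because `get` and `put` remain two separate operations. The code below is an added example, not the plugin's own, showing that check-then-act counting loses updates even on `ConcurrentHashMap` and that the per-key `merge` operation is the atomic form. The thread counts and the "CWE-362" key are constructed for this example.

```kotlin
import java.util.concurrent.ConcurrentHashMap
import java.util.concurrent.Executors
import java.util.concurrent.TimeUnit

// Check-then-act: racy even on ConcurrentHashMap, because another thread can interleave
// between the get and the put and one of the two increments is lost.
fun countRacy(counts: MutableMap<String, Int>, key: String) {
    val current = counts[key] ?: 0
    counts[key] = current + 1
}

// Atomic per-key read-modify-write: the map performs merge under its own lock for that key.
fun countAtomic(counts: ConcurrentHashMap<String, Int>, key: String) {
    counts.merge(key, 1) { a, b -> a + b }
}

/** Run [update] perThread times on each of [threads] worker threads and wait for completion. */
fun runCounters(threads: Int, perThread: Int, update: (String) -> Unit) {
    val pool = Executors.newFixedThreadPool(threads)
    repeat(threads) { pool.execute { repeat(perThread) { update("CWE-362") } } }
    pool.shutdown()
    pool.awaitTermination(1, TimeUnit.MINUTES)
}

fun main() {
    val threads = 8
    val perThread = 10_000
    val expected = threads * perThread

    val racy = ConcurrentHashMap<String, Int>()
    runCounters(threads, perThread) { countRacy(racy, it) }

    val atomic = ConcurrentHashMap<String, Int>()
    runCounters(threads, perThread) { countAtomic(atomic, it) }

    // The racy total is typically below expected; the atomic total is always exactly expected.
    println("expected $expected, check-then-act ${racy["CWE-362"]}, merge ${atomic["CWE-362"]}")
}
```

The same reasoning applies to the `StringBuilder` lines: `StringBuffer` serializes each `append`, but two threads appending a multi-part record still interleave their parts. If a builder really is shared, guard the whole sequence of appends with one lock, or build the record on a local builder and publish the finished string.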

CWE Issues Distribution