resultado.log

DEBU[0000] {HORUSEC_CLI} Config file running on path: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/horusec-config.json 
WARN[0000] {HORUSEC_CLI} Config file not found          
DEBU[0000] Set log file to /tmp/horusec-2022-03-22-16-51-01.log 
DEBU[0000] {HORUSEC_CLI} The current configuration for this analysis are:{
  "is_timeout": false,
  "log_level": "debug",
  "config_file_path": "/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/horusec-config.json",
  "log_file_path": "/tmp/horusec-2022-03-22-16-51-01.log",
  "horusec_api_uri": "http://0.0.0.0:8000",
  "repository_authorization": "00000000-0000-0000-0000-000000000000",
  "cert_path": "",
  "repository_name": "example2",
  "print_output_type": "",
  "json_output_file_path": "",
  "project_path": "/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities",
  "custom_rules_path": "",
  "container_bind_project_path": "",
  "timeout_in_seconds_request": 300,
  "timeout_in_seconds_analysis": 600,
  "monitor_retry_in_seconds": 15,
  "return_error_if_found_vulnerability": false,
  "enable_git_history_analysis": false,
  "cert_insecure_skip_verify": false,
  "enable_commit_author": false,
  "disable_docker": false,
  "enable_information_severity": false,
  "enable_owasp_dependency_check": false,
  "enable_shell_check": false,
  "severities_to_ignore": [
    "INFO"
  ],
  "files_or_paths_to_ignore": [
    "*tmp*",
    "**/.vscode/**"
  ],
  "false_positive_hashes": null,
  "risk_accept_hashes": null,
  "show_vulnerabilities_types": [
    "Vulnerability"
  ],
  "tools_config": {
    "Bandit": {
      "istoignore": false
    },
    "Brakeman": {
      "istoignore": false
    },
    "BundlerAudit": {
      "istoignore": false
    },
    "Checkov": {
      "istoignore": false
    },
    "DotnetCli": {
      "istoignore": false
    },
    "Flawfinder": {
      "istoignore": false
    },
    "GitLeaks": {
      "istoignore": false
    },
    "GoSec": {
      "istoignore": false
    },
    "HorusecEngine": {
      "istoignore": false
    },
    "MixAudit": {
      "istoignore": false
    },
    "Nancy": {
      "istoignore": false
    },
    "NpmAudit": {
      "istoignore": false
    },
    "OwaspDependencyCheck": {
      "istoignore": false
    },
    "PhpCS": {
      "istoignore": false
    },
    "Safety": {
      "istoignore": false
    },
    "SecurityCodeScan": {
      "istoignore": false
    },
    "Semgrep": {
      "istoignore": false
    },
    "ShellCheck": {
      "istoignore": false
    },
    "Sobelow": {
      "istoignore": false
    },
    "TfSec": {
      "istoignore": false
    },
    "Trivy": {
      "istoignore": false
    },
    "YarnAudit": {
      "istoignore": false
    }
  },
  "headers": {},
  "work_dir": {
    "go": [],
    "csharp": [],
    "ruby": [],
    "python": [],
    "java": [],
    "kotlin": [],
    "javaScript": [],
    "leaks": [],
    "hcl": [],
    "php": [],
    "c": [],
    "yaml": [],
    "generic": [],
    "elixir": [],
    "shell": [],
    "dart": [],
    "nginx": []
  },
  "custom_images": {
    "c": "",
    "csharp": "",
    "elixir": "",
    "generic": "",
    "go": "",
    "hcl": "",
    "javascript": "",
    "leaks": "",
    "php": "",
    "python": "",
    "ruby": "",
    "shell": ""
  },
  "version": "v2.8.0-beta.1"
} 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/FETCH_HEAD] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/HEAD] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/branches] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/config] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/description] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/applypatch-msg.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/commit-msg.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/fsmonitor-watchman.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/post-update.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-applypatch.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-commit.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-merge-commit.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-push.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-rebase.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/pre-receive.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/prepare-commit-msg.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/hooks/update.sample] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/index] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/info] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/info/exclude] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/HEAD] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs/heads] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs/heads/main] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs/remotes] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs/remotes/origin] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/logs/refs/remotes/origin/HEAD] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/objects] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/objects/info] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/objects/pack] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/objects/pack/pack-b9766859f30122bc008e92eb52f57b17a14384d7.idx] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/objects/pack/pack-b9766859f30122bc008e92eb52f57b17a14384d7.pack] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/packed-refs] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/heads] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/heads/main] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/remotes] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/remotes/origin] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/remotes/origin/HEAD] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.git/refs/tags] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/CODEOWNERS] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/ISSUE_TEMPLATE] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/ISSUE_TEMPLATE/bug_report.md] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/ISSUE_TEMPLATE/feature_request.md] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/ISSUE_TEMPLATE/improvement.md] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/ISSUE_TEMPLATE/support_request.md] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/PULL_REQUEST_TEMPLATE.md] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/workflows] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/workflows/dco.yaml] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/workflows/license.yaml] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.github/workflows/security.yml] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.gitignore] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example1/.gitignore] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example2/.gitignore] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/.gitignore] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/public/apple-touch-icon-precomposed.png] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/public/apple-touch-icon.png] 
DEBU[0000] {HORUSEC_CLI} The file or folder was ignored to send analysis:[/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/public/favicon.ico] 
WARN[0000] {HORUSEC_CLI} When starting the analysis WE SKIP A TOTAL OF 62 FILES that are not considered to be analyzed. To see more details use flag --log-level=debug 

WARN[0000] Horusec will return a timeout after 600 seconds. This time can be customized in the cli settings. 

WARN[0000] {HORUSEC_CLI} PLEASE DON'T REMOVE ".horusec" FOLDER BEFORE THE ANALYSIS FINISH! Don’t worry, we’ll remove it after the analysis ends automatically! Project sent to folder in location: [/home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9] 

DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Nginx in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - YAML in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Swift in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Dart in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Kotlin in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Leaks in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - JavaScript in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - C# in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - Nginx is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running HorusecEngine - Java in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running Flawfinder - C in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running Sobelow - Elixir in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with mix.lock extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension mix.lock on elixir/example1 
DEBU[0000] {HORUSEC_CLI} Using path elixir/example1 as workdir to run tool Sobelow 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - Swift is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - YAML is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running MixAudit - Elixir in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with mix.lock extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension mix.lock on elixir/example1 
DEBU[0000] {HORUSEC_CLI} Using path elixir/example1 as workdir to run tool MixAudit 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - Dart is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - Kotlin is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running Checkov - HCL in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running TfSec - HCL in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - C# is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} The tool was ignored for run in this analysis: Nancy 
DEBU[0000] {HORUSEC_CLI} Running GoSec - Go in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - JavaScript is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} The tool was ignored for run in this analysis: ShellCheck 
DEBU[0000] {HORUSEC_CLI} The tool was ignored for run in this analysis: OwaspDependencyCheck 
DEBU[0000] {HORUSEC_CLI} Running Semgrep - Generic in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running Trivy - Generic in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running Safety - Python in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with requirements.txt extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension requirements.txt on python/example2 
DEBU[0000] {HORUSEC_CLI} Using path python/example2 as workdir to run tool Safety 
DEBU[0000] {HORUSEC_CLI} Running Bandit - Python in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running PhpCS - PHP in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running BundlerAudit - Ruby in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with Gemfile.lock extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension Gemfile.lock on ruby/example1 
DEBU[0000] {HORUSEC_CLI} Using path ruby/example1 as workdir to run tool SecurityCodeScan 
DEBU[0000] {HORUSEC_CLI} Running Brakeman - Ruby in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with Gemfile name on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found file Gemfile on ruby/example1/Gemfile  
DEBU[0000] {HORUSEC_CLI} Using path ruby/example1 as workdir to run tool Brakeman 
DEBU[0000] {HORUSEC_CLI} HorusecEngine - Java is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running NpmAudit - JavaScript in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with package-lock.json extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Running YarnAudit - JavaScript in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with yarn.lock extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension package-lock.json on javascript/example1 
DEBU[0000] {HORUSEC_CLI} Using path javascript/example1 as workdir to run tool NpmAudit 
DEBU[0000] Found files of extension yarn.lock on javascript/example2 
DEBU[0000] {HORUSEC_CLI} Using path javascript/example2 as workdir to run tool YarnAudit 
DEBU[0000] {HORUSEC_CLI} Running DotnetCli - C# in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with *.sln extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension *.sln on csharp/example1 
DEBU[0000] {HORUSEC_CLI} Using path csharp/example1 as workdir to run tool DotnetCli 
DEBU[0000] {HORUSEC_CLI} Running SecurityCodeScan - C# in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] {HORUSEC_CLI} Searching for files with .sln extension on /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/.horusec/79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0000] Found files of extension .sln on csharp/example1 
DEBU[0000] {HORUSEC_CLI} Using path csharp/example1 as workdir to run tool SecurityCodeScan 
DEBU[0001] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:9812c2a2608bac11e6a625a424952c68152cdfd45d9406de4db82453e9962325 image:docker.io/horuszup/horusec-c:v1.0.1]] 
DEBU[0001] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:9812c2a2608bac11e6a625a424952c68152cdfd45d9406de4db82453e9962325 image:docker.io/horuszup/horusec-c:v1.0.1]] 
DEBU[0001] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-c:v1.0.1]] 
DEBU[0001] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-c:v1.0.1]] 
DEBU[0001] {HORUSEC_CLI} Flawfinder - C is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0001] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:b9bb51f6a699a9e9a310193d5a10635f5fff7e57563c75d5a110b2f4c723b8bb image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0001] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:b9bb51f6a699a9e9a310193d5a10635f5fff7e57563c75d5a110b2f4c723b8bb image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0001] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:2fc5faaba349514e778353cb7fe7f286927e2569e1df1c935b309e7f8b975feb image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0001] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:2fc5faaba349514e778353cb7fe7f286927e2569e1df1c935b309e7f8b975feb image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0001] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:a1de2fbbdc72ba75ce66f9371fda826562e56714f6dd6f73a837b0db3b1343ec image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0001] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:a1de2fbbdc72ba75ce66f9371fda826562e56714f6dd6f73a837b0db3b1343ec image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0002] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:2f26a0340e3ffd3cb0e44d0d7351343bb38d2a088dcc785ceee4976b6c540193 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0002] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:2f26a0340e3ffd3cb0e44d0d7351343bb38d2a088dcc785ceee4976b6c540193 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0002] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:1991eefe468b46a62ba70407b77461eb110a51130a01c17c012b9f8ba9734757 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0002] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:1991eefe468b46a62ba70407b77461eb110a51130a01c17c012b9f8ba9734757 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0002] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:5f1371e0373611a68ac49c526c8d772a742393a3ad1f503b4066e1589504fb1d image:docker.io/horuszup/horusec-go:v1.2.1]] 
DEBU[0002] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:5f1371e0373611a68ac49c526c8d772a742393a3ad1f503b4066e1589504fb1d image:docker.io/horuszup/horusec-go:v1.2.1]] 
DEBU[0002] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0002] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0002] {HORUSEC_CLI} TfSec - HCL is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0002] {HORUSEC_CLI} HorusecEngine - Leaks is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0003] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:fc414979b10259242446ed4a79de4df287eeb8098ae56600cf11887d61f44618 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0003] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:fc414979b10259242446ed4a79de4df287eeb8098ae56600cf11887d61f44618 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0003] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:6818a94057b9d2c42283a3da4a3bb6e16b53c0d80489bf4c82c6b6eff2f48c49 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0003] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:6818a94057b9d2c42283a3da4a3bb6e16b53c0d80489bf4c82c6b6eff2f48c49 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0003] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:0e3c5eb62d43f58cf5fc98313cc326683e742ffa0ba38d0bebad27419fc2e418 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0003] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:0e3c5eb62d43f58cf5fc98313cc326683e742ffa0ba38d0bebad27419fc2e418 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0003] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:5c13764cd03fb750fc7646b4f577b9aec5a7b7db396ab7e275fb89ed1a07e1e6 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0003] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:5c13764cd03fb750fc7646b4f577b9aec5a7b7db396ab7e275fb89ed1a07e1e6 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0003] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:46b7dbe59f7cbddf75468e5fb2a17d1a47ecb4d161a256d56d20393d761e305a image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0003] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:46b7dbe59f7cbddf75468e5fb2a17d1a47ecb4d161a256d56d20393d761e305a image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:d971c2f0ca9a58ca6765d3293e8bf7b913d751bb3460970c640add288930dead image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:d971c2f0ca9a58ca6765d3293e8bf7b913d751bb3460970c640add288930dead image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:4018f8f7265ff815cb49f4bc09a55904c7b2f590559705611d34fde285aa33f7 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:4018f8f7265ff815cb49f4bc09a55904c7b2f590559705611d34fde285aa33f7 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:f9ccf429e4ab016859142d8a2608eacedad30411a9078970be875580fc6f4e0a image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:f9ccf429e4ab016859142d8a2608eacedad30411a9078970be875580fc6f4e0a image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:a9838b5af6535347d34fe629cf69c3ff9ed7321bdd533bf65ca9b2bec36b11da image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:a9838b5af6535347d34fe629cf69c3ff9ed7321bdd533bf65ca9b2bec36b11da image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:773ad5a5d172f98fb29b026158dc548a9e611003797665b54f1b5f5196392d43 image:docker.io/horuszup/horusec-php:v1.0.1]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:773ad5a5d172f98fb29b026158dc548a9e611003797665b54f1b5f5196392d43 image:docker.io/horuszup/horusec-php:v1.0.1]] 
DEBU[0004] {HORUSEC_CLI} Docker create new container: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:0e5edc5c5bd6c9ff62d03d30976d55bd2842213a9168ae5193686408b24114bb image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker wait container up...[map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 containerId:0e5edc5c5bd6c9ff62d03d30976d55bd2842213a9168ae5193686408b24114bb image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0004] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0004] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0004] {HORUSEC_CLI} MixAudit - Elixir is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0005] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-php:v1.0.1]] 
DEBU[0005] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-php:v1.0.1]] 
DEBU[0005] {HORUSEC_CLI} PhpCS - PHP is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0005] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0005] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0005] {HORUSEC_CLI} Bandit - Python is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0005] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0005] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0005] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0005] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0005] {HORUSEC_CLI} NpmAudit - JavaScript is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0006] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0006] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0006] {HORUSEC_CLI} Brakeman - Ruby is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0006] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-go:v1.2.1]] 
DEBU[0006] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0006] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-js:v1.2.0]] 
DEBU[0006] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-go:v1.2.1]] 
DEBU[0006] {HORUSEC_CLI} GoSec - Go is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0006] {HORUSEC_CLI} YarnAudit - JavaScript is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0007] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0007] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-hcl:v1.1.0]] 
DEBU[0007] {HORUSEC_CLI} Checkov - HCL is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0009] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0009] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-elixir:v1.1.0]] 
DEBU[0009] {HORUSEC_CLI} Sobelow - Elixir is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0010] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0010] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-ruby:v1.1.1]] 
DEBU[0010] {HORUSEC_CLI} BundlerAudit - Ruby is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0010] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0010] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-python:v1.0.0]] 
DEBU[0010] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0010] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0010] {HORUSEC_CLI} Semgrep - Generic is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0010] {HORUSEC_CLI} Safety - Python is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0010] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0010] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-generic:v1.1.0]] 
DEBU[0010] {HORUSEC_CLI} Trivy - Generic is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0057] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0057] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0057] {HORUSEC_CLI} DotnetCli - C# is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 
DEBU[0060] {HORUSEC_CLI} Docker read container output: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0060] {HORUSEC_CLI} Docker Finished analysis with SUCCESS: [map[analysisId:79a2a64c-ba32-4200-93fb-b122dde61fe9 image:docker.io/horuszup/horusec-csharp:v1.2.0]] 
DEBU[0060] {HORUSEC_CLI} SecurityCodeScan - C# is finished in analysisID: 79a2a64c-ba32-4200-93fb-b122dde61fe9 


==================================================================================

HORUSEC ENDED THE ANALYSIS WITH STATUS OF "success" AND WITH THE FOLLOWING RESULTS:

==================================================================================

Analysis StartedAt: 2022-03-22 16:51:01
Analysis FinishedAt: 2022-03-22 16:52:01

==================================================================================

Language: YAML
Severity: CRITICAL
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/yaml/example1/example.yaml
Code: 
RuleID: HS-KUBERNETES-4
Details: Capability System Admin
CAP_SYS_ADMIN is the most privileged capability and should always be avoided.
Type: Vulnerability
ReferenceHash: 18040dc10b672acad7bbb4634c32fa084fd283f770beec86fa1d16dd69954a6e

==================================================================================

Language: Java
Severity: CRITICAL
Line: 14
Column: 4
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example2/build.gradle
Code: compileOnly 'org.apache.logging.log4j:log4j-api:2.14.0'
RuleID: HS-JAVA-150
Details: Remote code injection Apache Log4j
Log4j versions prior to 2.17.1 are subject to a remote code execution vulnerability via the ldap JNDI parser, uncontrolled recursion from self-referential lookups and some other vulnerabilities. For more information checkout the CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228), CVE-2021-45046 (https://nvd.nist.gov/vuln/detail/CVE-2021-45046), CVE-2021-45105 (https://nvd.nist.gov/vuln/detail/CVE-2021-45105) and CVE-2021-44832 (https://nvd.nist.gov/vuln/detail/CVE-2021-44832) advisories.
Type: Vulnerability
ReferenceHash: 71878e3c29364755dfbd8e68ee8f0028b5bfb1bed91fa45b80137d83eec3c918

==================================================================================

Language: HCL
Severity: CRITICAL
Line: 20
Column: 
SecurityTool: TfSec
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 20 and 20.
RuleID: aws-vpc-no-public-ingress-sgr
Details: aws-vpc-no-public-ingress-sgr -> [Resource 'aws_security_group_rule.my-rule' defines a fully open ingress security group rule.]
Type: Vulnerability
ReferenceHash: 69fd52a63b5da396b817869763af1d2d92489b16c8ba8b241c078a3a4c0a9299

==================================================================================

Language: HCL
Severity: CRITICAL
Line: 25
Column: 
SecurityTool: TfSec
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 25 and 25.
RuleID: aws-elbv2-http-not-used
Details: aws-elbv2-http-not-used -> [Resource 'aws_alb_listener.my-alb-listener' uses plain HTTP instead of HTTPS.]
Type: Vulnerability
ReferenceHash: a912db3bb0a67dfd4356d5720b8a441058df95acb40848eecc3edd244ba38cfd

==================================================================================

Language: HCL
Severity: CRITICAL
Line: 28
Column: 
SecurityTool: TfSec
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 28 and 30.
RuleID: aws-rds-no-classic-resources
Details: aws-rds-no-classic-resources -> [Resource 'aws_db_security_group.my-group' uses EC2 Classic. Use a VPC instead.]
Type: Vulnerability
ReferenceHash: 5b060e08471e670fcb625fa046a354493d217a192856ddddbb51abde848d4fd3

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/server-key.txt
Code: -----BEGIN RSA PRIVATE KEY-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: e5544276cd4ed447af777447168b533f2f38df4e5fc2dc1d9a1b3ce2e6bc8625

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 17
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/main.py
Code: password = 'thisisnotapassword' #nohorus
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 1bfd01873dfaad9fadf2a8a8856dbbf9e31b184664c78e2b72c2308dc7e51517

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/ca-key.txt
Code: -----BEGIN RSA PRIVATE KEY-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: 246450edd913a7a210708106ff2061c542d3ae46ca118d07914c0aec183c4bf9

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 26
Column: 33
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example2/deployments/docker-compose.yaml
Code: HORUSEC_DATABASE_SQL_URI: "postgresql://root:root@127.0.0.1:5432/horusec_db?sslmode=disable"
RuleID: HS-LEAKS-27
Details: Password found in a hardcoded URL
A password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.
Type: Vulnerability
ReferenceHash: eab730ca2150002cc7c15004a79a5fded384e0db93e598f07cfbfe33e1fc69ac

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/client-key.txt
Code: -----BEGIN RSA PRIVATE KEY-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: acc04e51009e301c4aaa6b71b78a95e943c78c3a9f8f795fd7fb2fd3cab46eeb

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 20
Column: 19
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/config.js
Code: "server": "postgres://postgres:postgres@127.0.0.1",
RuleID: HS-LEAKS-27
Details: Password found in a hardcoded URL
A password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.
Type: Vulnerability
ReferenceHash: 55447e5d2bbce43db4bb121c2dfc3ee5a7a6f9368839f0a88dd52e24b0aee1e4

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 28
Column: 19
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/config.js
Code: "server": "postgres://postgres:postgres@10.211.55.70",
RuleID: HS-LEAKS-27
Details: Password found in a hardcoded URL
A password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.
Type: Vulnerability
ReferenceHash: a9c2e1931f2d1c82b24007f32c69a8dd8d61563832726079695df0c27fe276a5

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 36
Column: 19
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/config.js
Code: "server": "postgres://postgres:postgres@postgres_db",
RuleID: HS-LEAKS-27
Details: Password found in a hardcoded URL
A password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.
Type: Vulnerability
ReferenceHash: 7c490532f6c54af8141c2b9259cdea6cc7b4ad06e36aa4d05f6dedbd3c5b5249

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 26
Column: 1
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example2/main.go
Code: password := "password"
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: a47bdda283dd0f887407923561c82049e04f016f00abfe012727a23d3e1d1bb8

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 32
Column: 20
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example2/main.go
Code: URI := fmt.Sprint("postgresql://root:root@postgresql:5432/horusecDB?sslmode=disable")
RuleID: HS-LEAKS-27
Details: Password found in a hardcoded URL
A password was found in a hardcoded URL, this can lead to not only the leak of this password but also a failure point to some more sophisticated CSRF and SSRF attacks. Check CWE-352 (https://cwe.mitre.org/data/definitions/352.html) and CWE-918 (https://cwe.mitre.org/data/definitions/918.html) for more details.
Type: Vulnerability
ReferenceHash: ce613fce503ac68746d53d41b69aef75415131633832bf0b3e34c2862ef7f899

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/client-cert.txt
Code: -----BEGIN CERTIFICATE-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: 545bd73af7e020094c0bbc7a072775a6232c0e1aecceb6587aae4d04ce661371

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 17
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/main.py
Code: password = 'thisisnotapassword' #nohusky
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 2a9648727ebb520d93185f55bc03b78462b27f246d3e4d25b398a3706729e809

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 41
Column: 58
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/test/support/data_case.ex
Code: assert {:error, changeset} = Accounts.create_user(%{password: "short"})
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 646a847a16d643cf90d480389da9ed9ee67808334af02984bb34faf054fe098b

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 61
Column: 2
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/config/dev.exs
Code: password: "postgres",
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: a54edfc6111a18b7e19b8db04966832601aef4d95a333b5f5af3c5915595049c

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 24
Column: 7
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "password": "admin"
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 2a6f7e5439ec1605c5bd1bbdf27b95e4842982f7cb18a6b2e1ee8ef41bebbb5b

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 28
Column: 7
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "password": "asdfpiuw981"
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 5bd35a7ecb9c3805680039289d8bcc7519d50af21cf4da618a1f8cff64bee2c4

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 46
Column: 12
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/swift/example1/example/example/Source/Exercises/Key-Management/Hard-Coded-Keys/BrokenCryptographyExerciseVC.swift
Code: let password = "b@nkP@ssword123"
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 05f2dc65de713837fbfd5236a677179f5bf6e381bccdf4a03b84f068fbdc9493

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/ca.txt
Code: -----BEGIN CERTIFICATE-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: 6c7ab9f1889c7d150de71c6f81b1d69ee84af271fca2ca3225809270bdccbcf0

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 164
Column: 8
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/kotlin/example1/src/main/kotlin/Hello.kt
Code: val password = "secret1234"
RuleID: HS-LEAKS-26
Details: Hard-coded password
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.
Type: Vulnerability
ReferenceHash: 3580c4fcac48e456d603adb404e6bea30ef6657112b4e6871daaa1422079aebe

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 1
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/leaks/example1/deployments/certificates/server-cert.txt
Code: -----BEGIN CERTIFICATE-----
RuleID: HS-LEAKS-12
Details: Asymmetric Private Key
Found SSH and/or x.509 Cerficates among the files of your project, make sure you want this kind of information inside your Git repo, since it can be missused by someone with access to any kind of copy.  For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.
Type: Vulnerability
ReferenceHash: 669dd3ed7697bf4911b307e69085975f189685550e20153749d6be45ae1a390b

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 20
Column: 15
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo "bbbb" . $_POST['b'];
RuleID: 7d731faa
Details: Easy XSS detected because of direct user input with $_POST on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: dded403532905de2a3c1a0f497ee45b55ef13f2f7f7a755b765f950603d796f7

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 22
Column: 10
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: db_query($_GET['a']);
RuleID: 32604f5b
Details: Potential SQL injection found in db_query()
 PHPCS_SecurityAudit.Drupal7.SQLi.D7DbQuerySQLi
Type: Vulnerability
ReferenceHash: d5574ae760980195a9688bfa225a95c94c24ab054119817656e5d9df4d2a2f9e

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 24
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: preg_replace("/.*/ei", $_GET['a'], 'aaaaaaa');
RuleID: 94c1d724
Details: User input and /e modifier found in preg_replace, remote code execution possible.
 PHPCS_SecurityAudit.BadFunctions.PregReplace.PregReplaceUserInputE
Type: Vulnerability
ReferenceHash: 3bf02ad2ea013d54986d2e7ee20a07b9be4ce0d3095226da84222d1256fc9724

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 25
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: preg_replace($_GET['b'], $_GET['a'], $_GET['c']);
RuleID: 23a0e01a
Details: User input found in preg_replace, /e modifier could be used for malicious intent.
 PHPCS_SecurityAudit.BadFunctions.PregReplace.PregReplaceUserInput
Type: Vulnerability
ReferenceHash: ce9d2f0c10366e6b32f768f9ac602665a97fc81ceb10a22a20e505b850ea26ec

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 38
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: `$_GET`;
RuleID: e73da300
Details: System execution with backticks detected with dynamic parameter directly from user input
 PHPCS_SecurityAudit.BadFunctions.Backticks.ErrSystemExec
Type: Vulnerability
ReferenceHash: 10e8d4651bc8e93678d411e821215a0e6a1f85615ec2ad0c2ade43b17347ee62

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 41
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: assert($_GET);
RuleID: 45496417
Details: Assert eval function assert() detected with dynamic parameter directly from user input
 PHPCS_SecurityAudit.BadFunctions.Asserts.ErrFunctionHandling
Type: Vulnerability
ReferenceHash: 6b9f1a6400540057db2071bfb7ddaed4e7294107c23ac2ff598c75da8fc4c306

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 43
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: exec($_GET);
RuleID: 7cdf7b60
Details: System program execution function exec() detected with dynamic parameter directly from user input
 PHPCS_SecurityAudit.BadFunctions.SystemExecFunctions.ErrSystemExec
Type: Vulnerability
ReferenceHash: 227a48dec73ea75a32145d4f00eede1f448efc128b6fde54c6eb1432aac87e40

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 45
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: mysql_query($_GET);
RuleID: 023b104b
Details: SQL function mysql_query() detected with dynamic parameter  directly from user input
 PHPCS_SecurityAudit.BadFunctions.SQLFunctions.ErrSQLFunction
Type: Vulnerability
ReferenceHash: 9f1a03d182e2fc0ae1e786b69ee6801b0c131c688563e5b651a597acc70ca1cf

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 50
Column: 36
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: openssl_public_encrypt($i, $e, $k, OPENSSL_PKCS1_PADDING);
RuleID: 396fe71a
Details: Bad use of openssl_public_encrypt without OPENSSL_PKCS1_OAEP_PADDING
 PHPCS_SecurityAudit.BadFunctions.CryptoFunctions.ErrPCKS1Crypto
Type: Vulnerability
ReferenceHash: 0f72b6536032d3ebd2d8fe6b16cd75d74826055f8fc9297b8a252486b77b77f6

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 58
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: include('abc.xyz');
RuleID: 82583e95
Details: The file extension '.xyz' that is not specified by --extensions has been used in a include/require function. Please add it to the scan process.
 PHPCS_SecurityAudit.Misc.IncludeMismatch.ErrMiscIncludeMismatch
Type: Vulnerability
ReferenceHash: 61082ccb3171a80930a5d5bf4c4692b7212a409f4b6664fffa8477b982bc8d96

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 62
Column: 15
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: print("aaa" . $_GET['a']);
RuleID: 3ee495d3
Details: Easy XSS detected because of direct user input with $_GET on print
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: f1b0a38e0bb845630803eeb18549273f33085b2113711d439bf6af6be5f439b3

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 63
Column: 6
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo($_GET['a']);
RuleID: 12c4ed18
Details: Easy XSS detected because of direct user input with $_GET on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 9d37b1d0829e666e83da642acf6bdec16bd74d07df65fc621c7ae5922743b5cb

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 64
Column: 6
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo $_GET['a'];
RuleID: 12c4ed18
Details: Easy XSS detected because of direct user input with $_GET on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: d848d915108ddef30d2c260a49bc849436a7b62300098029f367c23d960df701

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 67
Column: 8
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo a($_GET['b']);
RuleID: 12c4ed18
Details: Easy XSS detected because of direct user input with $_GET on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: c2cee07b84cb8a5309cebba4a03fb092088584f8c8a87a18b7c6308052628d40

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 68
Column: 13
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo(allo(a($_GET['c'])));
RuleID: 12c4ed18
Details: Easy XSS detected because of direct user input with $_GET on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 2568f3fff6f74526171f9a1c4c6fc992c4d4e95613324d2739bedeee05d285e8

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 69
Column: 6
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: echo arg(1);
RuleID: 2f9285ad
Details: Easy XSS detected because of direct user input with arg on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 6948a71de80b75ecf78ecaeda674f5b92950c5c9033cd8af60ef441f5ba6ef10

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 70
Column: 10
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: die("" . $_GET['a']);
RuleID: c32d19b9
Details: Easy XSS detected because of direct user input with $_GET on die
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: e6c14cd17bfb046309048c194b3e567ac431e855bbf043761ef760ba7268f3e9

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 71
Column: 15
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: exit("exit" . $_GET['a']);
RuleID: 0e0a0612
Details: Easy XSS detected because of direct user input with $_GET on exit
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 45048737642b75a7e4b43fd03142b2d502642dde52d17312279fa3aa439ff8f3

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 73
Column: 5
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: <?= $_GET['a'] ?>
RuleID: 2314e91a
Details: Easy XSS detected because of direct user input with $_GET on <?=
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 5251b4f73b688151815b250b30428db190d11c18794fcb3afe5045818a32420f

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 77
Column: 1
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: file_create_filename(arg(1));
RuleID: 37b45108
Details: Filesystem function file_create_filename() detected with dynamic parameter directly from user input
 PHPCS_SecurityAudit.BadFunctions.FilesystemFunctions.ErrFilesystem
Type: Vulnerability
ReferenceHash: f85d031218daa951cd59f8d5604f19cdef0b6ebffcd6598677554f33c25fc81f

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 95
Column: 31
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: ->condition('email', '1', $_GET)
RuleID: 37ad405d
Details: SQL injection found in condition with param #3
 PHPCS_SecurityAudit.Drupal7.DynQueries.D7DynQueriesSQLi
Type: Vulnerability
ReferenceHash: bf9d304bc7a50a5d188d06f22492dddfbbe5756e5544f7599bbf9458b732ac3c

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 122
Column: 14
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/tool-examples/phpcs-security-audit.php
Code: ->fields($_GET)
RuleID: abb2bf56
Details: SQL injection found in fields with param #1
 PHPCS_SecurityAudit.Drupal7.DynQueries.D7DynQueriesSQLi
Type: Vulnerability
ReferenceHash: de7b9a2169d89f647932124a82831e18bee5073d006d21274526966687da146e

==================================================================================

Language: PHP
Severity: CRITICAL
Line: 23
Column: 26
SecurityTool: PhpCS
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example2/cross-site-scripting-xss.php
Code: echo 'Hello, welcome ' . $_GET['name'];
RuleID: 12c4ed18
Details: Easy XSS detected because of direct user input with $_GET on echo
 PHPCS_SecurityAudit.BadFunctions.EasyXSS.EasyXSSerr
Type: Vulnerability
ReferenceHash: 4bf2619c9794a1999bb2ca7d171a00be00b318bf63959af3aac5fef04e853537

==================================================================================

Language: Generic
Severity: CRITICAL
Line: 548
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/jwt v0.3.2
RuleID: CVE-2020-26892
Details: The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
Installed Version: "0.3.2", Update to Version: "v1.1.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26892.
Cwe Links: (https://cwe.mitre.org/data/definitions/798.html)
Type: Vulnerability
ReferenceHash: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7

==================================================================================

Language: Generic
Severity: CRITICAL
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: CVE-2020-26892
Details: The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
Installed Version: "2.1.2", Update to Version: "2.1.9" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26892.
Cwe Links: (https://cwe.mitre.org/data/definitions/798.html)
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: CRITICAL
Line: 651
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/satori/go.uuid v1.2.0
RuleID: CVE-2021-3538
Details: A flaw was found in github.com/satori/go.uuid in versions from commit 0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c to d91630c8510268e75203009fe7daf2b8e1d60c45. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.
Installed Version: "1.2.0", Update to Version: "1.2.1-0.20181016170032-d91630c85102" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-3538.
Cwe Links: (https://cwe.mitre.org/data/definitions/338.html)
Type: Vulnerability
ReferenceHash: 5cbfe17f2b6b82431ce9de941b9666814228601747f7a680956a422e006b3495

==================================================================================

Language: Generic
Severity: CRITICAL
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activestorage v6.0.0
RuleID: CVE-2022-21831
Details: No description is available for this CVE.
Installed Version: "6.0.0", Update to Version: "7.0.2.3, 6.1.4.7, 6.0.4.7, 5.2.6.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2022-21831.
Type: Vulnerability
ReferenceHash: dea7a163ca76a3acb542312fc8eae58289574a38d44d4df97c76bc08165f69a0

==================================================================================

Language: Generic
Severity: CRITICAL
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activesupport v6.0.0
RuleID: CVE-2020-8165
Details: A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.
Installed Version: "6.0.0", Update to Version: "6.0.3.1, 5.2.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8165.
Cwe Links: (https://cwe.mitre.org/data/definitions/502.html)
Type: Vulnerability
ReferenceHash: b2a400f460d929aa8f44f746f5d85418d069836e06c586c8a15ce593e2291c70

==================================================================================

Language: C#
Severity: CRITICAL
Line: 11
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="adplug" Version="2.3.1"/>
RuleID: 46091d79
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-874w-m2v2-mj64).
Type: Vulnerability
ReferenceHash: a3de79d0a4507e75706168f2cc4033b543ce75620a4afed5d7989ad818ffd935

==================================================================================

Language: C#
Severity: CRITICAL
Line: 9
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="Wire" Version="1.0.0"/>
RuleID: 6ebb293d
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-hpw7-3vq3-mmv6).
Type: Vulnerability
ReferenceHash: a86010d89768015b7ebf18d9ecf2bb439c16deba7d71a808fa46e051b09d658d

==================================================================================

Language: C#
Severity: CRITICAL
Line: 36
Column: 34
SecurityTool: SecurityCodeScan
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: client.Credentials = new NetworkCredential("test@test.com", "testpassword");
RuleID: SCS0015
Details: Hardcoded value in 'string password'.
The secret value to this API appears to be hardcoded. Consider moving the value to externalized configuration to avoid leakage of secret information. For more information, check the following url (https://security-code-scan.github.io/#SCS0015).
Type: Vulnerability
ReferenceHash: c95fb842ac060749491a69c46a60e6c6e910b0f7733efeee06e05a7f9e421974

==================================================================================

Language: Dart
Severity: HIGH
Line: 38
Column: 29
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/dart/example1/lib/data/query/user_ctr.dart
Code: uery("SELECT * FROM user WHERE username = '$user' and password = '$password'");
RuleID: HS-DART-13
Details: SQL Injection
The input values included in SQL queries need to be passed in safely. Bind variables in prepared statements can be used to easily mitigate the risk of SQL injection. Alternatively to prepare statements, each parameter can be escaped manually. For more information checkout the CWE-89 (https://cwe.mitre.org/data/definitions/89.html) advisory.
Type: Vulnerability
ReferenceHash: 5bf82b53a6273708a50cababe65d7201163755dfe3189b0881e93436453a967f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 36
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: 2ceab33104e6922f6a9bcc8afd1525a21d894f4a7edce66cf4b7ac40acc0b6c9

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 42
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: 357feeafa9c9a8283340c2f24d3b9e6af708c40b62ae25bca73ca31079ae682f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 48
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: 90479ea2f915e62c5af342029895008ed1b7ead5307d11b74390942739723fc5

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 66
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: 85beeff20ab2a8d7369939b5b71ca0b99854ccd81f32e58858d8382d65a8b720

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 72
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: 43c0b0abd5c7dfa2f694537b30124ffe41bca0596b4ca6ce7054588db33c3435

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 78
Column: 24
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/dummy.js
Code: "price": parseInt(Math.random() * 100),
RuleID: HS-JAVASCRIPT-6
Details: No use weak random number generator
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information. As the Math.random() function relies on a weak pseudorandom number generator, this function should not be used for security-critical applications or for protecting sensitive data. In such context, a cryptographically strong pseudorandom number generator (CSPRNG) should be used instead. For more information checkout the CWE-338 (https://cwe.mitre.org/data/definitions/338.html) advisory.
Type: Vulnerability
ReferenceHash: f9c5b0823d9c1e1aea8a07fc642dacb36b34cb87e6edf12b62fea30df5bab0e1

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example4/test.js
Code: 
RuleID: HS-JAVASCRIPT-16
Details: Alert statements should not be used
alert(...) as well as confirm(...) and prompt(...) can be useful for debugging during development, but in production mode this kind of pop-up could expose sensitive information to attackers, and should never be displayed. For more information checkout the CWE-489 (https://cwe.mitre.org/data/definitions/489.html) advisory.
Type: Vulnerability
ReferenceHash: f3be256297e6b074192d7114bd1f09b08d621ad487b3f29a23ef05d2718dac3f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 31
Column: 12
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/app.js
Code: res.redirect(url);
RuleID: HS-JAVASCRIPT-22
Details: Redirect to unknown path
Sanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts. For more information checkout the CWE-20 (https://cwe.mitre.org/data/definitions/20.html) advisory.
Type: Vulnerability
ReferenceHash: 922d42473110557a718b1ec3b666fafa5f688ba4932e9e72711356bfac5595f9

==================================================================================

Language: Java
Severity: HIGH
Line: 18
Column: 7
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example1/src/main/java/br/com/zup/vulnerabilities/random/RandomIssue.java
Code: import java.util.Random;
RuleID: HS-JAVA-114
Details: Insecure Random Number Generator
The App uses an insecure Random Number Generator. For more information checkout the CWE-330 (https://cwe.mitre.org/data/definitions/330.html) advisory.
Type: Vulnerability
ReferenceHash: 3ff3386e5fd7667b25c081818ab98c340ddbcdda8f633f04d7701d55203f90a2

==================================================================================

Language: Java
Severity: HIGH
Line: 27
Column: 13
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example1/src/main/java/br/com/zup/vulnerabilities/trust/AllTrustSSLSocketFactoryIssue.java
Code: public class AllTrustSSLSocketFactoryIssue extends SSLSocketFactory {
RuleID: HS-JAVA-9
Details: Insecure Implementation of SSL
Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks. For more information checkout the CWE-295 (https://cwe.mitre.org/data/definitions/295.html) advisory.
Type: Vulnerability
ReferenceHash: 90cf7d0387d64288df034306a916894222f4c327518a74bbbe7e2d510a7a57cd

==================================================================================

Language: Java
Severity: HIGH
Line: 39
Column: 10
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/java/example1/src/main/java/br/com/zup/vulnerabilities/trust/AllTrustSSLSocketFactoryIssue.java
Code: } catch (Exception ex) {
RuleID: HS-JAVA-63
Details: Information Exposure Through An Error Message
The sensitive information may be valuable information on its own (such as a password), or it may be useful for launching other, more deadly attacks. For more information checkout the CWE-209 (https://cwe.mitre.org/data/definitions/209.html) advisory.
Type: Vulnerability
ReferenceHash: b2601dcee0bf6aa165cb6245c9ef11fc2e6afcbc53e16b5ba877a7d05b4caf9d

==================================================================================

Language: HCL
Severity: HIGH
Line: 34
Column: 
SecurityTool: TfSec
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 34 and 34.
RuleID: azure-compute-enable-disk-encryption
Details: azure-compute-enable-disk-encryption -> [Resource 'azurerm_managed_disk.source' defines an unencrypted managed disk.]
Type: Vulnerability
ReferenceHash: 904fbf133cf1ef1c8e57b9149c95d150c227cf06d02370a65e05953e5cd7364b

==================================================================================

Language: Leaks
Severity: HIGH
Line: 37
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'DB_NAME', 'mkllel' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 494364e9fc7eefb78e72c13622bd8f36ce7ff193e4e3774794a003cdfc97a32f

==================================================================================

Language: Leaks
Severity: HIGH
Line: 40
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'DB_USER', 'mkllel' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 87ed08c26c6f047c4075afb76726d6f7eff9c88c6e0648433666354829396123

==================================================================================

Language: Leaks
Severity: HIGH
Line: 43
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'DB_PASSWORD', 'wen0221!' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: a7272504ff776a01f9c9eb820143441844a98ac7c772cd9b5bd4900ed7fb6945

==================================================================================

Language: Leaks
Severity: HIGH
Line: 46
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'DB_HOST', 'localhost' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 142201dfbb35df380a2872d250d1190581d8a6c3b7a769cec8b271420c5fba95

==================================================================================

Language: Leaks
Severity: HIGH
Line: 63
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'AUTH_KEY',         'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 0f96b6c5b0751324e081603bea19094948d186b060f4383891312e4557705afc

==================================================================================

Language: Leaks
Severity: HIGH
Line: 64
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 9c2b048898fdd7ab148a92460c7dbb4832a08b2d5e80b6f728dddacceed3bc6b

==================================================================================

Language: Leaks
Severity: HIGH
Line: 65
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 98fafba007b866c59514097e978450ee4754598101ac7d986443a4b689c43862

==================================================================================

Language: Leaks
Severity: HIGH
Line: 66
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'NONCE_KEY',        'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 861d9035762949472adbe7e1f13f14b243ddd2ee13a09a0448b9a3e9f5fed700

==================================================================================

Language: Leaks
Severity: HIGH
Line: 67
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'AUTH_SALT',        'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: 05735d963275192924c769521b424a4426378e3d748ccacefe88d580d7af1b83

==================================================================================

Language: Leaks
Severity: HIGH
Line: 68
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: a6c167d46cc2a5fe423d374fac787dbe054d39d7d956adc3d864402002b75be4

==================================================================================

Language: Leaks
Severity: HIGH
Line: 69
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: f46e7c1841dd2f329461bf21b5d4d278318f20e9dd1502be4eb1b5cc3587cc9c

==================================================================================

Language: Leaks
Severity: HIGH
Line: 70
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/php/example1/wp-config.php
Code: define( 'NONCE_SALT',       'put your unique phrase here' );
RuleID: HS-LEAKS-28
Details: Wordpress configuration file disclosure
Wordpress configuration file exposed, this can lead to the leak of admin passwords, database credentials and a lot of sensitive data about the system. Check CWE-200 (https://cwe.mitre.org/data/definitions/200.html) for more details.
Type: Vulnerability
ReferenceHash: c55186451954e0d8def7f422179ace64c46e2f24cad86e1acbcc623c7af3db57

==================================================================================

Language: Elixir
Severity: HIGH
Line: 
Column: 
SecurityTool: MixAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/mix.lock
Code: ecto
Details: Missing `is_nil` requirement
Ecto will not raise on queries with non-explicit nil comparisons (ie if they aren't checked with `is_nil`).
Type: Vulnerability
ReferenceHash: 321ac7ba803762c1704daab4b5cff181045e8566c34e9c705ef8945175bb1e91

==================================================================================

Language: Elixir
Severity: HIGH
Line: 
Column: 
SecurityTool: MixAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/mix.lock
Code: phoenix
RuleID: 2017-1000163
Details: Arbitrary URL Redirect
The Phoenix team designed Phoenix.Controller.redirect/2 to protect againstredirects allowing user input to redirect to an external URL where yourapplication code otherwise assumes a local path redirect. This is why the:to option is used for “local” URL redirects and why you must pass the:external option to intentionally allow external URLs to be redirected to.It has been disclosed that carefully crafted user input may be treated by somebrowsers as an external URL. An attacker can use this vulnerability to aid insocial engineering attacks. The most common use would be to create highlybelievable phishing attacks.For example, the following user input would pass local URL validation,but be treated by Chrome and Firefox as external URLs:http://localhost:4000/?redirect=/\nexample.comNot all browsers are affected, but latest Chrome and Firefox will issue a getrequest for example.com and successfully redirect externally.
Type: Vulnerability
ReferenceHash: b027bb471503420afa0e60df3a54d5ecaa5f95ca1b978a1bc1a6a754235e8ed8

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 100
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs
RuleID: 1066634
Details: Affected version of `qs` are vulnerable to Prototype Pollution because it is possible to bypass the protection. The `qs.parse` function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing `[` or `]` may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.


## Recommendation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
Type: Vulnerability
ReferenceHash: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 100
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs
RuleID: 1067066
Details: Versions prior to 1.0.0 of `qs` are affected by a denial of service vulnerability that results from excessive recursion in parsing a deeply nested JSON string.




## Recommendation

Update to version 1.0.0 or later
Type: Vulnerability
ReferenceHash: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 85
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: negotiator
RuleID: 1067068
Details: Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.




## Recommendation

Update to version 0.6.1 or later.
Type: Vulnerability
ReferenceHash: 7e833ce5ece30c05dd31c82232a7ad16983a237453ddb7b3dd43902b682945d0

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 65
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: fresh
RuleID: 1067122
Details: Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.


## Recommendation

Update to version 0.5.2 or later.
Type: Vulnerability
ReferenceHash: 828ded0545f61106f15d5f1f3e8ecea04294f7057627383166be1ee0607de7ad

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 100
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs
RuleID: 1067175
Details: Versions prior to 1.0 of `qs` are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.


## Recommendation

Update to version 1.0.0 or later.
Type: Vulnerability
ReferenceHash: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 118
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: qs
RuleID: 1066634
Details: Affected version of `qs` are vulnerable to Prototype Pollution because it is possible to bypass the protection. The `qs.parse` function fails to properly prevent an object's prototype to be altered when parsing arbitrary input. Input containing `[` or `]` may bypass the prototype pollution protection and alter the Object prototype. This allows attackers to override properties that will exist in all objects, which may lead to Denial of Service or Remote Code Execution in specific circumstances.


## Recommendation

Upgrade to 6.0.4, 6.1.2, 6.2.3, 6.3.2 or later.
Type: Vulnerability
ReferenceHash: d2dbf3e0ce12b0a9bc8b9160cafa72d1a53e9053ef8b2ba2428aecfc03e9d302

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 103
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: negotiator
RuleID: 1067068
Details: Affected versions of `negotiator` are vulnerable to regular expression denial of service attacks, which trigger upon parsing a specially crafted `Accept-Language` header value.




## Recommendation

Update to version 0.6.1 or later.
Type: Vulnerability
ReferenceHash: ee1c3471c52c4bedc85752ef863d23fc76101e5a047c7eeb9e83baaf90dbb5f9

==================================================================================

Language: JavaScript
Severity: HIGH
Line: 73
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: fresh
RuleID: 1067122
Details: Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.


## Recommendation

Update to version 0.5.2 or later.
Type: Vulnerability
ReferenceHash: 259521764e685e0660b478fc393647ec0b8014c7cc1dcf3ff1e68784bcb60a87

==================================================================================

Language: Ruby
Severity: HIGH
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible exposure of information vulnerability in Action Pack (actionpack - 6.0.0) upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 ( - https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: HIGH
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Open Redirect in Host Authorization Middleware (actionpack - 6.0.0) upgrade to ~> 6.0.4, >= 6.0.4.1, >= 6.1.4.1 ( - https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: HIGH
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible DoS Vulnerability in Action Controller Token Authentication (actionpack - 6.0.0) upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 ( - https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: HIGH
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Denial of Service vulnerability in Action Dispatch (actionpack - 6.0.0) upgrade to ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 ( - https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: HIGH
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Information Disclosure / Unintended Method Execution in Action Pack (actionpack - 6.0.0) upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 ( - https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: HIGH
Line: 59
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: addressable
Details: Regular Expression Denial of Service in Addressable templates (addressable - 2.6.0) upgrade to >= 2.8.0 ( - https://github.com/advisories/GHSA-jxhc-q857-3j6g)
Type: Vulnerability
ReferenceHash: 3e1df653eda0a35a72e0463b365707f5cadbb215a838362d0f4a6d56bac7afc3

==================================================================================

Language: Ruby
Severity: HIGH
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) (nokogiri - 1.10.4) upgrade to >= 1.13.2 ( - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: HIGH
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 (nokogiri - 1.10.4) upgrade to >= 1.11.4 ( - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: HIGH
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation (nokogiri - 1.10.4) upgrade to >= 1.10.8 ( - https://github.com/sparklemotion/nokogiri/issues/1992)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: HIGH
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby (nokogiri - 1.10.4) upgrade to >= 1.12.5 ( - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: HIGH
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: Keepalive thread overload/DoS in puma (puma - 3.12.1) upgrade to ~> 3.12.2, >= 4.3.1 ( - https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: HIGH
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: HTTP Smuggling via Transfer-Encoding Header in Puma (puma - 3.12.1) upgrade to ~> 3.12.5, >= 4.3.4 ( - https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: HIGH
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: Keepalive Connections Causing Denial Of Service in puma (puma - 3.12.1) upgrade to ~> 4.3.8, >= 5.3.1 ( - https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: HIGH
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: Information Exposure with Puma when used with Rails (puma - 3.12.1) upgrade to ~> 4.3.11, >= 5.6.2 ( - https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: HIGH
Line: 194
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: websocket-extensions
Details: Regular Expression Denial of Service in websocket-extensions (RubyGem) (websocket-extensions - 0.1.4) upgrade to >= 0.1.5 ( - https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2)
Type: Vulnerability
ReferenceHash: 957d1cd80280e62d971acc15ffb2dc092e0d1cd7eb03b23d4911668fa0187023

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 37771
Details: Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.) See CVE-2019-19844.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 35516
Details: The administrative interface (contrib.admin) in Django before 1.4.14, 1.5.x before 1.5.9, 1.6.x before 1.6.6, and 1.7 before release candidate 3 does not check if a field represents a relationship between models, which allows remote authenticated users to obtain sensitive information via a to_field parameter in a popup action to an admin change form page, as demonstrated by a /admin/auth/user/?pop=1&t=password URI. See: CVE-2014-0483.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 33072
Details: The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 33071
Details: The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 33070
Details: Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 25713
Details: The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 25714
Details: The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 25715
Details: Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 33073
Details: The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 33074
Details: The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 25718
Details: The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 40637
Details: Django before 2.2.24, 3.x before 3.1.12, and 3.2.x before 3.2.4 has a potential directory traversal via django.contrib.admindocs. Staff members could use the TemplateDetailView view to check the existence of arbitrary files. Additionally, if (and only if) the default admindocs templates have been customized by application developers to also show file contents, then not only the existence but also the file contents would have been exposed. In other words, there is directory traversal outside of the template root directories.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 43041
Details: Django versions 2.2.25, 3.1.14 and 3.2.10 include a fix for CVE-2021-44420: In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
https://www.djangoproject.com/weblog/2021/dec/07/security-releases/
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 44427
Details: Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45116: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to leveraging the Django Template Language's variable resolution logic, the dictsort template filter was potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably crafted key.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 44426
Details: Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45452: Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 44423
Details: Django 2.2.26, 3.2.11 and 4.0.1 include a fix for CVE-2021-45115: An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was artificially large in relation to the comparison values. In a situation where access to user registration was unrestricted, this provided a potential vector for a denial-of-service attack.
https://www.djangoproject.com/weblog/2022/jan/04/security-releases/
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 44741
Details: An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 1
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: django
RuleID: 44742
Details: The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not properly encode the current context. This may lead to XSS.
Type: Vulnerability
ReferenceHash: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a

==================================================================================

Language: Python
Severity: HIGH
Line: 2
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: flask
RuleID: 36388
Details: flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
Type: Vulnerability
ReferenceHash: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b

==================================================================================

Language: Python
Severity: HIGH
Line: 2
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: flask
RuleID: 38654
Details: Flask 0.12.3 includes a fix for CVE-2019-1010083: Unexpected memory usage. The impact is denial of service. The attack vector is crafted encoded JSON data. NOTE: this may overlap CVE-2018-1000656.
https://github.com/pallets/flask/pull/2695/commits/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929
Type: Vulnerability
ReferenceHash: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b

==================================================================================

Language: Python
Severity: HIGH
Line: 2
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: flask
RuleID: 25820
Details: flask 0.6.1 fixes a security problem that allowed clients to download arbitrary files  if the host server was a windows based operating system and the client  uses backslashes to escape the directory the files where exposed from.
Type: Vulnerability
ReferenceHash: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b

==================================================================================

Language: Python
Severity: HIGH
Line: 3
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: jinja2
RuleID: 39525
Details: This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory. See: CVE-2020-28493.
Type: Vulnerability
ReferenceHash: 85a4cd1b13193cec4ab156cf0574bf4abac8b3a725024ea2695cc59ed149c0d0

==================================================================================

Language: Python
Severity: HIGH
Line: 3
Column: 0
SecurityTool: Safety
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/requirements.txt
Code: jinja2
RuleID: 25866
Details: The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp.
Type: Vulnerability
ReferenceHash: 85a4cd1b13193cec4ab156cf0574bf4abac8b3a725024ea2695cc59ed149c0d0

==================================================================================

Language: Generic
Severity: HIGH
Line: 85
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/apache/thrift v0.13.0
RuleID: CVE-2020-13949
Details: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Installed Version: "0.13.0", Update to Version: "v0.14.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-13949.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 8a9b439a9f071ce7ba414dc60f186d7b973d75245854ba9bd74b5dae3e587a66

==================================================================================

Language: Generic
Severity: HIGH
Line: 134
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/containerd/containerd v1.4.1
RuleID: CVE-2021-41103
Details: containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these version when they are released and may restart containers or update directory permissions to mitigate the vulnerability. Users unable to update should limit access to the host to trusted users. Update directory permission on container bundles directories.
Installed Version: "1.4.1", Update to Version: "v1.4.11, v1.5.7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-41103.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc

==================================================================================

Language: Generic
Severity: HIGH
Line: 165
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/dgrijalva/jwt-go v3.2.0+incompatible
RuleID: CVE-2020-26160
Details: jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26160.
Cwe Links: (https://cwe.mitre.org/data/definitions/862.html)
Type: Vulnerability
ReferenceHash: e2c8729b329494f140bb7cde2299426adaa9b6f77eb1a656f8d9dbd7b67567c6

==================================================================================

Language: Generic
Severity: HIGH
Line: 272
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/gogo/protobuf v1.3.1
RuleID: CVE-2021-3121
Details: An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
Installed Version: "1.3.1", Update to Version: "1.3.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-3121.
Cwe Links: (https://cwe.mitre.org/data/definitions/129.html)
Type: Vulnerability
ReferenceHash: 4d39cbd0e24ee614104b6a5d20ad19a127f4336e9b93c454137b63e07d6987bf

==================================================================================

Language: Generic
Severity: HIGH
Line: 548
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/jwt v0.3.2
RuleID: CVE-2020-26521
Details: The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
Installed Version: "0.3.2", Update to Version: "v1.1.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26521.
Cwe Links: (https://cwe.mitre.org/data/definitions/476.html)
Type: Vulnerability
ReferenceHash: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7

==================================================================================

Language: Generic
Severity: HIGH
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: CVE-2020-26521
Details: The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
Installed Version: "2.1.2", Update to Version: "2.1.9" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26521.
Cwe Links: (https://cwe.mitre.org/data/definitions/476.html)
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: HIGH
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: CVE-2022-24450
Details: NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
Installed Version: "2.1.2", Update to Version: "2.7.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2022-24450.
Cwe Links: (https://cwe.mitre.org/data/definitions/863.html)
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: fresh v0.2.0
RuleID: CVE-2017-16119
Details: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Installed Version: "0.2.0", Update to Version: "0.5.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16119.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 466d3818ff2db72345defca3b7d72e8610c77102ed3ca9dbc857ff397835da8c

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: fresh v0.2.2
RuleID: CVE-2017-16119
Details: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Installed Version: "0.2.2", Update to Version: "0.5.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16119.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 848bd36dde1c3872d98a065ec60b6ce7e4fc053957ba260095b9bc8fc701a0b2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: mime v1.2.11
RuleID: CVE-2017-16138
Details: The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Installed Version: "1.2.11", Update to Version: "2.0.3, 1.4.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16138.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 98b7d4d01cc1d5486fa0f5763dbc8fbc57226723ed00455f0ccb954890af1a9b

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: negotiator v0.3.0
RuleID: CVE-2016-10539
Details: negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Installed Version: "0.3.0", Update to Version: "0.6.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2016-10539.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: 9e593d1b45117aebbba769cbff1f28ada08478900d14a6d9d3de0213fd71dd83

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: negotiator v0.3.0
RuleID: NSWG-ECO-106
Details: negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string. 

Timeline

- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)
Installed Version: "0.3.0", Update to Version: ">= 0.6.1" for fix this issue.
Type: Vulnerability
ReferenceHash: 9e593d1b45117aebbba769cbff1f28ada08478900d14a6d9d3de0213fd71dd83

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs v0.6.6
RuleID: CVE-2014-10064
Details: The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Installed Version: "0.6.6", Update to Version: "1.0.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-10064.
Cwe Links: (https://cwe.mitre.org/data/definitions/399.html)
Type: Vulnerability
ReferenceHash: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs v0.6.6
RuleID: CVE-2014-7191
Details: The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Installed Version: "0.6.6", Update to Version: "1.0.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-7191.
Cwe Links: (https://cwe.mitre.org/data/definitions/399.html)
Type: Vulnerability
ReferenceHash: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs v0.6.6
RuleID: CVE-2017-1000048
Details: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Installed Version: "0.6.6", Update to Version: "6.3.2, 6.2.3, 6.1.2, 6.0.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-1000048.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: fresh v0.2.0
RuleID: CVE-2017-16119
Details: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Installed Version: "0.2.0", Update to Version: "0.5.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16119.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: f02d7ca215e5852ce577bb89e8bb4ff757b99cf74653281521b04685b7962120

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: fresh v0.2.2
RuleID: CVE-2017-16119
Details: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Installed Version: "0.2.2", Update to Version: "0.5.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16119.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: d8fb346ea3e846b2802b2e5c29ac925646ad3ed33e500b91b69ddaf79e0f92fe

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: fresh v0.2.4
RuleID: CVE-2017-16119
Details: Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.
Installed Version: "0.2.4", Update to Version: "0.5.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16119.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 610a5184d5932e4f0a0596b207ae33a41664086415f52e628124add52a0b7aba

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: mime v1.2.11
RuleID: CVE-2017-16138
Details: The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Installed Version: "1.2.11", Update to Version: "2.0.3, 1.4.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16138.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: f417edbe23cddb1fe54d6d201436744f8c1272e94b1bf0c8a9c37917f7163796

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: negotiator v0.3.0
RuleID: CVE-2016-10539
Details: negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.
Installed Version: "0.3.0", Update to Version: "0.6.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2016-10539.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: 4a8d51561b4e52a9df7e61e2f0d15c1f8f31b71ccbd1a6d9d7740d43f4797120

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: negotiator v0.3.0
RuleID: NSWG-ECO-106
Details: negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string. 

Timeline

- April 29th 2016 - Initial report to maintainers
- April 29th 2016 - Confirm receipt from maintainers
- May 1st 2016 - Fix confirmed
- May 5th 2016 - 0.6.1 published with fix
- June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)
Installed Version: "0.3.0", Update to Version: ">= 0.6.1" for fix this issue.
Type: Vulnerability
ReferenceHash: 4a8d51561b4e52a9df7e61e2f0d15c1f8f31b71ccbd1a6d9d7740d43f4797120

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: qs v0.6.6
RuleID: CVE-2014-10064
Details: The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Installed Version: "0.6.6", Update to Version: "1.0.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-10064.
Cwe Links: (https://cwe.mitre.org/data/definitions/399.html)
Type: Vulnerability
ReferenceHash: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: qs v0.6.6
RuleID: CVE-2014-7191
Details: The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Installed Version: "0.6.6", Update to Version: "1.0.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-7191.
Cwe Links: (https://cwe.mitre.org/data/definitions/399.html)
Type: Vulnerability
ReferenceHash: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: qs v0.6.6
RuleID: CVE-2017-1000048
Details: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.
Installed Version: "0.6.6", Update to Version: "6.3.2, 6.2.3, 6.1.2, 6.0.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-1000048.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2020-8164
Details: A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.
Installed Version: "6.0.0", Update to Version: "6.0.3.1, 5.2.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8164.
Cwe Links: (https://cwe.mitre.org/data/definitions/502.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-22885
Details: A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.
Installed Version: "6.0.0", Update to Version: "5.2.4.6, 5.2.6, 6.1.3.2, 6.0.3.7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22885.
Cwe Links: (https://cwe.mitre.org/data/definitions/209.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-22902
Details: The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
Installed Version: "6.0.0", Update to Version: "6.1.3.2, 6.0.3.7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22902.
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-22904
Details: The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
Installed Version: "6.0.0", Update to Version: "5.2.4.6, 5.2.6, 6.1.3.2, 6.0.3.7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22904.
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-22942
Details: A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.
Installed Version: "6.0.0", Update to Version: "6.1.4.1, 6.0.4.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22942.
Cwe Links: (https://cwe.mitre.org/data/definitions/601.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2022-23633
Details: Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Installed Version: "6.0.0", Update to Version: "7.0.2.2, 6.1.4.6, 6.0.4.6, 5.2.6.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2022-23633.
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activestorage v6.0.0
RuleID: CVE-2020-8162
Details: A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
Installed Version: "6.0.0", Update to Version: "6.0.3.1, 5.2.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8162.
Cwe Links: (https://cwe.mitre.org/data/definitions/434.html)
Type: Vulnerability
ReferenceHash: dea7a163ca76a3acb542312fc8eae58289574a38d44d4df97c76bc08165f69a0

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: addressable v2.6.0
RuleID: CVE-2021-32740
Details: Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
Installed Version: "2.6.0", Update to Version: "2.8.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-32740.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: dbf874603543c77b44a124b4354a7deaad6367ce3f933d6e04843c0f983aedad

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: CVE-2019-13117
Details: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Installed Version: "1.10.4", Update to Version: ">= 1.10.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-13117.
Cwe Links: (https://cwe.mitre.org/data/definitions/908.html)
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: CVE-2020-7595
Details: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
Installed Version: "1.10.4", Update to Version: "1.10.8" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-7595.
Cwe Links: (https://cwe.mitre.org/data/definitions/835.html)
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: CVE-2021-30560
Details: Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Installed Version: "1.10.4", Update to Version: ">= 1.13.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-30560.
Cwe Links: (https://cwe.mitre.org/data/definitions/416.html)
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: CVE-2021-41098
Details: Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Installed Version: "1.10.4", Update to Version: "1.12.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-41098.
Cwe Links: (https://cwe.mitre.org/data/definitions/611.html)
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: GHSA-7rrm-v45f-jp64
Details: ### Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

- [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388) (Medium severity)
- [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977) (Medium severity)
- [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517) (Medium severity)
- [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518) (Medium severity)
- [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537) (Low severity)
- [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541) (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516) via `xmllint` is not present in Nokogiri, and [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595) has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.11.4`, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.11.4`.


### Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from [security.archlinux.org](https://security.archlinux.org), which appears to have the most up-to-date information as of this analysis.

#### [CVE-2019-20388](https://security.archlinux.org/CVE-2019-20388)

- **Severity**: Medium
- **Type**: Denial of service
- **Description**: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.


#### [CVE-2020-7595](https://security.archlinux.org/CVE-2020-7595)

- **Severity**: Medium
- **Type**: Denial of service
- **Description**: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

This has been patched in Nokogiri since v1.10.8 (see #1992).


#### [CVE-2020-24977](https://security.archlinux.org/CVE-2020-24977)

- **Severity**: Medium
- **Type**: Information disclosure
- **Description**: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.


#### [CVE-2021-3516](https://security.archlinux.org/CVE-2021-3516)

- **Severity**: Medium
- **Type**: Arbitrary code execution (no remote vector)
- **Description**: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship `xmllint`.


#### [CVE-2021-3517](https://security.archlinux.org/CVE-2021-3517)

- **Severity**: Medium
- **Type**: Arbitrary code execution
- **Description**: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.


#### [CVE-2021-3518](https://security.archlinux.org/CVE-2021-3518)

- **Severity**: Medium
- **Type**: Arbitrary code execution
- **Description**: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.


#### [CVE-2021-3537](https://security.archlinux.org/CVE-2021-3537)

- **Severity**: Low
- **Type**: Denial of service
- **Description**: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
- **Issue**: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.


#### [CVE-2021-3541](https://security.archlinux.org/CVE-2021-3541)

- **Severity**: Low
- **Type**: Denial of service
- **Description**: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
- **Fixed**: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into `DTDLOAD` which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

Installed Version: "1.10.4", Update to Version: "1.11.4" for fix this issue.
PrimaryURL: https://github.com/advisories/GHSA-7rrm-v45f-jp64.
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: GHSA-fq42-c5rg-92c2
Details: ### Summary

Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies:

- vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news)
- vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news)

Those library versions address the following upstream CVEs:

- libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity)
- libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.


### Mitigation

Upgrade to Nokogiri `>= 1.13.2`.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs.


### Impact

#### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)

- CVSS3 score: 8.8 (High)
- Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.


#### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)

- As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
- Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
- Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false.

An analysis of these parse options:

- While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
- `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately.

Installed Version: "1.10.4", Update to Version: "1.13.2" for fix this issue.
PrimaryURL: https://github.com/advisories/GHSA-fq42-c5rg-92c2.
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2019-16770
Details: In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.
Installed Version: "3.12.1", Update to Version: "4.3.1, 3.12.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-16770.
Cwe Links: (https://cwe.mitre.org/data/definitions/770.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2020-11076
Details: In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
Installed Version: "3.12.1", Update to Version: "4.3.4, 3.12.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-11076.
Cwe Links: (https://cwe.mitre.org/data/definitions/444.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2021-29509
Details: Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in `puma` 4.3.8 and 5.3.1. Setting `queue_requests false` also fixes the issue. This is not advised when using `puma` without a reverse proxy, such as `nginx` or `apache`, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.
Installed Version: "3.12.1", Update to Version: "5.3.1, 4.3.8" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-29509.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2022-23634
Details: Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.
Installed Version: "3.12.1", Update to Version: "4.3.11, 5.6.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2022-23634.
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack v2.0.7
RuleID: CVE-2020-8161
Details: A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
Installed Version: "2.0.7", Update to Version: "2.1.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8161.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack v2.0.7
RuleID: CVE-2020-8184
Details: A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
Installed Version: "2.0.7", Update to Version: "2.2.3, 2.1.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8184.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1

==================================================================================

Language: Generic
Severity: HIGH
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: websocket-extensions v0.1.4
RuleID: CVE-2020-7663
Details: websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.
Installed Version: "0.1.4", Update to Version: "0.1.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-7663.
Type: Vulnerability
ReferenceHash: 47e415538f20916e6f837cc9331218e7727fe99455ed2e14027c60c3f423f53d

==================================================================================

Language: C#
Severity: HIGH
Line: 14
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="MetadataExtractor" Version="2.1.0"/>
RuleID: 265fd2c3
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-cwqq-w8c3-r2jw).
Type: Vulnerability
ReferenceHash: 73ec9c0ab49b97e2826f27723af405141709136f2b01fcc7f0360b1953beac90

==================================================================================

Language: C#
Severity: HIGH
Line: 10
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="Microsoft.ChakraCore" Version="1.11.13"/>
RuleID: f682a3ca
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-2wwc-w2gw-4329).
Type: Vulnerability
ReferenceHash: 3ab5c8776343017a2cf51dbc5b7de1593067fa76eacaba5ae2c80e3f43fab0fe

==================================================================================

Language: C#
Severity: HIGH
Line: 13
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="Sustainsys.Saml2" Version="2.0.0"/>
RuleID: 2daf8e46
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-g6j2-ch25-5mmv).
Type: Vulnerability
ReferenceHash: fd4e9f10f1e3cdf6328a454acb24b29b08c6fbe41a272c7dc390997e751106d4

==================================================================================

Language: C#
Severity: HIGH
Line: 29
Column: 32
SecurityTool: SecurityCodeScan
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: var hashProvider = new SHA1CryptoServiceProvider();
RuleID: SCS0006
Details: Weak hashing function.
SHA1 is no longer considered as a strong hashing algorithm. For more information, check the following url (https://security-code-scan.github.io/#SCS0006).
Type: Vulnerability
ReferenceHash: e1fe563580d3be95c12ea42ae9ff9f16aad2fa3e2f0863bf3010935e2ecbb8f9

==================================================================================

Language: Nginx
Severity: MEDIUM
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/nginx/example1/server.nginx
Code: 
RuleID: HS-NGINX-1
Details: Improper Restriction of Rendered UI Layers or Frames
Your Nginx file must include the X-Frame-Options header. A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to. For more information checkout the CWE-1021 (https://cwe.mitre.org/data/definitions/1021.html) advisory.
Type: Vulnerability
ReferenceHash: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79

==================================================================================

Language: Nginx
Severity: MEDIUM
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/nginx/example1/server.nginx
Code: 
RuleID: HS-NGINX-2
Details: Missing X-Content-Type-Options header
Setting this header will prevent the browser from interpreting files as a different MIME type to what is specified in the Content-Type HTTP header (e.g. treating text/plain as text/css). For more information checkout https://owasp.org/www-project-secure-headers/#x-content-type-options
Type: Vulnerability
ReferenceHash: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79

==================================================================================

Language: Nginx
Severity: MEDIUM
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/nginx/example1/server.nginx
Code: 
RuleID: HS-NGINX-3
Details: Missing Content-Security-Policy header
A Content Security Policy (also named CSP) requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browsers render pages (e.g., inline JavaScript is disabled by default and must be explicitly allowed in the policy). CSP prevents a wide range of attacks, including cross-site scripting and other cross-site injections. For more information checkout https://owasp.org/www-project-secure-headers/#content-security-policy
Type: Vulnerability
ReferenceHash: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79

==================================================================================

Language: Nginx
Severity: MEDIUM
Line: 0
Column: 0
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/nginx/example1/server.nginx
Code: 
RuleID: HS-NGINX-4
Details: Exposure of Sensitive Information
Your Nginx file must include 'server_tokens off;' configuration. There are many different kinds of mistakes that introduce information exposures. The severities of the error can range widely, depending on the context in which the product operates, the type of sensitive information that is revealed, and the benefits it may provide to an attacker. For more information checkout the CWE-200 (https://cwe.mitre.org/data/definitions/200.html) advisory.
Type: Vulnerability
ReferenceHash: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79

==================================================================================

Language: Swift
Severity: MEDIUM
Line: 39
Column: 16
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/swift/example1/example/example/Source/Container/HTMLViewController.swift
Code: webView.loadHTMLString(content, baseURL: baseURL)
RuleID: HS-SWIFT-14
Details: Javascript injection
User input not sanitized in "loadHTMLString" can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.
Type: Vulnerability
ReferenceHash: 3b0ea775914d2baa3aa5fca87f4918c4c906bbcde69130a31063bfc5f466bd78

==================================================================================

Language: Swift
Severity: MEDIUM
Line: 23
Column: 16
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/swift/example1/example/example/Source/Exercises/Injection-Flaws/XSS/CrossSiteScriptingExerciseVC.swift
Code: webview.loadHTMLString(webText, baseURL: nil)
RuleID: HS-SWIFT-14
Details: Javascript injection
User input not sanitized in "loadHTMLString" can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.
Type: Vulnerability
ReferenceHash: 954d0c45cb5013621a9dab2d752bd894eda9a71f670e3d558ab34cd6c44f3393

==================================================================================

Language: Swift
Severity: MEDIUM
Line: 67
Column: 16
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/swift/example1/example/example/Source/Container/HintVC.swift
Code: webView.loadHTMLString(htmlText, baseURL: baseURL)
RuleID: HS-SWIFT-14
Details: Javascript injection
User input not sanitized in "loadHTMLString" can result in an injection of JavaScript in the context of your application, allowing access to private data. For more information checkout the CWE-95 (https://cwe.mitre.org/data/definitions/95.html) advisory.
Type: Vulnerability
ReferenceHash: dd399a7669ec649005ff78f1e6da4edfebfe53d645ccffe024f767d512a70e3f

==================================================================================

Language: Swift
Severity: MEDIUM
Line: 65
Column: 22
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/swift/example1/example/example/Source/Container/HintVC.swift
Code: let webView = UIWebView()
RuleID: HS-SWIFT-20
Details: WebView Safari
It is recommended to use WKWebView instead of SFSafariViewController or UIWebView to prevent navigating to arbitrary URLs.
Type: Vulnerability
ReferenceHash: 42179e371e056bd82b218b36d343225628a1fa95996184418298dc5bd97d2b0a

==================================================================================

Language: Dart
Severity: MEDIUM
Line: 30
Column: 15
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/dart/example1/lib/utils/cripto_util.dart
Code: var digest = md5.convert(bytes);
RuleID: HS-DART-9
Details: Weak hashing function md5 or sha1
MD5 or SHA1 have known collision weaknesses and are no longer considered strong hashing algorithms. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.
Type: Vulnerability
ReferenceHash: 04486976600a208186b3ab735cf898a9d3215aeed4bb3540cd27eaa239278dcb

==================================================================================

Language: Dart
Severity: MEDIUM
Line: 21
Column: 15
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/dart/example1/lib/utils/cripto_util.dart
Code: var digest = sha1.convert(bytes);
RuleID: HS-DART-9
Details: Weak hashing function md5 or sha1
MD5 or SHA1 have known collision weaknesses and are no longer considered strong hashing algorithms. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.
Type: Vulnerability
ReferenceHash: 8b8fcce4f23c0e13ec2a28e084b1888f7422347d279ccebd32faa2816a027b7e

==================================================================================

Language: C#
Severity: MEDIUM
Line: 51
Column: 25
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: var cookie = new CookieOptions();
RuleID: HS-CSHARP-17
Details: Insecure Http Cookie Transport
Cookies containing authentication tokens, session tokens, and other state management credentials must be protected in transit across a network. Set the cookie options’ Secure property to true to prevent the browser from transmitting cookies over HTTP. For more information checkout the CWE-614 (https://cwe.mitre.org/data/definitions/614.html) advisory.
Type: Vulnerability
ReferenceHash: f7781f261231e78fa69e48b003daf6872421a9739db598226c4f13f4daf2a127

==================================================================================

Language: C#
Severity: MEDIUM
Line: 29
Column: 31
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: var hashProvider = new SHA1CryptoServiceProvider();
RuleID: HS-CSHARP-57
Details: Weak hashing function md5 or sha1
MD5 or SHA1 have known collision weaknesses and are no longer considered strong hashing algorithms. For more information checkout the CWE-326 (https://cwe.mitre.org/data/definitions/326.html) advisory.
Type: Vulnerability
ReferenceHash: e1fe563580d3be95c12ea42ae9ff9f16aad2fa3e2f0863bf3010935e2ecbb8f9

==================================================================================

Language: C
Severity: MEDIUM
Line: 40
Column: 5
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     char BOM[4] = {(char)0xEF, (char)0xBB, (char)0xBF, '\0'}; /*BOM String*/
RuleID: c0a4875b
Details: Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120). Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length. 
Type: Vulnerability
ReferenceHash: 55dd715ddd59050f5a6b1865ee0f069901e53f2c35665397a5c3496a3a68a063

==================================================================================

Language: C
Severity: MEDIUM
Line: 43
Column: 9
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     inf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: 93e387e71708e0dd9080f6ac61321589341417bf4e9413a6ce5761b1916323fc

==================================================================================

Language: C
Severity: MEDIUM
Line: 44
Column: 10
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     outf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: b6f0abfb60853d4a4df6eda30fee9da248c9ae05740775b8df634dd56d47f359

==================================================================================

Language: C
Severity: MEDIUM
Line: 56
Column: 9
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     inf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: daed37b3882e463c24bd0aaf03093f45c6cbbe3c25eb90b825f7f1f503288f1d

==================================================================================

Language: C
Severity: MEDIUM
Line: 57
Column: 10
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     outf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: 50b2d211d0d7e296b469cabe6a7acf73232211dd6a335192c86081f0e98d80d0

==================================================================================

Language: C
Severity: MEDIUM
Line: 69
Column: 9
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     inf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: aaa86ebbced62e4c97a8e28245c8a97e0f57f7f72b698584ebc4ddd43abc9493

==================================================================================

Language: C
Severity: MEDIUM
Line: 70
Column: 10
SecurityTool: Flawfinder
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/c/example1/test.cpp
Code:     outf.open("test.xml");
RuleID: 49169217
Details: Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362).  
Type: Vulnerability
ReferenceHash: ad6d3290b8b492e1814b969b1d84403d34f00e6b93cd2cac48d6511e320c7d5d

==================================================================================

Language: Python
Severity: MEDIUM
Line: 21
Column: 0
SecurityTool: Bandit
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/main.py
Code: 20 
21 exec(command)
22 

RuleID: B102
Details: Use of exec detected.
Type: Vulnerability
ReferenceHash: 8915bca8be9ef8e97d569a4623b885b10c70d655045849933f21d803642b84ff

==================================================================================

Language: Python
Severity: MEDIUM
Line: 21
Column: 0
SecurityTool: Bandit
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/main.py
Code: 20 
21 exec(command)
22 

RuleID: B102
Details: Use of exec detected.
Type: Vulnerability
ReferenceHash: fd451905fa5c85b03b0a7a3e09b08d066537d07fba88968c7c5ff93d34ec5b04

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 41
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: express
RuleID: 1067058
Details: Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.


## Recommendation

For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later. 
Type: Vulnerability
ReferenceHash: c6027c82eb5ddfd5af5a6b5232e45854ded5700cd624ca5e3826f47a9f58c8ce

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 26
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: cookie-signature
RuleID: 1066693
Details: Affected versions of `cookie-signature` are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison. 

Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on the correctness of a guess via miniscule timing differences.

Under favorable network conditions, an attacker can exploit this to guess the secret in no more than `charset*length` guesses, instead of `charset^length` guesses required were the timing attack not present. 



## Recommendation

Update to 1.0.6 or later.
Type: Vulnerability
ReferenceHash: c140f13335020e5725141fb22cb6752d55bae5012aef87c66ddee6e399286175

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 80
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: mime
RuleID: 1067128
Details: Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.


## Recommendation

Update to version 2.0.3 or later.
Type: Vulnerability
ReferenceHash: c91e48e950d33d489d0c22d42991c68a50f972d73a105a8b323c94060eb76791

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 110
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send
RuleID: 1067188
Details: Versions of `send` prior to 0.11.2 are affected by an information leakage vulnerability which may allow an attacker to enumerate paths on the server filesystem.



## Recommendation

Update to version 0.11.1 or later.
Type: Vulnerability
ReferenceHash: 655cc2aff344c9c8a0a921c2ebaf83dfaba162337b52b0a058062274aae1adab

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 17
Column: 
SecurityTool: Brakeman
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/app/controllers/application_controller.rb
Code: system("ls #{options}")
RuleID: 14
Details: https://brakemanscanner.org/docs/warning_types/command_injection/ Possible command injection
Type: Vulnerability
ReferenceHash: 9aff887b9aea458ef259153f5a7d9ddc53aa8efe39d5681f201ecc777a1c7aba

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 113
Column: 
SecurityTool: Brakeman
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: 
RuleID: 116
Details: https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw Rails 6.0.0 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 6.0.3.1 or patch
Type: Vulnerability
ReferenceHash: 39564392781dfbe0002af2bf271cc97059e16789a6fdbb117a376778a576a0a0

==================================================================================

Language: Go
Severity: MEDIUM
Line: 38
Column: 7
SecurityTool: GoSec
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/api/util/util.go
Code: 37: func GetMD5(s string) string {
38: 	h := md5.New()
39: 	io.WriteString(h, s) // #nohorus

RuleID: G401
Details: Use of weak cryptographic primitive
Type: Vulnerability
ReferenceHash: 036f51227fbfd6e19357c43830c5c4c9f41459ce3898ade62071c50a6d1628b5

==================================================================================

Language: Go
Severity: MEDIUM
Line: 19
Column: 2
SecurityTool: GoSec
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/api/util/util.go
Code: 18: import (
19: 	"crypto/md5"
20: 	"fmt"

RuleID: G501
Details: Blocklisted import crypto/md5: weak cryptographic primitive
Type: Vulnerability
ReferenceHash: 24008caf996cda1599bd03db2470ab55201bf310b9d86623173bd46ad8ea3030

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 18
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: cookie-signature
RuleID: 1066693
Details: Affected versions of `cookie-signature` are vulnerable to timing attacks as a result of using a fail-early comparison instead of a constant-time comparison. 

Timing attacks remove the exponential increase in entropy gained from increased secret length, by providing per-character feedback on the correctness of a guess via miniscule timing differences.

Under favorable network conditions, an attacker can exploit this to guess the secret in no more than `charset*length` guesses, instead of `charset^length` guesses required were the timing attack not present. 



## Recommendation

Update to 1.0.6 or later.
Type: Vulnerability
ReferenceHash: 3209f84f48fc6daab1dd16f050c29d7b2e84b99271495052315af215e099625c

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 45
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: express
RuleID: 1067058
Details: Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7.


## Recommendation

For express 3.x, update express to version 3.11 or later.
For express 4.x, update express to version 4.5 or later. 
Type: Vulnerability
ReferenceHash: 71923eafeb49e78c66ee070206aafcf27b31457e465eb5baf90d53640428042c

==================================================================================

Language: JavaScript
Severity: MEDIUM
Line: 93
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: mime
RuleID: 1067128
Details: Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.


## Recommendation

Update to version 2.0.3 or later.
Type: Vulnerability
ReferenceHash: b4e8255a57c2329f7aa71f070afb6da30890815945c1ac5f80d7a7b8b89bf53c

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Ability to forge per-form CSRF tokens given a global CSRF token (actionpack - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Open Redirect in Host Authorization Middleware (actionpack - 6.0.0) upgrade to ~> 6.0.4, >= 6.0.4.2, ~> 6.1.4, >= 6.1.4.2, >= 7.0.0.rc2 ( - https://groups.google.com/g/ruby-security-ann/c/vG9gz3nk1pM/m/7-NU4MNrDAAJ)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Open Redirect in Host Authorization Middleware (actionpack - 6.0.0) upgrade to ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 ( - https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible XSS Vulnerability in Action Pack in Development Mode (actionpack - 6.0.0) upgrade to >= 6.0.3.4 ( - https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Untrusted users able to run pending migrations in production (actionpack - 6.0.0) upgrade to >= 6.0.3.2 ( - https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 17
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview
Details: Potential XSS vulnerability in Action View (actionview - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 ( - https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc)
Type: Vulnerability
ReferenceHash: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 17
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview
Details: Possible XSS vulnerability in ActionView (actionview - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8)
Type: Vulnerability
ReferenceHash: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 17
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview
Details: CSRF Vulnerability in rails-ujs (actionview - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0)
Type: Vulnerability
ReferenceHash: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 11
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activerecord
Details: Possible DoS Vulnerability in Active Record PostgreSQL adapter (activerecord - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 ( - https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI)
Type: Vulnerability
ReferenceHash: 18172b17482ed32d3d5e55cc2604e8b9328ab490c957b03a785620a68a909fa0

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 90
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: loofah
Details: Loofah XSS Vulnerability (loofah - 2.2.3) upgrade to >= 2.3.1 ( - https://github.com/flavorjones/loofah/issues/171)
Type: Vulnerability
ReferenceHash: 2be84db82960ad84bf3458c762f4df9c398773ac75d9ecbd1dffae26898bf797

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: HTTP Response Splitting vulnerability in puma (puma - 3.12.1) upgrade to ~> 3.12.4, >= 4.3.3 ( - https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: HTTP Response Splitting (Early Hints) in Puma (puma - 3.12.1) upgrade to ~> 3.12.4, >= 4.3.3 ( - https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: HTTP Smuggling via Transfer-Encoding Header in Puma (puma - 3.12.1) upgrade to ~> 3.12.6, >= 4.3.5 ( - https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 24
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack
Details: Possible information leak / session hijack vulnerability (rack - 2.0.7) upgrade to ~> 1.6.12, >= 2.0.8 ( - https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3)
Type: Vulnerability
ReferenceHash: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946

==================================================================================

Language: Ruby
Severity: MEDIUM
Line: 145
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rubyzip
Details: Denial of Service in rubyzip ("zip bombs") (rubyzip - 1.2.3) upgrade to >= 1.3.0 ( - https://github.com/rubyzip/rubyzip/pull/403)
Type: Vulnerability
ReferenceHash: 621c2a588a62ca150706cfdb28ac78a3ff72d3621254f561b73936f713830100

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 134
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/containerd/containerd v1.4.1
RuleID: CVE-2020-15257
Details: containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
Installed Version: "1.4.1", Update to Version: "1.2.0, 1.3.9, 1.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-15257.
Cwe Links: (https://cwe.mitre.org/data/definitions/669.html)
Type: Vulnerability
ReferenceHash: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 134
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/containerd/containerd v1.4.1
RuleID: CVE-2021-21334
Details: In containerd (an industry-standard container runtime) before versions 1.3.10 and 1.4.4, containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared. If you are not using containerd's CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue. If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions.
Installed Version: "1.4.1", Update to Version: "v1.3.10, v1.4.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-21334.
Cwe Links: (https://cwe.mitre.org/data/definitions/668.html)
Type: Vulnerability
ReferenceHash: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 134
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/containerd/containerd v1.4.1
RuleID: CVE-2021-32760
Details: containerd is a container runtime. A bug was found in containerd versions prior to 1.4.8 and 1.5.4 where pulling and extracting a specially-crafted container image can result in Unix file permission changes for existing files in the host’s filesystem. Changes to file permissions can deny access to the expected owner of the file, widen access to others, or set extended bits like setuid, setgid, and sticky. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. This bug has been fixed in containerd 1.5.4 and 1.4.8. As a workaround, ensure that users only pull images from trusted sources. Linux security modules (LSMs) like SELinux and AppArmor can limit the files potentially affected by this bug through policies and profiles that prevent containerd from interacting with specific files.
Installed Version: "1.4.1", Update to Version: "v1.4.8, v1.5.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-32760.
Cwe Links: (https://cwe.mitre.org/data/definitions/668.html)
Type: Vulnerability
ReferenceHash: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 525
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/miekg/dns v1.0.14
RuleID: CVE-2019-19794
Details: The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
Installed Version: "1.0.14", Update to Version: "1.1.25-0.20191211073109-8ebf2e419df7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-19794.
Cwe Links: (https://cwe.mitre.org/data/definitions/338.html)
Type: Vulnerability
ReferenceHash: 2840a2c4e1d08fd67e39c2cb5296d08934b587cd0592a3b3452d45b4e10c0e14

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 751
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: go.mongodb.org/mongo-driver v1.1.0
RuleID: CVE-2021-20329
Details: Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0.
Installed Version: "1.1.0", Update to Version: "1.5.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-20329.
Cwe Links: (https://cwe.mitre.org/data/definitions/20.html)
Type: Vulnerability
ReferenceHash: 0e66bb9ed8d5ade659d57bcd6616dec91c6f0821543d22bc13c2f9dced2984cf

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: cookie-signature v1.0.3
RuleID: CVE-2016-1000236
Details: Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.
Installed Version: "1.0.3", Update to Version: "1.0.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2016-1000236.
Cwe Links: (https://cwe.mitre.org/data/definitions/362.html)
Type: Vulnerability
ReferenceHash: 6392bdb4fe820b40c9c8b8001ba8036b05ec5182f01a371deb7450d4499aef2a

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: debug v0.8.1
RuleID: CVE-2017-16137
Details: The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Installed Version: "0.8.1", Update to Version: "3.1.0, 2.6.9" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16137.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: f11049286c520f7819394820053176e4012ae5f5a4011c43849f9b95e65b8e18

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: express v4.0.0
RuleID: CVE-2014-6393
Details: The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Installed Version: "4.0.0", Update to Version: "4.5.0, 3.11.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6393.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html)
Type: Vulnerability
ReferenceHash: ddf7deecdc67c357d73a86445d14f238eeb93a30a449a01ff19e62ab068f8202

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: qs v0.6.6
RuleID: NSWG-ECO-28
Details: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Installed Version: "0.6.6", Update to Version: ">= 1.x" for fix this issue.
Type: Vulnerability
ReferenceHash: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send v0.1.4
RuleID: CVE-2014-6394
Details: visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Installed Version: "0.1.4", Update to Version: "0.8.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6394.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: d0391c757c65f65fbf275f5327e766ced941041f92c2e16a82f24d884160cdaf

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send v0.1.4
RuleID: CVE-2015-8859
Details: The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Installed Version: "0.1.4", Update to Version: "0.11.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-8859.
Cwe Links: (https://cwe.mitre.org/data/definitions/200.html)
Type: Vulnerability
ReferenceHash: d0391c757c65f65fbf275f5327e766ced941041f92c2e16a82f24d884160cdaf

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send v0.2.0
RuleID: CVE-2014-6394
Details: visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Installed Version: "0.2.0", Update to Version: "0.8.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6394.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: 361183030980864c9f4abcafd9ea14f338f810da5f520b9884ccc1f6319dd76a

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send v0.2.0
RuleID: CVE-2015-8859
Details: The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Installed Version: "0.2.0", Update to Version: "0.11.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-8859.
Cwe Links: (https://cwe.mitre.org/data/definitions/200.html)
Type: Vulnerability
ReferenceHash: 361183030980864c9f4abcafd9ea14f338f810da5f520b9884ccc1f6319dd76a

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: serve-static v1.0.1
RuleID: CVE-2015-1164
Details: Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.
Installed Version: "1.0.1", Update to Version: "1.7.2, 1.7.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-1164.
Type: Vulnerability
ReferenceHash: f08c63fa1ab0094020d2ba3d246a54797e90719e1190b2f5885093281af13f7e

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: cookie-signature v1.0.3
RuleID: CVE-2016-1000236
Details: Node-cookie-signature before 1.0.6 is affected by a timing attack due to the type of comparison used.
Installed Version: "1.0.3", Update to Version: "1.0.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2016-1000236.
Cwe Links: (https://cwe.mitre.org/data/definitions/362.html)
Type: Vulnerability
ReferenceHash: 55fc49e2e492e7196b38970126bedec23a74f6ae4ba8899a5022a3c4efd50f37

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: debug v0.8.1
RuleID: CVE-2017-16137
Details: The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Installed Version: "0.8.1", Update to Version: "3.1.0, 2.6.9" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2017-16137.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 2e42f1620b60bb91425f84bd5b44431a72c3d00033996a505f0f672fd4a301ce

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: express v4.0.0
RuleID: CVE-2014-6393
Details: The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding.
Installed Version: "4.0.0", Update to Version: "4.5.0, 3.11.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6393.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html)
Type: Vulnerability
ReferenceHash: 65493036e8de3c70783fd9003ca8f0102cf36e8eda2cd882e283e22cb246b77f

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: qs v0.6.6
RuleID: NSWG-ECO-28
Details: The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Installed Version: "0.6.6", Update to Version: ">= 1.x" for fix this issue.
Type: Vulnerability
ReferenceHash: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: send v0.1.4
RuleID: CVE-2014-6394
Details: visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Installed Version: "0.1.4", Update to Version: "0.8.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6394.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: 28ee86f096f0f1bba2ae277b530e3989d3a738c6aee94880a4fd5ccf09849b56

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: send v0.1.4
RuleID: CVE-2015-8859
Details: The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Installed Version: "0.1.4", Update to Version: "0.11.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-8859.
Cwe Links: (https://cwe.mitre.org/data/definitions/200.html)
Type: Vulnerability
ReferenceHash: 28ee86f096f0f1bba2ae277b530e3989d3a738c6aee94880a4fd5ccf09849b56

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: send v0.2.0
RuleID: CVE-2014-6394
Details: visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
Installed Version: "0.2.0", Update to Version: "0.8.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2014-6394.
Cwe Links: (https://cwe.mitre.org/data/definitions/22.html)
Type: Vulnerability
ReferenceHash: 969fa3d2e2a9dd6bfe792fd76bff1684979c3ac8c6512e6c7416e0effacd97af

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: send v0.2.0
RuleID: CVE-2015-8859
Details: The send package before 0.11.1 for Node.js allows attackers to obtain the root path via unspecified vectors.
Installed Version: "0.2.0", Update to Version: "0.11.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-8859.
Cwe Links: (https://cwe.mitre.org/data/definitions/200.html)
Type: Vulnerability
ReferenceHash: 969fa3d2e2a9dd6bfe792fd76bff1684979c3ac8c6512e6c7416e0effacd97af

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: serve-static v1.0.1
RuleID: CVE-2015-1164
Details: Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.
Installed Version: "1.0.1", Update to Version: "1.7.2, 1.7.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2015-1164.
Type: Vulnerability
ReferenceHash: dc81548d401adba2056ebe2b0079a050e852c7df44c62686987a4ab6ff6c9d26

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2020-8166
Details: A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.
Installed Version: "6.0.0", Update to Version: "6.0.3.1, 5.2.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8166.
Cwe Links: (https://cwe.mitre.org/data/definitions/352.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2020-8185
Details: A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.
Installed Version: "6.0.0", Update to Version: "6.0.3.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8185.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2020-8264
Details: In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.
Installed Version: "6.0.0", Update to Version: "6.0.3.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8264.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-22881
Details: The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website.
Installed Version: "6.0.0", Update to Version: "6.1.2.1, 6.0.3.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22881.
Cwe Links: (https://cwe.mitre.org/data/definitions/601.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack v6.0.0
RuleID: CVE-2021-44528
Details: A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.
Installed Version: "6.0.0", Update to Version: "6.1.4.2, 6.0.4.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-44528.
Cwe Links: (https://cwe.mitre.org/data/definitions/601.html)
Type: Vulnerability
ReferenceHash: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview v6.0.0
RuleID: CVE-2020-15169
Details: In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.
Installed Version: "6.0.0", Update to Version: "5.2.4.4, 6.0.3.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-15169.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html)
Type: Vulnerability
ReferenceHash: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview v6.0.0
RuleID: CVE-2020-5267
Details: In ActionView before versions 6.0.2.2 and 5.2.4.2, there is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks. The issue is fixed in versions 6.0.2.2 and 5.2.4.2.
Installed Version: "6.0.0", Update to Version: "5.2.4.2, 6.0.2.2" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-5267.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html),(https://cwe.mitre.org/data/definitions/80.html)
Type: Vulnerability
ReferenceHash: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionview v6.0.0
RuleID: CVE-2020-8167
Details: A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
Installed Version: "6.0.0", Update to Version: "6.0.3.1, 5.2.4.3" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-8167.
Cwe Links: (https://cwe.mitre.org/data/definitions/352.html)
Type: Vulnerability
ReferenceHash: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activerecord v6.0.0
RuleID: CVE-2021-22880
Details: The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.
Installed Version: "6.0.0", Update to Version: "6.1.2.1, 6.0.3.5, 5.2.4.5" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-22880.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: a0fa9ca08cb2fa4b452376c2bd9af8a8d7f251a1dd77cabdf1048441baad4a01

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: loofah v2.2.3
RuleID: CVE-2019-15587
Details: In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Installed Version: "2.2.3", Update to Version: "2.3.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-15587.
Cwe Links: (https://cwe.mitre.org/data/definitions/79.html)
Type: Vulnerability
ReferenceHash: cc75018273ff2a7643f53cc9fa9de03beba74ff2189113aea04ad6ca5b50eb95

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2020-11077
Details: In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
Installed Version: "3.12.1", Update to Version: "4.3.5, 3.12.6" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-11077.
Cwe Links: (https://cwe.mitre.org/data/definitions/444.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2020-5247
Details: In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Installed Version: "3.12.1", Update to Version: "4.3.3, 3.12.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-5247.
Cwe Links: (https://cwe.mitre.org/data/definitions/74.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2020-5249
Details: In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.
Installed Version: "3.12.1", Update to Version: "4.3.3, 3.12.4" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-5249.
Cwe Links: (https://cwe.mitre.org/data/definitions/74.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack v2.0.7
RuleID: CVE-2019-16782
Details: There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
Installed Version: "2.0.7", Update to Version: "2.0.8, 1.6.12" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-16782.
Cwe Links: (https://cwe.mitre.org/data/definitions/203.html)
Type: Vulnerability
ReferenceHash: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1

==================================================================================

Language: Generic
Severity: MEDIUM
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rubyzip v1.2.3
RuleID: CVE-2019-16892
Details: In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).
Installed Version: "1.2.3", Update to Version: "1.3.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2019-16892.
Cwe Links: (https://cwe.mitre.org/data/definitions/400.html)
Type: Vulnerability
ReferenceHash: 832ee07331c35d9e6f1c9c8a08c685581373cfff00b4137d134614f82e3a2832

==================================================================================

Language: C#
Severity: MEDIUM
Line: 45
Column: 13
SecurityTool: SecurityCodeScan
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: rnd.NextBytes(buffer);
RuleID: SCS0005
Details: Weak random number generator.
It is possible to predict the next numbers of a pseudo random generator. Use a cryptographically strong generator for security sensitive purposes. For more information, check the following url (https://security-code-scan.github.io/#SCS0005).
Type: Vulnerability
ReferenceHash: 33e383594fb31d90b0b4e47576b9c0dfd67a82c94161b48ada17b05c261934cd

==================================================================================

Language: C#
Severity: LOW
Line: 24
Column: 0
SecurityTool: HorusecEngine
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: public class NetCoreVulnerabilities : ControllerBase
RuleID: HS-CSHARP-55
Details: No return string concat in controller
A potential Cross-Site Scripting (XSS) was found. The endpoint returns a variable from the client entry that has not been coded. Always encode untrusted input before output, regardless of validation or cleaning performed. https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-3.1. For more information checkout the CWE-79 (https://cwe.mitre.org/data/definitions/79.html) advisory.
Type: Vulnerability
ReferenceHash: eac0694e83450b345c7d9ed096b57de72b8afe6b3bdb5b688a201f6c9409f4cd

==================================================================================

Language: C#
Severity: LOW
Line: 43
Column: 22
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/Vulnerabilities.cs
Code: var rnd = new Random();
RuleID: HS-CSHARP-71
Details: Weak Random Number Generator
The use of a predictable random value can lead to vulnerabilities when used in certain security critical contexts. For more information access: (https://security-code-scan.github.io/#SCS0005) or (https://cwe.mitre.org/data/definitions/338.html).
Type: Vulnerability
ReferenceHash: be5bad0e338b8b8ec0d9f76645bc6504d5e0da81bcfc887a2e7f55201d8e2293

==================================================================================

Language: JavaScript
Severity: LOW
Line: 62
Column: 4
SecurityTool: HorusecEngine
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example3/app.js
Code: secure: false,
RuleID: HS-JAVASCRIPT-47
Details: Creating cookies without the "secure" flag
When a cookie is protected with the secure attribute set to true it will not be send by the browser over an unencrypted HTTP request and thus cannot be observed by an unauthorized person during a man-in-the-middle attack. It is recommended to use HTTPs everywhere so setting the secure flag to true should be the default behaviour when creating cookies. For more information checkout the OWASP A3:2017 (https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure.html) advisory.
Type: Vulnerability
ReferenceHash: bae888c60f374723d8541f0ea3705880690e6d756ee413012bf06cf58956026c

==================================================================================

Language: HCL
Severity: LOW
Line: 18
Column: 
SecurityTool: TfSec
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 18 and 21.
RuleID: aws-vpc-add-decription-to-security-group
Details: aws-vpc-add-decription-to-security-group -> [Resource 'aws_security_group_rule.my-rule' should include a description for auditing purposes.]
Type: Vulnerability
ReferenceHash: be5aa50bbd4ece4fa8f8299350d9016650f8dabf8eb20956102d5ce3789b3e15

==================================================================================

Language: Python
Severity: LOW
Line: 15
Column: 0
SecurityTool: Bandit
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/main.py
Code: 14 
15 secret = 'password123!'
16 
17 password = 'thisisnotapassword' #nohorus

RuleID: B105
Details: Possible hardcoded password: 'password123!'
Type: Vulnerability
ReferenceHash: a70263373359512e06dfc63320507c5c9ce3fd55cfaffb7358c240272c5ea2f5

==================================================================================

Language: Python
Severity: LOW
Line: 17
Column: 0
SecurityTool: Bandit
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/main.py
Code: 16 
17 password = 'thisisnotapassword' #nohorus
18 
19 command = 'print "this command is not secure!
RuleID: B105
Details: Possible hardcoded password: 'thisisnotapassword'
Type: Vulnerability
ReferenceHash: bdada2d0c7e6443c0b9e36a9e1a3e9cc2c56d40d0641bddbc1dff5891b10f2a1

==================================================================================

Language: Python
Severity: LOW
Line: 25
Column: 0
SecurityTool: Bandit
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/main.py
Code: 24 
25 assert 2 + 2 == 5, "Wrong!"

RuleID: B101
Details: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Type: Vulnerability
ReferenceHash: 9a843b00df88c3cb0888457259a6945eca06b0f377baa40219c9de05a8a609fa

==================================================================================

Language: Python
Severity: LOW
Line: 15
Column: 0
SecurityTool: Bandit
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example1/tests/test.py
Code: 14 
15 assert 2 + 3 == 6, "Wrong!"

RuleID: B101
Details: Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
Type: Vulnerability
ReferenceHash: 222fbc9efb45aca5aa9b1c33528863e3f911121cbc3feae5ea3bcef48b7640fe

==================================================================================

Language: Python
Severity: LOW
Line: 15
Column: 0
SecurityTool: Bandit
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/main.py
Code: 14 
15 secret = 'password123!'
16 
17 password = 'thisisnotapassword' #nohusky

RuleID: B105
Details: Possible hardcoded password: 'password123!'
Type: Vulnerability
ReferenceHash: 7bbcae6ef436674d0e80a681260cce3471dc7ec4111ae64fe53c6fb27dd1eeb3

==================================================================================

Language: Python
Severity: LOW
Line: 17
Column: 0
SecurityTool: Bandit
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/python/example2/main.py
Code: 16 
17 password = 'thisisnotapassword' #nohusky
18 
19 command = 'print "this command is not secure!
RuleID: B105
Details: Possible hardcoded password: 'thisisnotapassword'
Type: Vulnerability
ReferenceHash: 56d61c3b6102d9b8647327423a3bec3f3cd7ac0dfc0bec4c0b570cb7a7df3874

==================================================================================

Language: JavaScript
Severity: LOW
Line: 121
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: serve-static
RuleID: 1066503
Details: Versions of `serve-static` prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.


## Proof of Concept

A link to `http://example.com//www.google.com/%2e%2e` will redirect to `//www.google.com/%2e%2e`

Some browsers will interpret this as `http://www.google.com/%2e%2e`, resulting in an external redirect.


## Recommendation

Version 1.7.x: Update to version 1.7.2 or later.
Version 1.6.x: Update to version 1.6.5 or later.
Type: Vulnerability
ReferenceHash: 3447fc4894516c7e111bb3e41c54625cdec645d42626e90833e51da8ceb79765

==================================================================================

Language: JavaScript
Severity: LOW
Line: 110
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: send
RuleID: 1067174
Details: Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. 

For example, `static(_dirname + '/public')` would allow access to `_dirname + '/public-restricted'`.


## Recommendation

Update to version 0.8.4 or later.
Type: Vulnerability
ReferenceHash: 655cc2aff344c9c8a0a921c2ebaf83dfaba162337b52b0a058062274aae1adab

==================================================================================

Language: JavaScript
Severity: LOW
Line: 31
Column: 
SecurityTool: NpmAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example1/package-lock.json
Code: debug
RuleID: 1067094
Details: Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.


## Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.x.x: Update to version 3.1.0 or later.
Type: Vulnerability
ReferenceHash: 0df78105e45adadd0a584b2fc0ff01ce11771e7d5448d041103014c76713c3ed

==================================================================================

Language: Go
Severity: LOW
Line: 39
Column: 2
SecurityTool: GoSec
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/api/util/util.go
Code: : 	h := md5.New()
39: 	io.WriteString(h, s) // #nohorus
40: 	md5Result := fmt.Sprintf("%x", h.Sum(ni
RuleID: G104
Details: Errors unhandled.
Type: Vulnerability
ReferenceHash: cac9d40a197cbfad93322c7c0efdcf6560eb3f4016b21f36725f04d65a4a8961

==================================================================================

Language: JavaScript
Severity: LOW
Line: 158
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: serve-static
RuleID: 1066503
Details: Versions of `serve-static` prior to 1.6.5 ( or 1.7.x prior to 1.7.2 ) are affected by an open redirect vulnerability on some browsers when configured to mount at the root directory.


## Proof of Concept

A link to `http://example.com//www.google.com/%2e%2e` will redirect to `//www.google.com/%2e%2e`

Some browsers will interpret this as `http://www.google.com/%2e%2e`, resulting in an external redirect.


## Recommendation

Version 1.7.x: Update to version 1.7.2 or later.
Version 1.6.x: Update to version 1.6.5 or later.
Type: Vulnerability
ReferenceHash: 902da333732abb51ea6b08fb19931b517dd5079bbbe1939e9dfb73a3afc97d63

==================================================================================

Language: JavaScript
Severity: LOW
Line: 
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: debug
RuleID: 1067094
Details: Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. 

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.


## Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.x.x: Update to version 3.1.0 or later.
Type: Vulnerability
ReferenceHash: e2becee306b91f87a1de71db429f3a31e74337309324ac7c3f5e176cbe840fde

==================================================================================

Language: JavaScript
Severity: LOW
Line: 148
Column: 
SecurityTool: YarnAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/javascript/example2/yarn.lock
Code: send
RuleID: 1067174
Details: Versions 0.8.3 and earlier of `send` are affected by a directory traversal vulnerability. When relying on the root option to restrict file access it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. 

For example, `static(_dirname + '/public')` would allow access to `_dirname + '/public-restricted'`.


## Recommendation

Update to version 0.8.4 or later.
Type: Vulnerability
ReferenceHash: b84877196e940ae92e8a032eba7d82d41229c5064db784caa1d67efe111ce22c

==================================================================================

Language: Ruby
Severity: LOW
Line: 5
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: actionpack
Details: Possible Strong Parameters Bypass in ActionPack (actionpack - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY)
Type: Vulnerability
ReferenceHash: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d

==================================================================================

Language: Ruby
Severity: LOW
Line: 12
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activestorage
Details: Possible code injection vulnerability in Rails / Active Storage (activestorage - 6.0.0) upgrade to ~> 5.2.6, >= 5.2.6.3, ~> 6.0.4, >= 6.0.4.7, ~> 6.1.4, >= 6.1.4.7, >= 7.0.2.3 ( - https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI)
Type: Vulnerability
ReferenceHash: 7ecdaa455c041e7f1f6c2a5c04c273ac2a524223ff83256ea1da6664fa505544

==================================================================================

Language: Ruby
Severity: LOW
Line: 12
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activestorage
Details: Circumvention of file size limits in ActiveStorage (activestorage - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ)
Type: Vulnerability
ReferenceHash: 7ecdaa455c041e7f1f6c2a5c04c273ac2a524223ff83256ea1da6664fa505544

==================================================================================

Language: Ruby
Severity: LOW
Line: 13
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: activesupport
Details: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore (activesupport - 6.0.0) upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 ( - https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c)
Type: Vulnerability
ReferenceHash: 7b1d83e504f65340aeabb9cde2f973b1c2177031b95cd417ab1d1ec3f43214fe

==================================================================================

Language: Ruby
Severity: LOW
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability (nokogiri - 1.10.4) upgrade to >= 1.11.0.rc4 ( - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: LOW
Line: 33
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri
Details: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities (nokogiri - 1.10.4) upgrade to >= 1.10.5 ( - https://github.com/sparklemotion/nokogiri/issues/1943)
Type: Vulnerability
ReferenceHash: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501

==================================================================================

Language: Ruby
Severity: LOW
Line: 107
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma
Details: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma (puma - 3.12.1) upgrade to ~> 4.3.9, >= 5.5.1 ( - https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx)
Type: Vulnerability
ReferenceHash: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150

==================================================================================

Language: Ruby
Severity: LOW
Line: 24
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack
Details: Directory traversal in Rack::Directory app bundled with Rack (rack - 2.0.7) upgrade to ~> 2.1.3, >= 2.2.0 ( - https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA)
Type: Vulnerability
ReferenceHash: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946

==================================================================================

Language: Ruby
Severity: LOW
Line: 24
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: rack
Details: Percent-encoded cookies can be used to overwrite existing prefixed cookie names (rack - 2.0.7) upgrade to ~> 2.1.4, >= 2.2.3 ( - https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak)
Type: Vulnerability
ReferenceHash: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946

==================================================================================

Language: Generic
Severity: LOW
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: nokogiri v1.10.4
RuleID: CVE-2020-26247
Details: Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Installed Version: "1.10.4", Update to Version: "1.11.0" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2020-26247.
Cwe Links: (https://cwe.mitre.org/data/definitions/611.html)
Type: Vulnerability
ReferenceHash: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2

==================================================================================

Language: Generic
Severity: LOW
Line: 
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: puma v3.12.1
RuleID: CVE-2021-41136
Details: Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.
Installed Version: "3.12.1", Update to Version: "4.3.9, 5.5.1" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-41136.
Cwe Links: (https://cwe.mitre.org/data/definitions/444.html)
Type: Vulnerability
ReferenceHash: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04

==================================================================================

Language: C#
Severity: LOW
Line: 12
Column: 
SecurityTool: DotnetCli
Confidence: HIGH
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
Code: <PackageReference Include="HtmlSanitizer" Version="4.0.217"/>
RuleID: 21a2e5d7
Details: A possible vulnerable dependency was found, please checkout the following url for more information (https://github.com/advisories/GHSA-8j9v-h2vp-2hhv).
Type: Vulnerability
ReferenceHash: 7b37c9b05cf5da221e6493d142046fd77300c7d683f601ac51668826e5ab7494

==================================================================================

Language: HCL
Severity: UNKNOWN
Line: 32
Column: 
SecurityTool: Checkov
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 32 and 36.
RuleID: CKV_AZURE_2
Details: CKV_AZURE_2 -> [Ensure Azure managed disk has encryption enabled]
Type: Vulnerability
ReferenceHash: d7c68880c6e63e555e8ba8d6901e720be804544acd609e1ee1a99ad309dd0a01

==================================================================================

Language: HCL
Severity: UNKNOWN
Line: 32
Column: 
SecurityTool: Checkov
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/hcl/example1/main.tf
Code: code beetween line 32 and 36.
RuleID: CKV_AZURE_93
Details: CKV_AZURE_93 -> [Ensure that managed disks use a specific set of disk encryption sets for the customer-managed key encryption]
Type: Vulnerability
ReferenceHash: d7c68880c6e63e555e8ba8d6901e720be804544acd609e1ee1a99ad309dd0a01

==================================================================================

Language: Elixir
Severity: UNKNOWN
Line: 9
Column: 
SecurityTool: Sobelow
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/lib/built_with_elixir_web/router.ex
Code: 
RuleID: c4433341
Details: Missing Content-Security-Policy
Type: Vulnerability
ReferenceHash: 0f28a30847b2af8c98784ca60aa8d4af50f9dd7ad6041253972ff946ac75f418

==================================================================================

Language: Elixir
Severity: UNKNOWN
Line: 0
Column: 
SecurityTool: Sobelow
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/config/prod.exs
Code: 
RuleID: 482bec53
Details: HTTPS Not Enabled
Type: Vulnerability
ReferenceHash: 65adb449a575a82710a0603e0019190f8ab04bd6bfa7b90ffa03f5c1945bcd36

==================================================================================

Language: Elixir
Severity: UNKNOWN
Line: 17
Column: 
SecurityTool: Sobelow
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/elixir/example1/lib/built_with_elixir_web/templates/layout/app.html.eex
Code: 
RuleID: 39d42b1f
Details: XSS
Type: Vulnerability
ReferenceHash: 3329e456649d83b26172302e0256f6a2472b501084bc32ce80837c431757a3c0

==================================================================================

Language: Ruby
Severity: UNKNOWN
Line: 
Column: 
SecurityTool: BundlerAudit
Confidence: LOW
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/ruby/example1/Gemfile.lock
Code: Cloning into '/root/.local/share/ruby-advisory-db'...
Details:  (Cloning into '/root/.local/share/ruby-advisory-db'... - )  ( - )
Type: Vulnerability
ReferenceHash: 2cb52a6579aca48a33f08b44e57aba65cb00c11e4262df137545e3df2ab3235c

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 134
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/containerd/containerd v1.4.1
RuleID: GMS-2021-175
Details: In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header.
Installed Version: "1.4.1", Update to Version: "1.4.12, 1.5.8" for fix this issue.
Type: Vulnerability
ReferenceHash: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 173
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/docker/distribution v2.7.1+incompatible
RuleID: GMS-2022-20
Details: ### Impact

Systems that rely on digest equivalence for image attestations may be vulnerable to type confusion.
Installed Version: "2.7.1+incompatible", Update to Version: "v2.8.0" for fix this issue.
Type: Vulnerability
ReferenceHash: ba2e41b87e2a864bd7d6f31f333414c2d87411b94611b4e6488a38abe8c7acaf

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 548
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/jwt v0.3.2
RuleID: GMS-2022-72
Details: The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an `Export/Import` system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission. The JWT library's validation of the bindings in the `Import Token` incorrectly warned on mismatches, instead of outright rejecting the token. As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rejected, and use it to import any Subject from the Exporting account, not just the Subject referenced in the Import Token. The NATS account-server system treats account JWTs as semi-public information, such that an attacker can easily enumerate all account JWTs and retrieve all Import Tokens from those account JWTs.
Installed Version: "0.3.2", Update to Version: "v2.0.1" for fix this issue.
Type: Vulnerability
ReferenceHash: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 548
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/jwt v0.3.2
RuleID: GMS-2022-73
Details: The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an `Export/Import` system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission. The JWT library's validation of the bindings in the `Import Token` incorrectly warned on mismatches, instead of outright rejecting the token. As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rejected, and use it to import any Subject from the Exporting account, not just the Subject referenced in the Import Token. The NATS account-server system treats account JWTs as semi-public information, such that an attacker can easily enumerate all account JWTs and retrieve all Import Tokens from those account JWTs.
Installed Version: "0.3.2", Update to Version: "v2.0.1" for fix this issue.
Type: Vulnerability
ReferenceHash: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: GMS-2021-96
Details: (This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt )

## Problem Description

NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.

The NATS accounts system has expiration timestamps on credentials; the <https://github.com/nats-io/jwt> library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API.

A new `IsClaimRevoked()` method has correct handling and the nats-server has been updated to use this.  The old `IsRevoked()` method now always returns true and other client code will have to be updated to avoid calling it.

The CVE identifier should cover any application using the old JWT API, where the nats-server is one of those applications.


## Affected versions

#### JWT library

 * all versions prior to 1.1.0
 * fixed after nats-io/jwt PR 103 landed (2020-10-06)

#### NATS Server

 * Version 2 prior to 2.1.9
   + 2.0.0 through and including 2.1.8 are vulnerable.
 * fixed with nats-io/nats-server PRs 1632, 1635, 1645


## Impact

Time-based credential expiry did not work.


## Workaround

Have credentials which only expire after fixes can be deployed.


## Solution

Upgrade the JWT dependency in any application using it.

Upgrade the NATS server if using NATS Accounts.
Installed Version: "2.1.2", Update to Version: "2.1.9" for fix this issue.
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: GMS-2021-97
Details: (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-28466.txt>)

## Problem Description

An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

This issue was fixed publicly in <https://github.com/nats-io/nats-server/pull/1731> in November 2020.

The need to call this out as a security issue was highlighted by `snyk.io` and we are grateful for their assistance in doing so.

Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected.
See below for an important caveat if running such a service.


## Affected versions

#### NATS Server

 * Version 2 prior to 2.2.0
   + 2.0.0 through and including 2.1.9 are vulnerable.
 * fixed with nats-io/nats-server PR 1731, commit 2e3c226729


## Impact

The nats-server could be killed, after consuming resources.


## Workaround

The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.


## Solution

Upgrade the nats-server.


## Caveat on NATS with untrusted users

Running a NATS service which is exposed to untrusted users presents a heightened risk.

Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

Those who are running such services are encouraged to build regularly from git.
Installed Version: "2.1.2", Update to Version: "2.2.0" for fix this issue.
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: GMS-2021-98
Details: (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-26521.txt>)

## Problem Description

The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account.  The Operator should be able to safely issue Accounts to other entities which it does not fully trust.

A malicious Account could create and sign a User JWT with a state not created by the normal tooling, such that decoding by the NATS JWT library (written in Go) would attempt a nil dereference, aborting execution.

The NATS Server is known to be impacted by this.


## Affected versions

#### JWT library

 * all versions prior to 1.1.0

#### NATS Server

 * Version 2 prior to 2.1.9


## Impact

#### JWT library

 * Programs would nil dereference and panic, aborting execution by default.

#### NATS server

 * Denial of Service caused by process termination


## Workaround

If your NATS servers do not trust any accounts which are managed by untrusted entities, then malformed User credentials are unlikely to be encountered.


## Solution

Upgrade the JWT dependency in any application using it.

Upgrade the NATS server if using NATS Accounts.
Installed Version: "2.1.2", Update to Version: "2.1.9" for fix this issue.
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 549
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/nats-io/nats-server/v2 v2.1.2
RuleID: GMS-2021-99
Details: (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2021-3127.txt>)

## Problem Description

The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects.  Some Exports are public, such that anyone can import the
relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission.

The JWT library's validation of the bindings in the Import Token incorrectly warned on mismatches, instead of outright rejecting the token.

As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the
importing account is not rejected, and use it to import *any* Subject from the Exporting account, not just the Subject referenced in the Import Token.

The NATS account-server system treats account JWTs as semi-public information, such that an attacker can easily enumerate all account JWTs and retrieve all Import Tokens from those account JWTs.

The CVE identifier should cover the JWT library repair and the nats-server containing the fixed JWT library, and any other application depending upon the fixed JWT library.


## Affected versions

#### JWT library

 * all versions prior to 2.0.1
 * fixed after nats-io/jwt#149 landed (2021-03-14)

#### NATS Server

 * Version 2 prior to 2.2.0
   + 2.0.0 through and including 2.1.9 are vulnerable
 * fixed with nats-io/nats-server@423b79440c (2021-03-14)


## Impact

In deployments with untrusted accounts able to update the Account Server with imports, a malicious account can access any Subject from an account which provides Exported Subjects.

Abuse of this facility requires the malicious actor to upload their tampered Account JWT to the Account Server, providing the service operator with a data-store which can be scanned for signs of abuse.


## Workaround

Deny access to clients to update their account JWT in the account server.


## Solution

Upgrade the JWT dependency in any application using it.

Upgrade the NATS server if using NATS Accounts (with private Exports; Account owners can create those at any time though).

Audit all accounts JWTs to scan for exploit attempts; a Python script to audit the accounts can be found at <https://gist.github.com/philpennock/09d49524ad98043ff11d8a40c2bb0d5a>.
Installed Version: "2.1.2", Update to Version: "2.2.0" for fix this issue.
Type: Vulnerability
ReferenceHash: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 571
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: github.com/opencontainers/image-spec v1.0.1
RuleID: GMS-2021-101
Details: ### Impact
In the OCI Image Specification version 1.0.1 and prior, manifest and index documents are not self-describing and documents with a single digest could be interpreted as either a manifest or an index.

### Patches
The Image Specification will be updated to recommend that both manifest and index documents contain a `mediaType` field to identify the type of document.
Installed Version: "1.0.1", Update to Version: "1.0.2" for fix this issue.
Type: Vulnerability
ReferenceHash: 3da238569fdd6ee5da9838627de3bb8c7c3885d0ca35b41fc337dec4bf38754b

==================================================================================

Language: Generic
Severity: UNKNOWN
Line: 966
Column: 0
SecurityTool: Trivy
Confidence: MEDIUM
File: /home/wilian/go/src/github.com/ZupIT/horusec-examples-vulnerabilities/go/example1/go.sum
Code: golang.org/x/text v0.3.4
RuleID: CVE-2021-38561
Details: Installed Version: "0.3.4", Update to Version: "0.3.7" for fix this issue.
PrimaryURL: https://avd.aquasec.com/nvd/cve-2021-38561.
Type: Vulnerability
ReferenceHash: 3ec997da0d274ad5d95c95e8ded5fec4d152cc86af1eb0fd26f46af2f827ea45

==================================================================================

In this analysis, a total of 309 possible vulnerabilities were found and we classified them into:
Total of Vulnerability CRITICAL is: 56
Total of Vulnerability HIGH is: 122
Total of Vulnerability MEDIUM is: 86
Total of Vulnerability LOW is: 29
Total of Vulnerability UNKNOWN is: 16
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 18040dc10b672acad7bbb4634c32fa084fd283f770beec86fa1d16dd69954a6e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 71878e3c29364755dfbd8e68ee8f0028b5bfb1bed91fa45b80137d83eec3c918 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 69fd52a63b5da396b817869763af1d2d92489b16c8ba8b241c078a3a4c0a9299 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a912db3bb0a67dfd4356d5720b8a441058df95acb40848eecc3edd244ba38cfd 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 5b060e08471e670fcb625fa046a354493d217a192856ddddbb51abde848d4fd3 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e5544276cd4ed447af777447168b533f2f38df4e5fc2dc1d9a1b3ce2e6bc8625 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1bfd01873dfaad9fadf2a8a8856dbbf9e31b184664c78e2b72c2308dc7e51517 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 246450edd913a7a210708106ff2061c542d3ae46ca118d07914c0aec183c4bf9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: eab730ca2150002cc7c15004a79a5fded384e0db93e598f07cfbfe33e1fc69ac 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: acc04e51009e301c4aaa6b71b78a95e943c78c3a9f8f795fd7fb2fd3cab46eeb 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 55447e5d2bbce43db4bb121c2dfc3ee5a7a6f9368839f0a88dd52e24b0aee1e4 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a9c2e1931f2d1c82b24007f32c69a8dd8d61563832726079695df0c27fe276a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7c490532f6c54af8141c2b9259cdea6cc7b4ad06e36aa4d05f6dedbd3c5b5249 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a47bdda283dd0f887407923561c82049e04f016f00abfe012727a23d3e1d1bb8 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ce613fce503ac68746d53d41b69aef75415131633832bf0b3e34c2862ef7f899 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 545bd73af7e020094c0bbc7a072775a6232c0e1aecceb6587aae4d04ce661371 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2a9648727ebb520d93185f55bc03b78462b27f246d3e4d25b398a3706729e809 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 646a847a16d643cf90d480389da9ed9ee67808334af02984bb34faf054fe098b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a54edfc6111a18b7e19b8db04966832601aef4d95a333b5f5af3c5915595049c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2a6f7e5439ec1605c5bd1bbdf27b95e4842982f7cb18a6b2e1ee8ef41bebbb5b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 5bd35a7ecb9c3805680039289d8bcc7519d50af21cf4da618a1f8cff64bee2c4 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 05f2dc65de713837fbfd5236a677179f5bf6e381bccdf4a03b84f068fbdc9493 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6c7ab9f1889c7d150de71c6f81b1d69ee84af271fca2ca3225809270bdccbcf0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3580c4fcac48e456d603adb404e6bea30ef6657112b4e6871daaa1422079aebe 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 669dd3ed7697bf4911b307e69085975f189685550e20153749d6be45ae1a390b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dded403532905de2a3c1a0f497ee45b55ef13f2f7f7a755b765f950603d796f7 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d5574ae760980195a9688bfa225a95c94c24ab054119817656e5d9df4d2a2f9e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3bf02ad2ea013d54986d2e7ee20a07b9be4ce0d3095226da84222d1256fc9724 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ce9d2f0c10366e6b32f768f9ac602665a97fc81ceb10a22a20e505b850ea26ec 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 10e8d4651bc8e93678d411e821215a0e6a1f85615ec2ad0c2ade43b17347ee62 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6b9f1a6400540057db2071bfb7ddaed4e7294107c23ac2ff598c75da8fc4c306 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 227a48dec73ea75a32145d4f00eede1f448efc128b6fde54c6eb1432aac87e40 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9f1a03d182e2fc0ae1e786b69ee6801b0c131c688563e5b651a597acc70ca1cf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 0f72b6536032d3ebd2d8fe6b16cd75d74826055f8fc9297b8a252486b77b77f6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 61082ccb3171a80930a5d5bf4c4692b7212a409f4b6664fffa8477b982bc8d96 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f1b0a38e0bb845630803eeb18549273f33085b2113711d439bf6af6be5f439b3 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9d37b1d0829e666e83da642acf6bdec16bd74d07df65fc621c7ae5922743b5cb 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d848d915108ddef30d2c260a49bc849436a7b62300098029f367c23d960df701 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c2cee07b84cb8a5309cebba4a03fb092088584f8c8a87a18b7c6308052628d40 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2568f3fff6f74526171f9a1c4c6fc992c4d4e95613324d2739bedeee05d285e8 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6948a71de80b75ecf78ecaeda674f5b92950c5c9033cd8af60ef441f5ba6ef10 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e6c14cd17bfb046309048c194b3e567ac431e855bbf043761ef760ba7268f3e9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 45048737642b75a7e4b43fd03142b2d502642dde52d17312279fa3aa439ff8f3 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 5251b4f73b688151815b250b30428db190d11c18794fcb3afe5045818a32420f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f85d031218daa951cd59f8d5604f19cdef0b6ebffcd6598677554f33c25fc81f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bf9d304bc7a50a5d188d06f22492dddfbbe5756e5544f7599bbf9458b732ac3c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: de7b9a2169d89f647932124a82831e18bee5073d006d21274526966687da146e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4bf2619c9794a1999bb2ca7d171a00be00b318bf63959af3aac5fef04e853537 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 5cbfe17f2b6b82431ce9de941b9666814228601747f7a680956a422e006b3495 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dea7a163ca76a3acb542312fc8eae58289574a38d44d4df97c76bc08165f69a0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b2a400f460d929aa8f44f746f5d85418d069836e06c586c8a15ce593e2291c70 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a3de79d0a4507e75706168f2cc4033b543ce75620a4afed5d7989ad818ffd935 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a86010d89768015b7ebf18d9ecf2bb439c16deba7d71a808fa46e051b09d658d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c95fb842ac060749491a69c46a60e6c6e910b0f7733efeee06e05a7f9e421974 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 5bf82b53a6273708a50cababe65d7201163755dfe3189b0881e93436453a967f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2ceab33104e6922f6a9bcc8afd1525a21d894f4a7edce66cf4b7ac40acc0b6c9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 357feeafa9c9a8283340c2f24d3b9e6af708c40b62ae25bca73ca31079ae682f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 90479ea2f915e62c5af342029895008ed1b7ead5307d11b74390942739723fc5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 85beeff20ab2a8d7369939b5b71ca0b99854ccd81f32e58858d8382d65a8b720 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 43c0b0abd5c7dfa2f694537b30124ffe41bca0596b4ca6ce7054588db33c3435 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f9c5b0823d9c1e1aea8a07fc642dacb36b34cb87e6edf12b62fea30df5bab0e1 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f3be256297e6b074192d7114bd1f09b08d621ad487b3f29a23ef05d2718dac3f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 922d42473110557a718b1ec3b666fafa5f688ba4932e9e72711356bfac5595f9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3ff3386e5fd7667b25c081818ab98c340ddbcdda8f633f04d7701d55203f90a2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 90cf7d0387d64288df034306a916894222f4c327518a74bbbe7e2d510a7a57cd 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b2601dcee0bf6aa165cb6245c9ef11fc2e6afcbc53e16b5ba877a7d05b4caf9d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 904fbf133cf1ef1c8e57b9149c95d150c227cf06d02370a65e05953e5cd7364b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 494364e9fc7eefb78e72c13622bd8f36ce7ff193e4e3774794a003cdfc97a32f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 87ed08c26c6f047c4075afb76726d6f7eff9c88c6e0648433666354829396123 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a7272504ff776a01f9c9eb820143441844a98ac7c772cd9b5bd4900ed7fb6945 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 142201dfbb35df380a2872d250d1190581d8a6c3b7a769cec8b271420c5fba95 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 0f96b6c5b0751324e081603bea19094948d186b060f4383891312e4557705afc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9c2b048898fdd7ab148a92460c7dbb4832a08b2d5e80b6f728dddacceed3bc6b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 98fafba007b866c59514097e978450ee4754598101ac7d986443a4b689c43862 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 861d9035762949472adbe7e1f13f14b243ddd2ee13a09a0448b9a3e9f5fed700 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 05735d963275192924c769521b424a4426378e3d748ccacefe88d580d7af1b83 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a6c167d46cc2a5fe423d374fac787dbe054d39d7d956adc3d864402002b75be4 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f46e7c1841dd2f329461bf21b5d4d278318f20e9dd1502be4eb1b5cc3587cc9c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c55186451954e0d8def7f422179ace64c46e2f24cad86e1acbcc623c7af3db57 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 321ac7ba803762c1704daab4b5cff181045e8566c34e9c705ef8945175bb1e91 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b027bb471503420afa0e60df3a54d5ecaa5f95ca1b978a1bc1a6a754235e8ed8 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7e833ce5ece30c05dd31c82232a7ad16983a237453ddb7b3dd43902b682945d0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 828ded0545f61106f15d5f1f3e8ecea04294f7057627383166be1ee0607de7ad 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f199ffe523b32b2592cdb287c84b0c41e19fddc169a093cd8bd352ab714a066f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d2dbf3e0ce12b0a9bc8b9160cafa72d1a53e9053ef8b2ba2428aecfc03e9d302 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ee1c3471c52c4bedc85752ef863d23fc76101e5a047c7eeb9e83baaf90dbb5f9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 259521764e685e0660b478fc393647ec0b8014c7cc1dcf3ff1e68784bcb60a87 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3e1df653eda0a35a72e0463b365707f5cadbb215a838362d0f4a6d56bac7afc3 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 957d1cd80280e62d971acc15ffb2dc092e0d1cd7eb03b23d4911668fa0187023 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 892e73cc8df6c0ed6b5fdc125a0daa023920a37785f57064699ccab5ad422c9a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4cd898641c99b94d041f533d3385e555afb458e9c43e48e892834e61c524e52b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 85a4cd1b13193cec4ab156cf0574bf4abac8b3a725024ea2695cc59ed149c0d0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 85a4cd1b13193cec4ab156cf0574bf4abac8b3a725024ea2695cc59ed149c0d0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8a9b439a9f071ce7ba414dc60f186d7b973d75245854ba9bd74b5dae3e587a66 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2c8729b329494f140bb7cde2299426adaa9b6f77eb1a656f8d9dbd7b67567c6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4d39cbd0e24ee614104b6a5d20ad19a127f4336e9b93c454137b63e07d6987bf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 466d3818ff2db72345defca3b7d72e8610c77102ed3ca9dbc857ff397835da8c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 848bd36dde1c3872d98a065ec60b6ce7e4fc053957ba260095b9bc8fc701a0b2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 98b7d4d01cc1d5486fa0f5763dbc8fbc57226723ed00455f0ccb954890af1a9b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9e593d1b45117aebbba769cbff1f28ada08478900d14a6d9d3de0213fd71dd83 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9e593d1b45117aebbba769cbff1f28ada08478900d14a6d9d3de0213fd71dd83 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f02d7ca215e5852ce577bb89e8bb4ff757b99cf74653281521b04685b7962120 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d8fb346ea3e846b2802b2e5c29ac925646ad3ed33e500b91b69ddaf79e0f92fe 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 610a5184d5932e4f0a0596b207ae33a41664086415f52e628124add52a0b7aba 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f417edbe23cddb1fe54d6d201436744f8c1272e94b1bf0c8a9c37917f7163796 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4a8d51561b4e52a9df7e61e2f0d15c1f8f31b71ccbd1a6d9d7740d43f4797120 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4a8d51561b4e52a9df7e61e2f0d15c1f8f31b71ccbd1a6d9d7740d43f4797120 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dea7a163ca76a3acb542312fc8eae58289574a38d44d4df97c76bc08165f69a0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dbf874603543c77b44a124b4354a7deaad6367ce3f933d6e04843c0f983aedad 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 47e415538f20916e6f837cc9331218e7727fe99455ed2e14027c60c3f423f53d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 73ec9c0ab49b97e2826f27723af405141709136f2b01fcc7f0360b1953beac90 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3ab5c8776343017a2cf51dbc5b7de1593067fa76eacaba5ae2c80e3f43fab0fe 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: fd4e9f10f1e3cdf6328a454acb24b29b08c6fbe41a272c7dc390997e751106d4 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e1fe563580d3be95c12ea42ae9ff9f16aad2fa3e2f0863bf3010935e2ecbb8f9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a32bcbeb938856ee4d494a8b65f95120311e8e51bb64c797177f8c0be90b9d79 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3b0ea775914d2baa3aa5fca87f4918c4c906bbcde69130a31063bfc5f466bd78 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 954d0c45cb5013621a9dab2d752bd894eda9a71f670e3d558ab34cd6c44f3393 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dd399a7669ec649005ff78f1e6da4edfebfe53d645ccffe024f767d512a70e3f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 42179e371e056bd82b218b36d343225628a1fa95996184418298dc5bd97d2b0a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 04486976600a208186b3ab735cf898a9d3215aeed4bb3540cd27eaa239278dcb 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8b8fcce4f23c0e13ec2a28e084b1888f7422347d279ccebd32faa2816a027b7e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f7781f261231e78fa69e48b003daf6872421a9739db598226c4f13f4daf2a127 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e1fe563580d3be95c12ea42ae9ff9f16aad2fa3e2f0863bf3010935e2ecbb8f9 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 55dd715ddd59050f5a6b1865ee0f069901e53f2c35665397a5c3496a3a68a063 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 93e387e71708e0dd9080f6ac61321589341417bf4e9413a6ce5761b1916323fc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b6f0abfb60853d4a4df6eda30fee9da248c9ae05740775b8df634dd56d47f359 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: daed37b3882e463c24bd0aaf03093f45c6cbbe3c25eb90b825f7f1f503288f1d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 50b2d211d0d7e296b469cabe6a7acf73232211dd6a335192c86081f0e98d80d0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: aaa86ebbced62e4c97a8e28245c8a97e0f57f7f72b698584ebc4ddd43abc9493 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ad6d3290b8b492e1814b969b1d84403d34f00e6b93cd2cac48d6511e320c7d5d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8915bca8be9ef8e97d569a4623b885b10c70d655045849933f21d803642b84ff 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: fd451905fa5c85b03b0a7a3e09b08d066537d07fba88968c7c5ff93d34ec5b04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c6027c82eb5ddfd5af5a6b5232e45854ded5700cd624ca5e3826f47a9f58c8ce 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c140f13335020e5725141fb22cb6752d55bae5012aef87c66ddee6e399286175 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: c91e48e950d33d489d0c22d42991c68a50f972d73a105a8b323c94060eb76791 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 655cc2aff344c9c8a0a921c2ebaf83dfaba162337b52b0a058062274aae1adab 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9aff887b9aea458ef259153f5a7d9ddc53aa8efe39d5681f201ecc777a1c7aba 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 39564392781dfbe0002af2bf271cc97059e16789a6fdbb117a376778a576a0a0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 036f51227fbfd6e19357c43830c5c4c9f41459ce3898ade62071c50a6d1628b5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 24008caf996cda1599bd03db2470ab55201bf310b9d86623173bd46ad8ea3030 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3209f84f48fc6daab1dd16f050c29d7b2e84b99271495052315af215e099625c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 71923eafeb49e78c66ee070206aafcf27b31457e465eb5baf90d53640428042c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b4e8255a57c2329f7aa71f070afb6da30890815945c1ac5f80d7a7b8b89bf53c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 17c2a04cfc9e8755d0b81fe42c16d924d6fae77fe24860941bf069b82570d08e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 18172b17482ed32d3d5e55cc2604e8b9328ab490c957b03a785620a68a909fa0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2be84db82960ad84bf3458c762f4df9c398773ac75d9ecbd1dffae26898bf797 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 621c2a588a62ca150706cfdb28ac78a3ff72d3621254f561b73936f713830100 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2840a2c4e1d08fd67e39c2cb5296d08934b587cd0592a3b3452d45b4e10c0e14 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 0e66bb9ed8d5ade659d57bcd6616dec91c6f0821543d22bc13c2f9dced2984cf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6392bdb4fe820b40c9c8b8001ba8036b05ec5182f01a371deb7450d4499aef2a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f11049286c520f7819394820053176e4012ae5f5a4011c43849f9b95e65b8e18 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ddf7deecdc67c357d73a86445d14f238eeb93a30a449a01ff19e62ab068f8202 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f2efe6e3b8ba00e878a4e85dd9d0a2f2b1a7a5c01192901576223e3304cc2b5b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d0391c757c65f65fbf275f5327e766ced941041f92c2e16a82f24d884160cdaf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d0391c757c65f65fbf275f5327e766ced941041f92c2e16a82f24d884160cdaf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 361183030980864c9f4abcafd9ea14f338f810da5f520b9884ccc1f6319dd76a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 361183030980864c9f4abcafd9ea14f338f810da5f520b9884ccc1f6319dd76a 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: f08c63fa1ab0094020d2ba3d246a54797e90719e1190b2f5885093281af13f7e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 55fc49e2e492e7196b38970126bedec23a74f6ae4ba8899a5022a3c4efd50f37 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2e42f1620b60bb91425f84bd5b44431a72c3d00033996a505f0f672fd4a301ce 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 65493036e8de3c70783fd9003ca8f0102cf36e8eda2cd882e283e22cb246b77f 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4d75fbcedeca5719ae4fac1cb35b426446d62692d5bdecf5b057db9f62c6b40e 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 28ee86f096f0f1bba2ae277b530e3989d3a738c6aee94880a4fd5ccf09849b56 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 28ee86f096f0f1bba2ae277b530e3989d3a738c6aee94880a4fd5ccf09849b56 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 969fa3d2e2a9dd6bfe792fd76bff1684979c3ac8c6512e6c7416e0effacd97af 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 969fa3d2e2a9dd6bfe792fd76bff1684979c3ac8c6512e6c7416e0effacd97af 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: dc81548d401adba2056ebe2b0079a050e852c7df44c62686987a4ab6ff6c9d26 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 650b0345b27a2ccf6a178b395a97f2cc4256303d2fda37f5a496f0c0f46d42a5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ad609c2cac15160514a37c80e928351fd1cf5ddf5d0bdd2d1598e3181c707691 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a0fa9ca08cb2fa4b452376c2bd9af8a8d7f251a1dd77cabdf1048441baad4a01 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: cc75018273ff2a7643f53cc9fa9de03beba74ff2189113aea04ad6ca5b50eb95 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8dbe30523102dd0d5b395aca189443763ae4dc803bb4963b191c5a2b526f0ec1 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 832ee07331c35d9e6f1c9c8a08c685581373cfff00b4137d134614f82e3a2832 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 33e383594fb31d90b0b4e47576b9c0dfd67a82c94161b48ada17b05c261934cd 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: eac0694e83450b345c7d9ed096b57de72b8afe6b3bdb5b688a201f6c9409f4cd 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: be5bad0e338b8b8ec0d9f76645bc6504d5e0da81bcfc887a2e7f55201d8e2293 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bae888c60f374723d8541f0ea3705880690e6d756ee413012bf06cf58956026c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: be5aa50bbd4ece4fa8f8299350d9016650f8dabf8eb20956102d5ce3789b3e15 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: a70263373359512e06dfc63320507c5c9ce3fd55cfaffb7358c240272c5ea2f5 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bdada2d0c7e6443c0b9e36a9e1a3e9cc2c56d40d0641bddbc1dff5891b10f2a1 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 9a843b00df88c3cb0888457259a6945eca06b0f377baa40219c9de05a8a609fa 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 222fbc9efb45aca5aa9b1c33528863e3f911121cbc3feae5ea3bcef48b7640fe 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7bbcae6ef436674d0e80a681260cce3471dc7ec4111ae64fe53c6fb27dd1eeb3 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 56d61c3b6102d9b8647327423a3bec3f3cd7ac0dfc0bec4c0b570cb7a7df3874 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3447fc4894516c7e111bb3e41c54625cdec645d42626e90833e51da8ceb79765 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 655cc2aff344c9c8a0a921c2ebaf83dfaba162337b52b0a058062274aae1adab 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 0df78105e45adadd0a584b2fc0ff01ce11771e7d5448d041103014c76713c3ed 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: cac9d40a197cbfad93322c7c0efdcf6560eb3f4016b21f36725f04d65a4a8961 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 902da333732abb51ea6b08fb19931b517dd5079bbbe1939e9dfb73a3afc97d63 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2becee306b91f87a1de71db429f3a31e74337309324ac7c3f5e176cbe840fde 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: b84877196e940ae92e8a032eba7d82d41229c5064db784caa1d67efe111ce22c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e2180e1df425f71506d35e84b5f979ab6792985ab5a228208bc754f69836345d 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7ecdaa455c041e7f1f6c2a5c04c273ac2a524223ff83256ea1da6664fa505544 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7ecdaa455c041e7f1f6c2a5c04c273ac2a524223ff83256ea1da6664fa505544 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7b1d83e504f65340aeabb9cde2f973b1c2177031b95cd417ab1d1ec3f43214fe 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 8f65aa0cbb34262dce05707ff77abe3a863a202b225069a66497db2e91860501 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 6ef3ea9c857fea6c2d8ffa073b554e55885c061c3b36a319510c45335e500150 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 4c7b9cd4b118ba3eea2aa01d24b8be577c3ab767708cf50cf57343f1ded20946 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: bc11d7508cf14b66e9955cd06c2c0651449a82591fa06c8336c14559f64227d2 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: e74420908e5d0deea8ce9dbb2f00d032cd79ab2e95e379576fe8a8c982517d04 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 7b37c9b05cf5da221e6493d142046fd77300c7d683f601ac51668826e5ab7494 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d7c68880c6e63e555e8ba8d6901e720be804544acd609e1ee1a99ad309dd0a01 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: d7c68880c6e63e555e8ba8d6901e720be804544acd609e1ee1a99ad309dd0a01 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 0f28a30847b2af8c98784ca60aa8d4af50f9dd7ad6041253972ff946ac75f418 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 65adb449a575a82710a0603e0019190f8ab04bd6bfa7b90ffa03f5c1945bcd36 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3329e456649d83b26172302e0256f6a2472b501084bc32ce80837c431757a3c0 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 2cb52a6579aca48a33f08b44e57aba65cb00c11e4262df137545e3df2ab3235c 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 1e2a0ac1e7696a5d67eaf097ecbdec41c1bc43a68343e98cad8c743a5e2a9cfc 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: ba2e41b87e2a864bd7d6f31f333414c2d87411b94611b4e6488a38abe8c7acaf 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 810c9655aeb565c9922fee65b9d5c3b46ff1abba230a0f868e5b3d25fb9dc1c7 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 75c9f5c33528a426e62d1c38c5f66cd829b8c02197703e42a7e1b39580ef6ae6 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3da238569fdd6ee5da9838627de3bb8c7c3885d0ca35b41fc337dec4bf38754b 
DEBU[0060] {HORUSEC_CLI} Vulnerability Hash expected to be FIXED: 3ec997da0d274ad5d95c95e8ded5fec4d152cc86af1eb0fd26f46af2f827ea45 

==================================================================================


WARN[0060] {HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis 

WARN[0060] {HORUSEC_CLI} 309 VULNERABILITIES WERE FOUND IN YOUR CODE SENT TO HORUSEC, TO SEE MORE DETAILS USE THE LOG LEVEL AS DEBUG AND TRY AGAIN 

WARN[0060] {HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option "--information-severity=true". For more details use (horusec start --help) command.