Contrast-Security-OSS
diff --git a/‎expected_csv_file/SampleFileRiskSenseIntegration_vulnerabilities.csv‎
Lines changed: 9 additions & 0 deletions b/‎expected_csv_file/SampleFileRiskSenseIntegration_vulnerabilities.csv‎
Lines changed: 9 additions & 0 deletions
@@ -0,0 +1,9 @@
+Group Name,Project Name,Tool,Scanner Name,Status,Vulnerability,Details,Additional Info,Severity,CVE,CWE,Other Identifiers,Detected At,Location,Activity,Comments,sast-plugin-id,CVSS Vectors,Dismissal Reason,Vulnerability ID,APPID,SeverityScore,Address
+SDIT-RA,reference-application,sast,Semgrep,detected,Exposure of sensitive system information to an unauthorized control sphere,"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints\nsuch as /actuator/env, /actuator/logfile, /actuator/heapdump and others.\nIf the application lacks proper security measures (e.g., authentication and \nauthorization), sensitive data could be accessed, compromising the application and \nits infrastructure. This configuration poses a serious risk in production \nenvironments or public-facing deployments.\n\nTo mitigate the risks, take the following measures:\n  - Expose only the Actuator endpoints required for your use case\n  - For production environments, restrict exposure to non-sensitive endpoints \n  like `health` or `info`\n  - Ensure Actuator endpoints are protected with authentication and authorization \n  (e.g., via Spring Security)\n  - Use environment-specific configurations to limit exposure in production\n\nSecure Code Example:\nInstead of include: ""*"", list only the endpoints you need to expose:\n```\nmanagement:\n  endpoints:\n    web:\n      exposure:\n        include: ""health,info,metrics""\n```\n\nReferences:\n- https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.exposing\n- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785\n- https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators\n",,medium,,CWE-497,"""A01:2021 - Broken Access Control""; yaml_spring_rule-SpringActuatorFullyEnabled; ""A3:2017 - Sensitive Data Exposure""",2025-06-12 17:00:07 UTC,"{""file""=>""src/main/resources/bootstrap.yml"", ""end_line""=>11, ""start_line""=>1}",FALSE,,sdit-ra/reference-application/391603,,,391603,APP5428,5,SpecFlow 2 Demo
+SDIT-RA,reference-application,sast,Semgrep,detected,Exposure of sensitive system information to an unauthorized control sphere,"Spring Boot Actuator is fully enabled. This exposes sensitive endpoints\nsuch as /actuator/env, /actuator/logfile, /actuator/heapdump and others.\nIf the application lacks proper security measures (e.g., authentication and \nauthorization), sensitive data could be accessed, compromising the application and \nits infrastructure. This configuration poses a serious risk in production \nenvironments or public-facing deployments.\n\nTo mitigate the risks, take the following measures:\n  - Expose only the Actuator endpoints required for your use case\n  - For production environments, restrict exposure to non-sensitive endpoints \n  like `health` or `info`\n  - Ensure Actuator endpoints are protected with authentication and authorization \n  (e.g., via Spring Security)\n  - Use environment-specific configurations to limit exposure in production\n\nSecure Code Example:\nInstead of include: ""*"", list only the endpoints you need to expose:\n```\nmanagement:\n  endpoints:\n    web:\n      exposure:\n        include: ""health,info,metrics""\n```\n\nReferences:\n- https://docs.spring.io/spring-boot/reference/actuator/endpoints.html#actuator.endpoints.exposing\n- https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785\n- https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators\n",,medium,,CWE-497,"""A01:2021 - Broken Access Control""; yaml_spring_rule-SpringActuatorFullyEnabled; ""A3:2017 - Sensitive Data Exposure""",2025-06-12 17:00:07 UTC,"{""file""=>""target/classes/bootstrap.yml"", ""end_line""=>11, ""start_line""=>1}",TRUE,,sdit-ra/reference-application/391604,,,391604,APP5428,5,SpecFlow 2 Demo
+SDIT-RA,reference-application,sast,Semgrep,detected,Improper limitation of a pathname to a restricted directory ('Path Traversal'),"The application dynamically constructs file or path information. If the path\ninformation comes from user input, it could be abused to read sensitive files,\naccess other users' data, or aid in exploitation to gain further system access.\n\nUser input should never be used in constructing paths or files for interacting\nwith the filesystem. This includes filenames supplied by user uploads or downloads.\nIf possible, consider hashing user input or replacing it with unique values and\nuse `Path.resolve` to resolve and validate the path information\nprior to processing any file functionality.\n\nExample using `Path.resolve` and not allowing direct user input:\n```\n// Class to store our user data along with a randomly generated file name\npublic static class UserData {\n    private String userFileNameUnsafe;\n    private String fileName;\n    public UserData(String userFileName) {\n        this.userFileNameUnsafe = userFileName;\n        // Generate a random ID for the filename\n        this.fileName = UUID.randomUUID().toString();\n    }\n    public String getUserFileNameUnsafe() { return userFileNameUnsafe; };\n    public String getFileName() { return fileName; };\n}\n\npublic static void main(String[] args) throws Exception {\n    // User input, saved only as a reference\n    UserData userData = new UserData(""..\\test.txt"");\n    // Restrict all file processing to this directory only\n    String base = ""/var/app/restricted"";\n    Path basePath = Paths.get(base);\n    // Resolve the full path, but only use our random generated filename\n    Path fullPath = basePath.resolve(userData.getFileName());\n    // verify the path is contained within our basePath\n    if (!fullPath.startsWith(base)) {\n        throw new Exception(""Invalid path specified!"");\n    }\n    // process / work with file\n}\n```\n\nFor more information on path traversal issues see OWASP:\nhttps://owasp.org/www-community/attacks/Path_Traversal\n",,medium,,CWE-22,"""A01:2021 - Broken Access Control""; find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1; ""A5:2017 - Broken Access Control""; ""Find Security Bugs-PT_ABSOLUTE_PATH_TRAVERSAL""",2025-07-14 17:20:10 UTC,"{""file""=>""src/main/java/com/charter/reference/controller/ReferenceController.java"", ""start_line""=>55}",FALSE,,sdit-ra/reference-application/415028,,,415028,APP5428,5,SpecFlow 2 Demo
+SDIT-RA,reference-application,sast,Semgrep,detected,Improper limitation of a pathname to a restricted directory ('Path Traversal'),"The application dynamically constructs file or path information. If the path\ninformation comes from user input, it could be abused to read sensitive files,\naccess other users' data, or aid in exploitation to gain further system access.\n\nUser input should never be used in constructing paths or files for interacting\nwith the filesystem. This includes filenames supplied by user uploads or downloads.\nIf possible, consider hashing user input or replacing it with unique values and\nuse `Path.resolve` to resolve and validate the path information\nprior to processing any file functionality.\n\nExample using `Path.resolve` and not allowing direct user input:\n```\n// Class to store our user data along with a randomly generated file name\npublic static class UserData {\n    private String userFileNameUnsafe;\n    private String fileName;\n    public UserData(String userFileName) {\n        this.userFileNameUnsafe = userFileName;\n        // Generate a random ID for the filename\n        this.fileName = UUID.randomUUID().toString();\n    }\n    public String getUserFileNameUnsafe() { return userFileNameUnsafe; };\n    public String getFileName() { return fileName; };\n}\n\npublic static void main(String[] args) throws Exception {\n    // User input, saved only as a reference\n    UserData userData = new UserData(""..\\test.txt"");\n    // Restrict all file processing to this directory only\n    String base = ""/var/app/restricted"";\n    Path basePath = Paths.get(base);\n    // Resolve the full path, but only use our random generated filename\n    Path fullPath = basePath.resolve(userData.getFileName());\n    // verify the path is contained within our basePath\n    if (!fullPath.startsWith(base)) {\n        throw new Exception(""Invalid path specified!"");\n    }\n    // process / work with file\n}\n```\n\nFor more information on path traversal issues see OWASP:\nhttps://owasp.org/www-community/attacks/Path_Traversal\n",,medium,,CWE-22,"""A01:2021 - Broken Access Control""; find_sec_bugs.PT_ABSOLUTE_PATH_TRAVERSAL-1; ""A5:2017 - Broken Access Control""; ""Find Security Bugs-PT_ABSOLUTE_PATH_TRAVERSAL""",2025-07-14 17:20:10 UTC,"{""file""=>""src/main/java/com/charter/reference/controller/ReferenceController.java"", ""start_line""=>41}",FALSE,,sdit-ra/reference-application/415029,,,415029,APP5428,5,SpecFlow 2 Demo
+SDIT-RA,reference-application,sast,Contrast Scan,detected,OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule in ReferenceController.java,Cross Site Scripting Rule in src/main/java/com/charter/reference/controller/ReferenceController.java,,critical,,,OPT.JAVA.SEC_JAVA.CrossSiteScriptingRule,2025-07-18 13:05:42 UTC,"{""file""=>""src/main/java/com/charter/reference/controller/ReferenceController.java"", ""start_line""=>68}",FALSE,,sdit-ra/reference-application/417001,,,417001,APP5428,10,SpecFlow 2 Demo
+SDIT-RA,reference-application,sast,Contrast Scan,detected,OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage in ReferenceController.java,Information Exposure Through Error Message in src/main/java/com/charter/reference/controller/ReferenceController.java,,high,,,OPT.JAVA.SEC_JAVA.InformationExposureThroughErrorMessage,2025-07-18 13:05:42 UTC,"{""file""=>""src/main/java/com/charter/reference/controller/ReferenceController.java"", ""start_line""=>95}",FALSE,,sdit-ra/reference-application/417002,,,417002,APP5428,8,SpecFlow 2 Demo
+SDIT-RA,BadGPT,sast,Contrast Scan,detected,CWE-311 in badgpt.py,Server Insecure Transport in badgpt.py,,high,,CWE-311,OPT.PYTHON.SECURITY.ServerInsecureTransport,2025-09-12 13:38:17 UTC,"{""file""=>""badgpt.py"", ""start_line""=>45}",FALSE,,sdit-ra/BadGPT/474027,,,474027,APP5428,8,SpecFlow 2 Demo
+SDIT-RA,BadGPT,sast,Contrast Scan,detected,CWE-134 in badgpt.py,Format String Injection Rule in badgpt.py,,medium,,CWE-134,OPT.PYTHON.SECURITY.FormatStringInjectionRule,2025-09-12 13:38:17 UTC,"{""file""=>""badgpt.py"", ""start_line""=>31}",FALSE,,sdit-ra/BadGPT/474028,,,474028,APP5428,5,SpecFlow 2 Demo