Feature/demo e2e

[CalinL]

No description provided.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 4 vulnerable package(s)
• ❌ 7 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA f647f14.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

samples/Pipfile.lock

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate

src/webapp01/webapp01.csproj

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate
System.Text.Json	8.0.4	Microsoft Security Advisory CVE-2024-43485 | .NET Denial of Service Vulnerability	high

Only included vulnerabilities with severity moderate or higher.

License Issues

samples/Pipfile.lock

Package	Version	License	Issue Type
flask	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
werkzeug	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
jinja2	3.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
click	8.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
itsdangerous	2.0.1	BSD-2-Clause	Incompatible License
markupsafe	2.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
python-dotenv	0.19.0	BSD-2-Clause AND BSD-3-Clause	Incompatible License

Allowed Licenses: MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/flask	2.0.2	🟢 6.2	Details Check Score Reason Maintained 🟢 10 20 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 3 Found 6/20 approved changesets -- score normalized to 3 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 9 security policy file detected Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/werkzeug	2.0.2	🟢 5.8	Details Check Score Reason Maintained 🟢 6 0 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/19 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Packaging 🟢 10 packaging workflow detected Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/jinja2	3.0.2	🟢 6.8	Details Check Score Reason Code-Review ⚠️ 2 Found 4/18 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 9 6 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 9 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 4 out of the last 4 releases have a total of 4 signed artifacts. Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/click	8.0.1	🟢 6.8	Details Check Score Reason Code-Review ⚠️ 2 Found 2/10 approved changesets -- score normalized to 2 Maintained 🟢 10 23 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Security-Policy 🟢 9 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/itsdangerous	2.0.1	🟢 5.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 0/14 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 5 dependency not pinned by hash detected -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases 🟢 10 1 out of the last 1 releases have a total of 1 signed artifacts. Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/markupsafe	2.0.1	🟢 5.9	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/24 approved changesets -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Packaging 🟢 10 packaging workflow detected Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Signed-Releases 🟢 10 5 out of the last 5 releases have a total of 5 signed artifacts. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
pip/python-dotenv	0.19.0	🟢 4.7	Details Check Score Reason Maintained 🟢 10 9 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 10 security policy file detected Code-Review 🟢 5 Found 15/28 approved changesets -- score normalized to 5 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
nuget/System.Text.Json	8.0.4	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 8 2 existing vulnerabilities detected Binary-Artifacts ⚠️ 0 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0

Scanned Files

• samples/Pipfile.lock
• src/webapp01/webapp01.csproj

To fix the issue, we will add the readonly modifier to the adminUserName field. This ensures that the field cannot be reassigned after its initial assignment during declaration. The change will be made directly on line 10 where the field is declared.

---

To fix the issue, we will replace the Request.Query.ContainsKey("drive") and subsequent Request.Query["drive"] with a single call to Request.Query.TryGetValue. This will combine the existence check and retrieval into one operation, improving efficiency. Specifically:

1. Use Request.Query.TryGetValue("drive", out var driveValue) to check for the presence of the "drive" key and retrieve its value if it exists.
2. If the key is not found, assign the default value "C" to the drive variable.

This change will be made on line 23 of the file src/webapp01/Pages/Privacy.cshtml.cs.

---

To fix the issue, the user-provided input (drive) should be sanitized before being included in the log entry. Since the log is plain text, we can remove newline characters and other potentially harmful characters from the input using String.Replace or similar methods. This ensures that the log entry cannot be manipulated by malicious input.

The fix involves:

1. Sanitizing the drive variable by removing newline characters (\n and \r) and trimming any leading or trailing whitespace.
2. Using the sanitized version of drive when constructing the str variable and logging it.

---