Add initial package.json with dependencies and scripts

[juegge]

test if mal packs are shown in PR deco

[juegge]

Checkmarx One – Scan Summary & Details – 0bfe7d40-a04b-4112-a559-5d84dba4c537

---

New Issues (308)

Critical: 115 · High: 40 · Medium: 143 · Low: 10

AI Triage*: Suspected False Positive 8 · View triage analysis

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2019-10744	Npm-lodash-4.17.11	details Recommended version: 4.17.23 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2		Cx042e432f-e0c4	Npm-node-ipc-9.2.2	details Description: The malicious payload in this package has the ability to corrupt or destroy files on disk ### About File wiping or file destruction is a type of r... Vulnerable Package
3		Cx07931ce7-8224	Npm-ua-parser-js-0.7.29	details Description: This package exfiltrates stored credentials and sensitive information ### About Data exfiltration may be done in numerous ways such as through HTT... Vulnerable Package
4		Cx28bd7545-eb30	Npm-node-ipc-9.2.2	details Description: This package includes functionality which aims to protest or raise an issue and might include undesired behavior. ### About Similar to a malicious... Vulnerable Package
5		Cx299e146f-5a39	Npm-scs-0.0.1	details Description: This package executes a crypto mining software ### About Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem ... Vulnerable Package
6		Cx43050644-3add	Npm-momnet-2.29.1	details Description: This package name is similar to other popular package "moment" ### About Typosquatting attacks relies on user type errors being inputted into inst... Vulnerable Package
7		Cx4737011d-347c	Npm-ua-parser-js-0.7.29	details Description: This package executes a crypto mining software ### About Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem ... Vulnerable Package
8		Cx4a52ebed-4106	Npm-momnet-2.29.1	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... Vulnerable Package
9		Cx4ba6c921-c998	Npm-scs-0.0.1	details Description: This package exfiltrates computer and operating system information ### About Data exfiltration may be done in numerous ways such as through HTTP r... Vulnerable Package
10		Cx4eb613b4-04e7	Npm-scs-0.0.1	details Description: This package downloads a harmful file. File hash: ```ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e``` ### About Using a dynamic... Vulnerable Package
11		Cx558b006b-f4df	Npm-ua-parser-js-0.7.29	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... Vulnerable Package
12		Cx6b9a86a5-690c	Npm-flow-dev-tools-99.10.9	details Description: This package communicates with a suspicious service commonly used by threat actors "https://rt11\[\.\]ml" Vulnerable Package
13		Cx8ef77360-5422	Npm-node-ipc-9.2.2	details Description: The Contributor of this package, npm user [riaevangelist](https://www\.npmjs\.com/~riaevangelist\), previously seen corrupting one of his popular pack... Vulnerable Package
14		Cx8f9b1745-1402	Npm-scs-0.0.1	details Description: This package downloads a harmful file. File hash: ```2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd``` ### About Using a dynamic... Vulnerable Package
15		Cx9c42b5fe-7ada	Npm-ua-parser-js-0.7.29	details Description: This package downloads a harmful file. File hash: ```7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5``` ### About Using a dynamic... Vulnerable Package
16		Cx9c42f2c3-f75f	Npm-ua-parser-js-0.7.29	details Description: This package exfiltrates computer and operating system information ### About Data exfiltration may be done in numerous ways such as through HTTP r... Vulnerable Package
17		Cxa2b7a014-3ccf	Npm-flow-dev-tools-99.10.9	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... Vulnerable Package
18		Cxadcc9e15-660b	Npm-flow-dev-tools-99.10.9	details Description: This package is using dependency confusion attack ### About Dependency Confusion is a technique discovered by [@alex.birsan](https://medium\.com/@a\.\.\. Vulnerable Package
19		Cxae294227-318d	Npm-scs-0.0.1	details Description: This package downloads a harmful file. File hash: ```7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5``` ### About Using a dynamic... Vulnerable Package
20		Cxb548375c-73ad	Npm-momnet-2.29.1	details Description: There is a weak link between the package's listed metadata and the referenced Git repository "https://github\.com/moment/moment" ### About Package ... Vulnerable Package
21		Cxbe748a42-4843	Npm-scs-0.0.1	details Description: This package exfiltrates stored credentials and sensitive information ### About Data exfiltration may be done in numerous ways such as through HTT... Vulnerable Package
22		Cxd59efdf2-2f00	Npm-ua-parser-js-0.7.29	details Description: This package downloads a harmful file. File hash: ```2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd``` ### About Using a dynamic... Vulnerable Package
23		Cxe3a87c30-9600	Npm-scs-0.0.1	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... Vulnerable Package
24		Cxec41bee3-fc56	Npm-ua-parser-js-0.7.29	details Description: This package downloads a harmful file. File hash: ```ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e``` ### About Using a dynamic... Vulnerable Package
25		Cxed2acd22-9b01	Npm-node-ipc-9.2.2	details Description: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc... Vulnerable Package
26		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/XPathQuery.java: 36	details The application's method executes an SQL query with executeQuery, at line 14 of /src/main/webapp/vulnerability/Messages.jsp. The application con... Attack Vector
27		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/XPathQuery.java: 35	details The application's method executes an SQL query with executeQuery, at line 14 of /src/main/webapp/vulnerability/Messages.jsp. The application con... Attack Vector
28		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java: 25	details The application's method executes an SQL query with executeQuery, at line 37 of /src/main/java/org/cysecurity/cspf/jvl/controller/sqs.java. The ... Attack Vector
29		SQL_Injection	/src/main/webapp/vulnerability/csrf/changepassword.jsp: 33	details The application's method executes an SQL query with executeUpdate, at line 40 of /src/main/webapp/vulnerability/csrf/changepassword.jsp. The app... Attack Vector
30		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 60	details The application's method executes an SQL query with executeUpdate, at line 127 of /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java... Attack Vector
31		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58	details The application's method executes an SQL query with executeUpdate, at line 119 of /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java... Attack Vector
32		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Install.java: 58	details The application's method executes an SQL query with executeUpdate, at line 117 of /src/main/java/org/cysecurity/cspf/jvl/controller/Install.java... Attack Vector
33		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 47	details The application's method executes an SQL query with executeUpdate, at line 58 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
34		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java: 44	details The application's method executes an SQL query with executeQuery, at line 52 of /src/main/java/org/cysecurity/cspf/jvl/controller/EmailCheck.java... Attack Vector
35		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 44	details The application's method executes an SQL query with executeQuery, at line 52 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.... Attack Vector
36		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.java: 43	details The application's method executes an SQL query with executeQuery, at line 52 of /src/main/java/org/cysecurity/cspf/jvl/controller/UsernameCheck.j... Attack Vector
37		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 43	details The application's method executes an SQL query with executeQuery, at line 52 of /src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.... Attack Vector
38		SQL_Injection	/src/main/webapp/changeCardDetails.jsp: 39	details The application's method executes an SQL query with executeUpdate, at line 43 of /src/main/webapp/changeCardDetails.jsp. The application constru... Attack Vector
39		SQL_Injection	/src/main/webapp/changeCardDetails.jsp: 38	details The application's method executes an SQL query with executeUpdate, at line 43 of /src/main/webapp/changeCardDetails.jsp. The application constru... Attack Vector
40		SQL_Injection	/src/main/webapp/changeCardDetails.jsp: 37	details The application's method executes an SQL query with executeUpdate, at line 43 of /src/main/webapp/changeCardDetails.jsp. The application constru... Attack Vector
41		SQL_Injection	/src/main/webapp/vulnerability/idor/change-email.jsp: 27	details The application's method executes an SQL query with executeUpdate, at line 32 of /src/main/webapp/vulnerability/idor/change-email.jsp. The appl... Attack Vector
42		SQL_Injection	/src/main/webapp/vulnerability/csrf/change-info.jsp: 26	details The application's method executes an SQL query with executeUpdate, at line 31 of /src/main/webapp/vulnerability/csrf/change-info.jsp. The appli... Attack Vector
43		SQL_Injection	/src/main/webapp/vulnerability/sqli/download_id_union.jsp: 18	details The application's method executes an SQL query with executeQuery, at line 24 of /src/main/webapp/vulnerability/sqli/download_id_union.jsp. The... Attack Vector
44		SQL_Injection	/src/main/webapp/vulnerability/sqli/download_id.jsp: 18	details The application's method executes an SQL query with executeQuery, at line 24 of /src/main/webapp/vulnerability/sqli/download_id.jsp. The applic... Attack Vector
45		SQL_Injection	/src/main/webapp/myprofile.jsp: 16	details The application's method executes an SQL query with executeQuery, at line 29 of /src/main/webapp/myprofile.jsp. The application constructs this ... Attack Vector
46		SQL_Injection	/src/main/webapp/myprofile.jsp: 16	details The application's method executes an SQL query with executeQuery, at line 21 of /src/main/webapp/myprofile.jsp. The application constructs this ... Attack Vector
47		SQL_Injection	/src/main/webapp/vulnerability/UserDetails.jsp: 8	details The application's method executes an SQL query with executeQuery, at line 13 of /src/main/webapp/vulnerability/UserDetails.jsp. The application ... Attack Vector
48		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 46	details The application's method executes an SQL query with executeUpdate, at line 58 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
49		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 45	details The application's method executes an SQL query with executeUpdate, at line 58 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
50		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 44	details The application's method executes an SQL query with executeUpdate, at line 58 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
51		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 43	details The application's method executes an SQL query with executeUpdate, at line 59 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
52		SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/Register.java: 43	details The application's method executes an SQL query with executeUpdate, at line 58 of /src/main/java/org/cysecurity/cspf/jvl/controller/Register.java... Attack Vector
53		SQL_Injection	/src/main/webapp/vulnerability/idor/change-email.jsp: 28	details The application's method executes an SQL query with executeUpdate, at line 32 of /src/main/webapp/vulnerability/idor/change-email.jsp. The appl... Attack Vector
54		SQL_Injection	/src/main/webapp/admin/manageusers.jsp: 13	details The application's method executes an SQL query with executeUpdate, at line 14 of /src/main/webapp/admin/manageusers.jsp. The application constru... Attack Vector
55		SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 11	details The application's method executes an SQL query with executeQuery, at line 19 of /src/main/webapp/admin/adminlogin.jsp. The application construct... Attack Vector
56		SQL_Injection	/src/main/webapp/vulnerability/forumposts.jsp: 9	details The application's method executes an SQL query with executeQuery, at line 14 of /src/main/webapp/vulnerability/forumposts.jsp. The application c... Attack Vector
57		SQL_Injection	/src/main/webapp/ForgotPassword.jsp: 42	details The application's method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The application constructs ... Attack Vector
58		SQL_Injection	/src/main/webapp/ForgotPassword.jsp: 42	details The application's method executes an SQL query with executeQuery, at line 42 of /src/main/webapp/ForgotPassword.jsp. The application constructs ... Attack Vector
59		SQL_Injection	/src/main/webapp/vulnerability/DisplayMessage.jsp: 16	details The application's method executes an SQL query with executeQuery, at line 16 of /src/main/webapp/vulnerability/DisplayMessage.jsp. The applicati... Attack Vector
60		Second_Order_SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The application's method executes an SQL query with BinaryExpr, at line 43 of /src/main/webapp/changeCardDetails.jsp. The application constructs... Attack Vector
61		Second_Order_SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The application's method executes an SQL query with BinaryExpr, at line 31 of /src/main/webapp/vulnerability/csrf/change-info.jsp. The applicat... Attack Vector
62		Second_Order_SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The application's method executes an SQL query with BinaryExpr, at line 40 of /src/main/webapp/vulnerability/csrf/changepassword.jsp. The applic... Attack Vector
63		Second_Order_SQL_Injection	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The application's method executes an SQL query with BinaryExpr, at line 14 of /src/main/webapp/vulnerability/Messages.jsp. The application const... Attack Vector
64		Second_Order_SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 19	details The application's method executes an SQL query with BinaryExpr, at line 43 of /src/main/webapp/changeCardDetails.jsp. The application constructs... Attack Vector
65		Second_Order_SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 19	details The application's method executes an SQL query with BinaryExpr, at line 31 of /src/main/webapp/vulnerability/csrf/change-info.jsp. The applicat... Attack Vector
66		Second_Order_SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 19	details The application's method executes an SQL query with BinaryExpr, at line 40 of /src/main/webapp/vulnerability/csrf/changepassword.jsp. The applic... Attack Vector
67		Second_Order_SQL_Injection	/src/main/webapp/admin/adminlogin.jsp: 19	details The application's method executes an SQL query with BinaryExpr, at line 14 of /src/main/webapp/vulnerability/Messages.jsp. The application const... Attack Vector
68		Stored_XSS	/src/main/webapp/vulnerability/Injection/orm.jsp: 12	details The method embeds untrusted data in generated output with print, at line 50 of /src/main/webapp/vulnerability/Injection/orm.jsp. This untrusted ... Attack Vector
69		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 52 of /src/main/webapp/changeCardDetails.jsp. This untrusted data is em... Attack Vector
70		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 35 of /src/main/webapp/vulnerability/csrf/change-info.jsp. This untrus... Attack Vector
71		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 32 of /src/main/webapp/vulnerability/forum.jsp. This untrusted data is ... Attack Vector
72		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 24 of /src/main/webapp/vulnerability/forum.jsp. This untrusted data is ... Attack Vector
73		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 5 of /src/main/webapp/index.jsp. This untrusted data is embedded into t... Attack Vector
74		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with getAttribute, at line 21 of /src/main/webapp/vulnerability/SendMessage.jsp. This untru... Attack Vector
75		Stored_XSS	/src/main/java/org/cysecurity/cspf/jvl/controller/LoginValidator.java: 52	details The method embeds untrusted data in generated output with print, at line 148 of /src/main/webapp/header.jsp. This untrusted data is embedded int... Attack Vector

More results are available on the CxOne platform

---

*AI agents that triage & remediate new issues in your PR scan. Learn more

Use @Checkmarx to interact with Checkmarx PR Assistant. New: ask the AI agent for remediation and automatically create a new pull request.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR
@Checkmarx remediate issues 1, 2, 7

[juegge]

Checkmarx One – AI Triage – 0bfe7d40-a04b-4112-a559-5d84dba4c537

---

1. CVE-2019-10744 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

While lodash 4.17.11 is declared in package.json, it is never imported or used anywhere in the application code. The vulnerable defaultsDeep function cannot be reached through any execution path.

---

2. Cx042e432f-e0c4 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The vulnerable code executes only during Docker build phase via npm postinstall hooks, which is explicitly excluded from reachability definition. No runtime execution path exists in the Java-based production application.

---

3. Cx07931ce7-8224 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The malicious package is declared but never imported, used, or installed in the application. No code paths lead to ua-parser-js execution, and the package.json appears to be a demonstration file rather than functional configuration for this Java application.

---

4. Cx28bd7545-eb30 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The vulnerable node-ipc package is declared but never imported or invoked anywhere in the application code. This is a Java web application with no Node.js runtime usage, making the package completely unreachable through application execution paths.

---

5. Cx299e146f-5a39 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The vulnerable 'scs' package is never imported or invoked in the application code. This Java-based application has no Node.js runtime integration, and the Docker container has no mechanisms to execute the package at runtime.

---

6. Cx43050644-3add · Critical

Triage context: Reachable · Exploitable

The typosquatted package is exploitable through automatic execution of malicious npm lifecycle hooks during installation. This requires only running npm install (a standard operation) with no authentication, user interaction, or special conditions, making it a low-complexity, high-impact supply chain attack.

---

7. Cx4737011d-347c · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The package is declared but never imported or used anywhere in the application code. No runtime execution paths exist that would invoke ua-parser-js. Installation-time execution does not constitute reachability per the definition excluding build/development environments.

---

8. Cx4a52ebed-4106 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The malicious 'momnet' package is declared but never imported or used in the application code. While it could execute during npm install, this occurs only in development/build environments, which are explicitly excluded from reachability assessment per the guidelines.

---

9. Cx4ba6c921-c998 · Critical · Suspected False Positive

Triage context: Not Reachable · Not Exploitable

The 'scs' package is present in node_modules but has no import statements, require calls, or execution paths in the application code. Static analysis confirms zero integration points, making the malicious functionality unreachable.

---

10. Cx4eb613b4-04e7 · Critical

Triage context: Reachable · Not Exploitable

Exploitation is confined to build-time execution during npm install in CI/CD pipelines. The framework explicitly excludes vulnerabilities only reachable in development, testing, or build environments from being considered exploitable in production, and no runtime execution paths exist.

---

Use @Checkmarx to interact with Checkmarx PR Assistant. New: ask the AI agent for remediation and automatically create a new pull request.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx remediate issues 1, 2, 7