Merge pull request #8728 from ProcessMaker/feature/FOUR-29250 #10163
Annotations
14 errors and 1 warning
io.Cross-Site Scripting (XSS) (1):
The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/vendor/processmaker/packages/package-savedsearch/js/addSaveButton.js'. An attacker may be able to inject JavaScript using the code 'location.href' at line 2:315254 and control its display using the code 'setTimeout' at line 2:230985

io.Cross-Site Scripting (XSS) (2):
The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/vendor/processmaker/packages/package-ai/js/webhook.js'. An attacker may be able to inject JavaScript using the code 'location.href' at line 2:288441 and control its display using the code 'setTimeout' at line 2:34103

io.Cross-Site Scripting (XSS) (3):
The potentially vulnerable code was found on url 'https://performancetest-qa.processmaker.net/builds/login/js/app-login.js'. An attacker may be able to inject JavaScript using the code 'document.cookie' at line 2:12994 and control its display using the code 'setTimeout' at line 2:1267

io.Transport Layer Security (TLS/SSL) (1):
The cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 is weak.

io.Transport Layer Security (TLS/SSL) (2):
The cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 is weak.

io.Transport Layer Security (TLS/SSL) (3):
The CN or SAN in the certificate does not match the tested URL.

io.Transport Layer Security (TLS/SSL) (4):
TLS 1.0 is offered by the server. This version of TLS is deprecated. You should use TLS 1.2 or TLS 1.3.

io.Transport Layer Security (TLS/SSL) (5):
OCSP_stapling is not offered by the server.

io.HTTP Header (1):
The content security policy is missing the report-to directive. This was found on URL https://performancetest-qa.processmaker.net

io.HTTP Header (2):
The cookie with the name 'device_id' does not have the flag 'HttpOnly' set. This may leak sensitive information. This was found on URL https://performancetest-qa.processmaker.net.

io.HTTP Header (3):
The Referrer-Policy header is not set for URL https://performancetest-qa.processmaker.net.

io.Portscan (1):
Found open port '80/tcp' with service name 'awselb/2.0'

io.Portscan (2):
Found open port '443/tcp' with service name 'awselb/2.0'

io.Fuzzer (1):
Retrieved https://performancetest-qa.processmaker.net/metrics by using a GET request on the URL without prior knowledge.
Scan
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v2, sonarsource/sonarqube-scan-action@master. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/