Skip to content

Cases:

AppParser

-(Valid) Infrastructure/ApkParseHelper.cs, line 741 (Privacy Violation: Heap Inspection)

Evidence

// Source – secrets passed as command-line arguments
await GetOutputFromCommand(
    "java",
    $"{_maxJavaMemorySize} -jar {BundleTool} build-apks --bundle=\"{filePath}\" " +
    $"--output=\"{targetApksFile}\" --ks=\"{keyStoreFile}\" " +
    $"--ks-pass=pass:{keyStorePass} --ks-key-alias={yourKeyAlias} " +
    $"--key-pass=pass:{yourKeyPassword} --mode=universal",
    cancellationToken);

AspnetCore

  • πŸ”΄ (FP – False Positive) Infrastructure/AppleConnectApi/AppleConnectApiWrapper.cs, line 23 (Key Management: Hardcoded Encryption Key)

  • πŸ”΄ (FP – False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 46 (Key Management: Hardcoded Encryption Key)

  • πŸ”΄ (FP – False Positive) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 33 (Key Management: Hardcoded Encryption Key)

  • 🟠 (Valid – Risk Accepted) Infrastructure/AppleConnectApi/AppleConnectApiWrapper.cs, line 26 (Privacy Violation: Heap Inspection) [Secret Handling 4]

  • 🟠 (Valid – Risk Accepted) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 36 (Privacy Violation: Heap Inspection)

  • 🟠 (Valid – Risk Accepted) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 36 (Privacy Violation: Heap Inspection)

  • 🟠 (Valid – Risk Accepted) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 49 (Privacy Violation: Heap Inspection)

  • 🟠 (FP – False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 123 (Server-Side Request Forgery)

  • 🟠 (FP – False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 95 (Server-Side Request Forgery)

  • 🟠 (FP – False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 705 (Server-Side Request Forgery)

Appcircle Core

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1360 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 182 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1091 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 87 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1850 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1527 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1254 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 345 (Header Manipulation)

  • 🟠 (FP – False Positive) Business/Keycloak/KeycloakClient.cs, line 1568 (Header Manipulation)

  • 🟠 (Valid – Fix Required) Helpers/StringExtension.cs, line 132 (Insecure Randomness) [Cryptography & Randomness 1]

  • πŸ”΄ Valid – Fix Required Business/Keycloak/KeycloakClient.cs, line 1797 (Insecure SSL: Server Identity Verification Disabled)

  • 🟠 (FP – False Positive) ErrorCodes.cs, line 99 (Password Management: Hardcoded Password)

  • πŸ”΄ (FP – False Positive) (Requires Fix Naming) Package: Appcircle.Core.Cryptography Cryptography/AesEncriptionHelper.cs, line 46 (Privacy Violation)

  • 🟠 (FP – False Positive) Workflow/Engine/MockWorkflowEngine.cs, line 115 (Unreleased Resource: Streams)

  • 🟠 (FP – False Positive) Workflow/Engine/WorkflowEngine.cs, line 236 (Unreleased Resource: Streams)

  • 🟠 (FP – False Positive) Workflow/Engine/WorkflowEngine.cs, line 191 (Unreleased Resource: Streams)

  • 🟠 (Valid – Fix Required) Cryptography/AesEncriptionHelper.cs, line 36 (Weak Encryption: Insecure Mode of Operation)

  • 🟠 (Valid – Fix Required) Cryptography/AesEncriptionHelper.cs, line 86 (Weak Encryption: Insecure Mode of Operation)

  • 🟠 (Valid – Fix Required) Cryptography/RijndaelHelper.cs, line 103 (Weak Encryption: Insecure Mode of Operation)

  • 🟠 (Valid – Fix Required) Cryptography/RijndaelHelper.cs, line 52
    (Weak Encryption: Insecure Mode of Operation)

License Server

  • 🟠 (FP – False Positive) (Remove unused method) Migrations/Migration4.cs, line 87 (Insecure Randomness)

Apigateway

  • 🟠 (FP – False Positive) Middlewares/IdentityModel/HttpClientUserInfoExtensions.cs, line 330 (Password Management: Empty Password)

  • 🟠 (Valid) Infrastructure/ConfigGenerator.cs, line 50 (Path Manipulation)

  • 🟠 (FP – False Positive) Middlewares/IdentityModel/HttpClientUserInfoExtensions.cs, line 280 (Privacy Violation: Heap Inspection)

  • 🟠 (Valid) Middlewares/KeycloakMiddleware.cs, line 564 (Privacy Violation: Heap Inspection)

Build Server

  • (Valid) Appcircle.BuildServer.WebApi/Controllers/VariableGroupsController.cs, line 629 [API Validation,1-2]

  • (Valid) Appcircle.BuildServer.WebApi/Controllers/VariableGroupsController.cs, line 617 [API Validation,1-2]

  • (Valid) Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 3262 (Insecure Randomness) [API Validation,1-2]

  • (Valid) Appcircle.BuildServer.Domain/Infrastructure/AgentUploadFeature/ AgentUploadMinio.cs, line 301 (Insecure Randomness) [Cryptography & Randomness 1]

- Test-only or diagnostic code is **wrapped in `#if DEBUG` / `#endif`** and **excluded from Release builds**.
- Any code path that should **never run in production** performs an explicit **environment check** (e.g., `ASPNETCORE_ENVIRONMENT != "Production"`).
  • (Need Analysis) Appcircle.BuildServer.Mongo/Migrations/Migrationv10.cs, line 137 (Insecure Randomness) [Cryptography & Randomness 1]

  • Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2525 (Privacy Violation: Heap Inspection)

  • Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2531 (Privacy Violation: Heap Inspection)
  • Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2531 (Privacy Violation: Heap Inspection)
  • Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2525 (Privacy Violation: Heap Inspection)
  • (Invalid) Appcircle.BuildServer.Domain/Infrastructure/GitClient/Bitbucket/Cloud/ BitbucketRepoHttpAccessTokenProvider.cs, line 384 (Server-Side Request Forgery)

  • (Invalid) Appcircle.BuildServer.Domain/Infrastructure/GitClient/Bitbucket/Cloud/ BitbucketOauthProvider.cs, line 391 (Server-Side Request Forgery)