Cases:¶
AppParser¶
-(Valid) Infrastructure/ApkParseHelper.cs, line 741 (Privacy Violation: Heap Inspection)
Evidence¶
// Source β secrets passed as command-line arguments
await GetOutputFromCommand(
"java",
$"{_maxJavaMemorySize} -jar {BundleTool} build-apks --bundle=\"{filePath}\" " +
$"--output=\"{targetApksFile}\" --ks=\"{keyStoreFile}\" " +
$"--ks-pass=pass:{keyStorePass} --ks-key-alias={yourKeyAlias} " +
$"--key-pass=pass:{yourKeyPassword} --mode=universal",
cancellationToken);
AspnetCore¶
-
π΄ (FP β False Positive) Infrastructure/AppleConnectApi/AppleConnectApiWrapper.cs, line 23 (Key Management: Hardcoded Encryption Key)
-
π΄ (FP β False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 46 (Key Management: Hardcoded Encryption Key)
-
π΄ (FP β False Positive) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 33 (Key Management: Hardcoded Encryption Key)
-
π (Valid β Risk Accepted) Infrastructure/AppleConnectApi/AppleConnectApiWrapper.cs, line 26 (Privacy Violation: Heap Inspection) [Secret Handling 4]
-
π (Valid β Risk Accepted) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 36 (Privacy Violation: Heap Inspection)
-
π (Valid β Risk Accepted) Infrastructure/AppleConnectApi/AppleEnterpriseApiWrapper.cs, line 36 (Privacy Violation: Heap Inspection)
-
π (Valid β Risk Accepted) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 49 (Privacy Violation: Heap Inspection)
-
π (FP β False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 123 (Server-Side Request Forgery)
-
π (FP β False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 95 (Server-Side Request Forgery)
-
π (FP β False Positive) Infrastructure/AppleConnectApi/AppleConnectApiConnectorBase.cs, line 705 (Server-Side Request Forgery)
Appcircle Core¶
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1360 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 182 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1091 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 87 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1850 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1527 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1254 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 345 (Header Manipulation)
-
π (FP β False Positive) Business/Keycloak/KeycloakClient.cs, line 1568 (Header Manipulation)
-
π (Valid β Fix Required) Helpers/StringExtension.cs, line 132 (Insecure Randomness) [Cryptography & Randomness 1]
-
π΄ Valid β Fix Required Business/Keycloak/KeycloakClient.cs, line 1797 (Insecure SSL: Server Identity Verification Disabled)
-
π (FP β False Positive) ErrorCodes.cs, line 99 (Password Management: Hardcoded Password)
-
π΄ (FP β False Positive) (Requires Fix Naming) Package: Appcircle.Core.Cryptography Cryptography/AesEncriptionHelper.cs, line 46 (Privacy Violation)
-
π (FP β False Positive) Workflow/Engine/MockWorkflowEngine.cs, line 115 (Unreleased Resource: Streams)
-
π (FP β False Positive) Workflow/Engine/WorkflowEngine.cs, line 236 (Unreleased Resource: Streams)
-
π (FP β False Positive) Workflow/Engine/WorkflowEngine.cs, line 191 (Unreleased Resource: Streams)
-
π (Valid β Fix Required) Cryptography/AesEncriptionHelper.cs, line 36 (Weak Encryption: Insecure Mode of Operation)
-
π (Valid β Fix Required) Cryptography/AesEncriptionHelper.cs, line 86 (Weak Encryption: Insecure Mode of Operation)
-
π (Valid β Fix Required) Cryptography/RijndaelHelper.cs, line 103 (Weak Encryption: Insecure Mode of Operation)
-
π (Valid β Fix Required) Cryptography/RijndaelHelper.cs, line 52
(Weak Encryption: Insecure Mode of Operation)
License Server¶
- π (FP β False Positive) (Remove unused method) Migrations/Migration4.cs, line 87 (Insecure Randomness)
Apigateway¶
-
π (FP β False Positive) Middlewares/IdentityModel/HttpClientUserInfoExtensions.cs, line 330 (Password Management: Empty Password)
-
π (Valid) Infrastructure/ConfigGenerator.cs, line 50 (Path Manipulation)
-
π (FP β False Positive) Middlewares/IdentityModel/HttpClientUserInfoExtensions.cs, line 280 (Privacy Violation: Heap Inspection)
-
π (Valid) Middlewares/KeycloakMiddleware.cs, line 564 (Privacy Violation: Heap Inspection)
Build Server¶
-
(Valid) Appcircle.BuildServer.WebApi/Controllers/VariableGroupsController.cs, line 629 [API Validation,1-2]
-
(Valid) Appcircle.BuildServer.WebApi/Controllers/VariableGroupsController.cs, line 617 [API Validation,1-2]
-
(Valid) Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 3262 (Insecure Randomness) [API Validation,1-2]
-
(Valid) Appcircle.BuildServer.Domain/Infrastructure/AgentUploadFeature/ AgentUploadMinio.cs, line 301 (Insecure Randomness) [Cryptography & Randomness 1]
- Test-only or diagnostic code is **wrapped in `#if DEBUG` / `#endif`** and **excluded from Release builds**.
- Any code path that should **never run in production** performs an explicit **environment check** (e.g., `ASPNETCORE_ENVIRONMENT != "Production"`).
-
(Need Analysis) Appcircle.BuildServer.Mongo/Migrations/Migrationv10.cs, line 137 (Insecure Randomness) [Cryptography & Randomness 1]
-
Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2525 (Privacy Violation: Heap Inspection)
- Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2531 (Privacy Violation: Heap Inspection)
- Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2531 (Privacy Violation: Heap Inspection)
- Appcircle.BuildServer.Domain/ApplicationAdapter.cs, line 2525 (Privacy Violation: Heap Inspection)
-
(Invalid) Appcircle.BuildServer.Domain/Infrastructure/GitClient/Bitbucket/Cloud/ BitbucketRepoHttpAccessTokenProvider.cs, line 384 (Server-Side Request Forgery)
-
(Invalid) Appcircle.BuildServer.Domain/Infrastructure/GitClient/Bitbucket/Cloud/ BitbucketOauthProvider.cs, line 391 (Server-Side Request Forgery)