
@kerenr-jfrog

@kerenr-jfrog kerenr-jfrog commented Dec 3, 2025

  • All tests passed. If this feature is not already covered by the tests, I added new tests.
  • This pull request is on the dev branch.
  • I used gofmt for formatting the code before submitting the pull request.
  • Update documentation about new features / new supported technologies

  • Added new SCA support for scan pull request as well as scan repository
  • Deprecated JF_SKIP_AUTO_INSTALL env var

@kerenr-jfrog kerenr-jfrog requested a review from orto17 December 3, 2025 11:51
@kerenr-jfrog kerenr-jfrog added the labels "safe to test" (Approve running integration tests on a pull request) and "improvement" (Automatically generated release notes) Dec 3, 2025
@github-actions github-actions bot removed the "safe to test" label Dec 3, 2025
@kerenr-jfrog kerenr-jfrog added the "safe to test" label Dec 3, 2025
@github-actions github-actions bot removed the "safe to test" label Dec 3, 2025
@kerenr-jfrog kerenr-jfrog added the "safe to test" label Dec 4, 2025
@github-actions github-actions bot removed the "safe to test" label Dec 4, 2025
@jfrog jfrog deleted a comment from github-actions bot Dec 4, 2025
# Conflicts:
#	go.mod
#	go.sum
#	scanpullrequest/scanpullrequest.go
#	scanrepository/scanrepository.go
#	utils/params.go
SetUseWrapper(*sc.UseWrapper).
SetMaxTreeDepth(sc.MaxPnpmTreeDepth).
SetDepsRepo(sc.DepsRepo).
SetIgnoreConfigFile(true).

I don't even know what this is?
@attiasas


IDK, I can't find any real usage in the Security-CLI

auditBasicParams := (&audit.AuditBasicParams{}).
SetXrayVersion(sc.XrayVersion).
SetXscVersion(sc.XscVersion).
SetPipRequirementsFile(sc.PipRequirementsFile).

This scares me. For scan and fix we don't support it on paper, but how will our scan and fix work without it?
Isn't it mandatory for pip to work?
@orto17

func (sc *ScanDetails) RunInstallAndAudit(workDirs ...string) (auditResults *results.SecurityCommandResults) {
auditBasicParams := (&audit.AuditBasicParams{}).
SetXrayVersion(sc.XrayVersion).
SetXscVersion(sc.XscVersion).

can we please kill xsc @orto17

@kerenr-jfrog kerenr-jfrog mentioned this pull request Dec 8, 2025
@kerenr-jfrog kerenr-jfrog added the "safe to test" label Dec 9, 2025
@github-actions github-actions bot removed the "safe to test" label Dec 9, 2025
@kerenr-jfrog kerenr-jfrog added the "safe to test" label Dec 10, 2025
@github-actions github-actions bot removed the "safe to test" label Dec 10, 2025
@github-actions

🚨 Frogbot scanned this pull request and found the below:

📗 Scan Summary

  • Frogbot scanned for vulnerabilities and found 5 issues
Scan Category                              | Status  | Security Issues
Software Composition Analysis              | ✅ Done | Not Found
Contextual Analysis                        | ✅ Done | -
Static Application Security Testing (SAST) | ✅ Done | 5 Issues Found (5 Medium)
Secrets                                    | ✅ Done | -
Infrastructure as Code (IaC)               | ✅ Done | Not Found


@github-actions

file

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanrepository/scanrepository_test.go (line 780)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content

Vulnerability Details

Rule ID: go-stored-xss

Overview

Stored Cross-Site Scripting (XSS) is a type of vulnerability where malicious
scripts are injected into a web application and stored in a persistent state,
such as a database. When other users access the affected page, the stored
scripts are executed in their browsers, leading to various attacks.

Vulnerable example

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    // Scan the stored row into a string; the original snippet passed the *sql.Row itself to Fprintf.
    var message string
    _ = db.QueryRow("SELECT message FROM messages WHERE id = 1").Scan(&message)
    // Sink: the stored value is written into the HTML body without escaping.
    fmt.Fprintf(w, "<h1>%s</h1>", message)
}

In this example, the serveMessage function retrieves a message from the
database and directly embeds it into an HTML response without proper escaping.
If the message contains malicious scripts, it can lead to Stored XSS attacks
when other users view the page.

Remediation

To mitigate Stored XSS vulnerabilities, always sanitize and encode user
input before storing it in a persistent state and before displaying it
to other users:

func serveMessage(w http.ResponseWriter, r *http.Request) {
    db, _ := sql.Open("sqlite3", "test.db")
    var message string
    _ = db.QueryRow("SELECT message FROM messages WHERE id = 1").Scan(&message)
-   fmt.Fprintf(w, "<h1>%s</h1>", message)
+   fmt.Fprintf(w, "<h1>%s</h1>", html.EscapeString(message))
}

In the remediation, we've used the html.EscapeString function to escape
the message before embedding it into the HTML response. This helps prevent
the execution of malicious scripts and mitigates the Stored XSS vulnerability.

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanrepository/scanrepository_test.go line 778)

↘️ file (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanrepository/scanrepository_test.go line 778)

↘️ file (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanrepository/scanrepository_test.go line 780)




@github-actions

file

at scanrepository/scanrepository_test.go (line 780)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(fmt.Sprintf("%s.tar.gz", projectName)) (at scanrepository/scanrepository_test.go line 778)

↘️ file (at scanrepository/scanrepository_test.go line 778)

↘️ file (at scanrepository/scanrepository_test.go line 780)




@github-actions

comments

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go (line 1123)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1121)

↘️ comments (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1121)

↘️ comments (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1123)




@github-actions

discussions

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go (line 1158)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1156)

↘️ discussions (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1156)

↘️ discussions (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1158)




@github-actions

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1109)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1107)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1107)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1109)




@github-actions

repoFile

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go (line 1109)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "sourceBranch.gz")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1107)

↘️ repoFile (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1107)

↘️ repoFile (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1109)




@github-actions

repoFile

at scanpullrequest/scanpullrequest_test.go (line 1116)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at scanpullrequest/scanpullrequest_test.go line 1114)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1114)

↘️ repoFile (at scanpullrequest/scanpullrequest_test.go line 1116)




@github-actions

repoFile

at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go (line 1116)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", params.RepoName, "targetBranch.gz")) (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1114)

↘️ repoFile (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1114)

↘️ repoFile (at file:///C:/Users/runneradmin/AppData/Local/Temp/jfrog.cli.temp.-1765367994-2004562840/scanpullrequest/scanpullrequest_test.go line 1116)




@github-actions

comments

at scanpullrequest/scanpullrequest_test.go (line 1123)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "commits.json")) (at scanpullrequest/scanpullrequest_test.go line 1121)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1121)

↘️ comments (at scanpullrequest/scanpullrequest_test.go line 1123)




@github-actions

discussions

at scanpullrequest/scanpullrequest_test.go (line 1158)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Medium
Finding: Untrusted stored value is included in web page content
Rule ID: go-stored-xss (described in the first SAST finding above)

Code Flows
Vulnerable data flow analysis result

↘️ os.ReadFile(filepath.Join("..", "list_merge_request_discussion_items.json")) (at scanpullrequest/scanpullrequest_test.go line 1156)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1156)

↘️ discussions (at scanpullrequest/scanpullrequest_test.go line 1158)




# Conflicts:
#	scanpullrequest/scanpullrequest.go
#	scanrepository/scanrepository.go
#	utils/consts.go
#	utils/scandetails.go
@orto17 orto17 merged commit 43c1ffa into jfrog:v3_er Dec 11, 2025
4 of 6 checks passed