Code Security Report: 10 high severity findings, 15 total findings [master]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2026-04-08 07:28am
Total Findings: 15 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 51
Detected Programming Languages: 1 (JavaScript / TypeScript*)

• Check this box to manually trigger a scan

Note: GitHub may take a few seconds to process actions triggered via checkboxes.
Please wait until the change is visible before continuing.

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	Code Injection	CWE-94	contributions.js:32	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/contributions.js Lines 27 to 32 in 7738111 this.handleContributionsUpdate = (req, res, next) => { /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 52 in 7738111 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); analytics-processor-1466/app/routes/contributions.js Line 28 in 7738111 this.handleContributionsUpdate = (req, res, next) => { analytics-processor-1466/app/routes/contributions.js Line 32 in 7738111 const preTax = eval(req.body.preTax); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	NoSQL Injection	CWE-943	user-dao.js:91	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/data/user-dao.js Lines 86 to 91 in 7738111 noSuchUserError.noSuchUser = true; callback(noSuchUserError, null); } }; usersCol.findOne({ 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 34 in 7738111 app.post("/login", sessionHandler.handleLoginRequest); analytics-processor-1466/app/routes/session.js Line 53 in 7738111 this.handleLoginRequest = (req, res, next) => { analytics-processor-1466/app/routes/session.js Line 57 in 7738111 } = req.body; analytics-processor-1466/app/routes/session.js Line 55 in 7738111 userName, analytics-processor-1466/app/routes/session.js Line 58 in 7738111 userDAO.validateLogin(userName, password, (err, user) => { analytics-processor-1466/app/data/user-dao.js Line 57 in 7738111 this.validateLogin = (userName, password, callback) => { analytics-processor-1466/app/data/user-dao.js Line 92 in 7738111 userName: userName analytics-processor-1466/app/data/user-dao.js Line 91 in 7738111 usersCol.findOne({ Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior NoSQL Injection Training ● Videos    ▪ Secure Code Warrior NoSQL Injection Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Server Side Request Forgery	CWE-918	research.js:16	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/research.js Lines 11 to 16 in 7738111 this.displayResearch = (req, res) => { if (req.query.symbol) { const url = req.query.url + req.query.symbol; return needle.get(url, (error, newResponse, body) => { 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 76 in 7738111 app.get("/research", isLoggedIn, researchHandler.displayResearch); analytics-processor-1466/app/routes/research.js Line 12 in 7738111 this.displayResearch = (req, res) => { analytics-processor-1466/app/routes/research.js Line 15 in 7738111 const url = req.query.url + req.query.symbol; analytics-processor-1466/app/routes/research.js Line 16 in 7738111 return needle.get(url, (error, newResponse, body) => { Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Server Side Request Forgery Training ● Videos    ▪ Secure Code Warrior Server Side Request Forgery Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	NoSQL Injection	CWE-943	user-dao.js:104	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/data/user-dao.js Lines 99 to 104 in 7738111 _id: parseInt(userId) }, callback); }; this.getUserByUserName = (userName, callback) => { usersCol.findOne({ 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 38 in 7738111 app.post("/signup", sessionHandler.handleSignup); analytics-processor-1466/app/routes/session.js Line 189 in 7738111 this.handleSignup = (req, res, next) => { analytics-processor-1466/app/routes/session.js Line 198 in 7738111 } = req.body; analytics-processor-1466/app/routes/session.js Line 193 in 7738111 userName, analytics-processor-1466/app/routes/session.js Line 208 in 7738111 userDAO.getUserByUserName(userName, (err, user) => { analytics-processor-1466/app/data/user-dao.js Line 103 in 7738111 this.getUserByUserName = (userName, callback) => { analytics-processor-1466/app/data/user-dao.js Line 105 in 7738111 userName: userName analytics-processor-1466/app/data/user-dao.js Line 104 in 7738111 usersCol.findOne({ Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior NoSQL Injection Training ● Videos    ▪ Secure Code Warrior NoSQL Injection Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Code Injection	CWE-94	contributions.js:33	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/contributions.js Lines 28 to 33 in 7738111 this.handleContributionsUpdate = (req, res, next) => { /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); const afterTax = eval(req.body.afterTax); 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 52 in 7738111 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); analytics-processor-1466/app/routes/contributions.js Line 28 in 7738111 this.handleContributionsUpdate = (req, res, next) => { analytics-processor-1466/app/routes/contributions.js Line 33 in 7738111 const afterTax = eval(req.body.afterTax); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	NoSQL Injection	CWE-943	memos-dao.js:23	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/data/memos-dao.js Lines 18 to 23 in 7738111 const memos = { memo, timestamp: new Date() }; memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 67 in 7738111 app.post("/memos", isLoggedIn, memosHandler.addMemos); analytics-processor-1466/app/routes/memos.js Line 11 in 7738111 this.addMemos = (req, res, next) => { analytics-processor-1466/app/routes/memos.js Line 13 in 7738111 memosDAO.insert(req.body.memo, (err, docs) => { analytics-processor-1466/app/data/memos-dao.js Line 15 in 7738111 this.insert = (memo, callback) => { analytics-processor-1466/app/data/memos-dao.js Line 19 in 7738111 memo, analytics-processor-1466/app/data/memos-dao.js Line 23 in 7738111 memosCol.insert(memos, (err, result) => !err ? callback(null, result) : callback(err, null)); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior NoSQL Injection Training ● Videos    ▪ Secure Code Warrior NoSQL Injection Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	NoSQL Injection	CWE-943	allocations-dao.js:86	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/data/allocations-dao.js Lines 81 to 86 in 7738111 return { userId: parsedUserId }; }; allocationsCol.find(searchCriteria()).toArray((err, allocations) => { 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 63 in 7738111 app.get("/allocations/:userId", isLoggedIn, allocationsHandler.displayAllocations); analytics-processor-1466/app/routes/allocations.js Line 11 in 7738111 this.displayAllocations = (req, res, next) => { analytics-processor-1466/app/routes/allocations.js Line 21 in 7738111 } = req.query; analytics-processor-1466/app/routes/allocations.js Line 20 in 7738111 threshold analytics-processor-1466/app/routes/allocations.js Line 23 in 7738111 allocationsDAO.getByUserIdAndThreshold(userId, threshold, (err, allocations) => { analytics-processor-1466/app/data/allocations-dao.js Line 57 in 7738111 this.getByUserIdAndThreshold = (userId, threshold, callback) => { analytics-processor-1466/app/data/allocations-dao.js Line 86 in 7738111 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { analytics-processor-1466/app/data/allocations-dao.js Line 60 in 7738111 const searchCriteria = () => { analytics-processor-1466/app/data/allocations-dao.js Line 78 in 7738111 $where: `this.userId == ${parsedUserId} && this.stocks > '${threshold}'` analytics-processor-1466/app/data/allocations-dao.js Line 86 in 7738111 allocationsCol.find(searchCriteria()).toArray((err, allocations) => { Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior NoSQL Injection Training ● Videos    ▪ Secure Code Warrior NoSQL Injection Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Code Injection	CWE-94	profile.js:65	7	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/profile.js Lines 60 to 65 in 7738111 // Allow only numbers with a suffix of the letter #, for example: 'XXXXXX#' const testComplyWithRequirements = regexPattern.test(bankRouting); // if the regex test fails we do not allow saving if (testComplyWithRequirements !== true) { const firstNameSafeString = firstName; return res.render("profile", { 7 Data Flow/s detected View Data Flow 1 analytics-processor-1466/app/routes/index.js Line 48 in 7738111 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); analytics-processor-1466/app/routes/profile.js Line 40 in 7738111 this.handleProfileUpdate = (req, res, next) => { analytics-processor-1466/app/routes/profile.js Line 50 in 7738111 } = req.body; analytics-processor-1466/app/routes/profile.js Line 47 in 7738111 address, analytics-processor-1466/app/routes/profile.js Line 71 in 7738111 address, analytics-processor-1466/app/routes/profile.js Line 65 in 7738111 return res.render("profile", { View Data Flow 2 analytics-processor-1466/app/routes/index.js Line 48 in 7738111 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); analytics-processor-1466/app/routes/profile.js Line 40 in 7738111 this.handleProfileUpdate = (req, res, next) => { analytics-processor-1466/app/routes/profile.js Line 50 in 7738111 } = req.body; analytics-processor-1466/app/routes/profile.js Line 48 in 7738111 bankAcc, analytics-processor-1466/app/routes/profile.js Line 72 in 7738111 bankAcc, analytics-processor-1466/app/routes/profile.js Line 65 in 7738111 return res.render("profile", { View Data Flow 3 analytics-processor-1466/app/routes/index.js Line 48 in 7738111 app.post("/profile", isLoggedIn, profileHandler.handleProfileUpdate); analytics-processor-1466/app/routes/profile.js Line 40 in 7738111 this.handleProfileUpdate = (req, res, next) => { analytics-processor-1466/app/routes/profile.js Line 50 in 7738111 } = req.body; analytics-processor-1466/app/routes/profile.js Line 49 in 7738111 bankRouting analytics-processor-1466/app/routes/profile.js Line 73 in 7738111 bankRouting, analytics-processor-1466/app/routes/profile.js Line 65 in 7738111 return res.render("profile", { View more Data Flows Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Code Injection	CWE-94	contributions.js:34	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/contributions.js Lines 29 to 34 in 7738111 /*jslint evil: true */ // Insecure use of eval() to parse inputs const preTax = eval(req.body.preTax); const afterTax = eval(req.body.afterTax); const roth = eval(req.body.roth); 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 52 in 7738111 app.post("/contributions", isLoggedIn, contributionsHandler.handleContributionsUpdate); analytics-processor-1466/app/routes/contributions.js Line 28 in 7738111 this.handleContributionsUpdate = (req, res, next) => { analytics-processor-1466/app/routes/contributions.js Line 34 in 7738111 const roth = eval(req.body.roth); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Code Injection	CWE-94	error.js:10	1	2026-04-08 07:28am
Vulnerable Code analytics-processor-1466/app/routes/error.js Lines 5 to 10 in 7738111 "use strict"; console.error(err.message); console.error(err.stack); res.status(500); res.render("error-template", { 1 Data Flow/s detected analytics-processor-1466/app/routes/index.js Line 82 in 7738111 app.use(ErrorHandler); analytics-processor-1466/app/routes/error.js Line 3 in 7738111 const errorHandler = (err, req, res,next) => { analytics-processor-1466/app/routes/error.js Line 11 in 7738111 error: err analytics-processor-1466/app/routes/error.js Line 10 in 7738111 res.render("error-template", { Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Code Injection Training ● Videos    ▪ Secure Code Warrior Code Injection Video ● Further Reading    ▪ OWASP Command Injection Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Code Injection	CWE-94	JavaScript / TypeScript*	5
High	Server Side Request Forgery	CWE-918	JavaScript / TypeScript*	1
High	NoSQL Injection	CWE-943	JavaScript / TypeScript*	4
Low	Regex Denial of Service (ReDoS)	CWE-1333	JavaScript / TypeScript*	1
Low	Unvalidated/Open Redirect	CWE-601	JavaScript / TypeScript*	1
Low	Log Forging	CWE-117	JavaScript / TypeScript*	2
Low	Sensitive Cookie Without 'Secure' Attribute	CWE-614	JavaScript / TypeScript*	1