refractor code,
This commit is contained in:
@@ -0,0 +1,67 @@
|
||||
# Compliance Framework Summary
|
||||
|
||||
**Total Findings:** 712
|
||||
**Findings with Compliance Mappings:** 712 (100.0%)
|
||||
|
||||
## Framework Coverage
|
||||
|
||||
| Framework | Coverage |
|
||||
|-----------|----------|
|
||||
| **OWASP Top 10 2021** | 4/10 categories |
|
||||
| **CWE Top 25 2024** | 6/25 weaknesses |
|
||||
| **CIS Controls v8.1** | 7 controls |
|
||||
| **NIST CSF 2.0** | 1427 mappings across 4 functions |
|
||||
| **PCI DSS 4.0** | 5 requirements |
|
||||
| **MITRE ATT&CK** | 4 techniques |
|
||||
|
||||
## OWASP Top 10 2021
|
||||
|
||||
| Category | Findings |
|
||||
|----------|----------|
|
||||
| A01:2021 | 4 |
|
||||
| A02:2021 | 42 |
|
||||
| A03:2021 | 6 |
|
||||
| A10:2021 | 2 |
|
||||
|
||||
## CWE Top 25 2024 (Top 10 Most Frequent)
|
||||
|
||||
| CWE ID | Rank | Findings |
|
||||
|--------|------|----------|
|
||||
| CWE-798 | 18 | 41 |
|
||||
| CWE-863 | 24 | 3 |
|
||||
| CWE-79 | 1 | 3 |
|
||||
| CWE-918 | 19 | 2 |
|
||||
| CWE-20 | 4 | 1 |
|
||||
| CWE-362 | 21 | 1 |
|
||||
|
||||
## NIST Cybersecurity Framework 2.0
|
||||
|
||||
| Function | Findings |
|
||||
|----------|----------|
|
||||
| GOVERN | 671 |
|
||||
| IDENTIFY | 671 |
|
||||
| PROTECT | 82 |
|
||||
| DETECT | 3 |
|
||||
|
||||
## PCI DSS 4.0
|
||||
|
||||
**Requirements with Findings:** 5
|
||||
|
||||
See `PCI_DSS_COMPLIANCE.md` for detailed PCI DSS compliance report.
|
||||
|
||||
## MITRE ATT&CK
|
||||
|
||||
**Techniques Detected:** 4
|
||||
|
||||
See `attack-navigator.json` for interactive ATT&CK Navigator visualization.
|
||||
|
||||
**Top 5 Techniques:**
|
||||
|
||||
1. **T1195** - Supply Chain Compromise (671 findings)
|
||||
2. **T1552** - Unsecured Credentials (41 findings)
|
||||
3. **T1078** - Valid Accounts (41 findings)
|
||||
4. **T1190** - Exploit Public-Facing Application (3 findings)
|
||||
|
||||
---
|
||||
|
||||
*Generated by JMo Security Audit Tool Suite*
|
||||
@@ -0,0 +1,174 @@
|
||||
# PCI DSS 4.0 Compliance Report
|
||||
|
||||
**Total Findings:** 712
|
||||
**Requirements Affected:** 5
|
||||
|
||||
## Executive Summary
|
||||
|
||||
| Severity | Count |
|
||||
|----------|-------|
|
||||
| **CRITICAL** | 1 |
|
||||
| **HIGH** | 21 |
|
||||
| **MEDIUM** | 59 |
|
||||
| **LOW** | 9 |
|
||||
|
||||
## Findings by PCI DSS Requirement
|
||||
|
||||
### Requirement 6.2.4: Prevent XSS attacks in bespoke software
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 3
|
||||
|
||||
- **MEDIUM**: 3 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `CVE-2026-44580` - Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[MEDIUM]** `CVE-2026-44581` - Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-41305` - postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 6.3.3: Security vulnerabilities are identified and managed
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 671
|
||||
|
||||
- **CRITICAL**: 1 findings
|
||||
- **HIGH**: 21 findings
|
||||
- **MEDIUM**: 18 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 8.2.1: Verify user identity before credential modification
|
||||
|
||||
**Priority:** HIGH
|
||||
**Findings:** 41
|
||||
|
||||
- **MEDIUM**: 41 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
||||
- Location: `/scan/.env.docker.production.example:0`
|
||||
|
||||
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.local:0`
|
||||
|
||||
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.dev:0`
|
||||
|
||||
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.test:0`
|
||||
|
||||
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 8.3.2: Strong cryptography for authentication credentials
|
||||
|
||||
**Priority:** CRITICAL
|
||||
**Findings:** 41
|
||||
|
||||
- **MEDIUM**: 41 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[MEDIUM]** `Postgres` - postgresql://postgres:24DY&1u5FLCkNMeiO_p@postgres:5432
|
||||
- Location: `/scan/.env.docker.production.example:0`
|
||||
|
||||
2. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.local:0`
|
||||
|
||||
3. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.dev:0`
|
||||
|
||||
4. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.env.docker.test:0`
|
||||
|
||||
5. **[MEDIUM]** `Postgres` - postgresql://postgres:password@postgres:5432
|
||||
- Location: `/scan/.git/objects/36/f1f2601e97763eb410cb11da1550822df5da7c:0`
|
||||
|
||||
---
|
||||
|
||||
### Requirement 11.3.1: Internal vulnerability scans are performed
|
||||
|
||||
**Priority:** HIGH
|
||||
**Findings:** 671
|
||||
|
||||
- **CRITICAL**: 1 findings
|
||||
- **HIGH**: 21 findings
|
||||
- **MEDIUM**: 18 findings
|
||||
|
||||
**Top Findings:**
|
||||
|
||||
1. **[LOW]** `CVE-2026-3449` - @tootallnate/once: @tootallnate/once: Denial of Service due to incorrect control flow scoping with A
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
2. **[HIGH]** `CVE-2026-44665` - fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
3. **[MEDIUM]** `CVE-2026-44664` - fast-xml-builder: fast-xml-builder: Arbitrary XML/HTML injection via insufficient sanitization of XM
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
4. **[HIGH]** `CVE-2025-47935` - Multer vulnerable to Denial of Service via memory leaks from unclosed streams
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
5. **[HIGH]** `CVE-2025-47944` - Multer vulnerable to Denial of Service from maliciously crafted requests
|
||||
- Location: `package-lock.json:0`
|
||||
|
||||
---
|
||||
|
||||
## Recommendations
|
||||
|
||||
### Critical Actions Required
|
||||
|
||||
The following PCI DSS requirements have CRITICAL findings that must be addressed immediately:
|
||||
|
||||
1. **Requirement 6.3.3**: Security vulnerabilities are identified and managed
|
||||
- 1 CRITICAL findings
|
||||
|
||||
1. **Requirement 11.3.1**: Internal vulnerability scans are performed
|
||||
- 1 CRITICAL findings
|
||||
|
||||
### Compliance Status
|
||||
|
||||
- **Requirements Passed**: N/A (manual validation required)
|
||||
- **Requirements with Findings**: 5
|
||||
- **Requirements Not Tested**: N/A (scope determined by organization)
|
||||
|
||||
### Next Steps
|
||||
|
||||
1. **Remediate CRITICAL findings** within 24 hours (per PCI DSS remediation SLAs)
|
||||
2. **Remediate HIGH findings** within 7 days
|
||||
3. **Document compensating controls** for accepted risks
|
||||
4. **Re-scan** after remediation to verify fixes
|
||||
5. **Submit ASV scan report** to Qualified Security Assessor (if applicable)
|
||||
|
||||
---
|
||||
|
||||
*This report was generated by JMo Security Audit Tool Suite.*
|
||||
*Report generation date: Auto-generated*
|
||||
@@ -0,0 +1,76 @@
|
||||
# Security Summary
|
||||
|
||||
Total findings: 712 | 🔴 1 CRITICAL | 🔴 21 HIGH | 🟡 59 MEDIUM | ⚪ 9 LOW
|
||||
|
||||
## Top Risks by File
|
||||
|
||||
| File | Findings | Severity | Top Issue |
|
||||
|------|----------|----------|-----------|
|
||||
| package-lock.json | 43 | 🔴 CRITICAL | CVE-2026-3449 |
|
||||
| Dockerfile.dev | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||||
| Dockerfile.production | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||||
| Dockerfile.test | 2 | 🔴 HIGH | Image user should not be 'root' |
|
||||
| /scan/node_modules/zod/...emplate-literal.test.ts | 6 | 🟡 MEDIUM | MongoDB (6×) |
|
||||
| /scan/node_modules/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) |
|
||||
| /scan/node_modules/fire...es/@types/node/url.d.ts | 3 | 🟡 MEDIUM | URI (3×) |
|
||||
| /scan/.env.docker.production.example | 1 | 🟡 MEDIUM | Postgres |
|
||||
| /scan/.env.local | 1 | 🟡 MEDIUM | Postgres |
|
||||
| /scan/.env.docker.dev | 1 | 🟡 MEDIUM | Postgres |
|
||||
|
||||
## By Severity
|
||||
|
||||
- 🔴 CRITICAL: 1
|
||||
- 🔴 HIGH: 21
|
||||
- 🟡 MEDIUM: 59
|
||||
- ⚪ LOW: 9
|
||||
- 🔵 INFO: 622
|
||||
|
||||
## Priority Analysis (EPSS/KEV)
|
||||
|
||||
Real-world exploit intelligence to focus on actual threats:
|
||||
|
||||
### 📊 High Exploit Probability: 2 CVEs
|
||||
|
||||
CVEs with >50% probability of being exploited in the next 30 days:
|
||||
|
||||
- 🔴 **CVE-2025-29927** (EPSS: 92.1%, 100th percentile)
|
||||
- File: `package-lock.json`
|
||||
- 🔴 **CVE-2024-51479** (EPSS: 78.5%, 99th percentile)
|
||||
- File: `package-lock.json`
|
||||
|
||||
### Priority Distribution
|
||||
|
||||
- 🔴 Critical Priority (≥80): 2
|
||||
- 🟠 High Priority (60-79): 1
|
||||
- 🟡 Medium Priority (40-59): 0
|
||||
- ⚪ Low Priority (<40): 709
|
||||
|
||||
## By Tool
|
||||
|
||||
- **syft**: 622 findings (🔵 622 INFO)
|
||||
- **trivy**: 49 findings (🔴 1 CRITICAL, 🔴 21 HIGH, 🟡 18 MEDIUM, ⚪ 9 LOW)
|
||||
- **trufflehog**: 41 findings (🟡 41 MEDIUM)
|
||||
|
||||
## Remediation Priorities
|
||||
|
||||
1. **Fix Image user should not be 'root'** (3 findings) → Review container security best practices
|
||||
2. **Update vulnerable dependencies** (19 CRITICAL/HIGH CVEs) → Run package updates
|
||||
|
||||
## By Category
|
||||
|
||||
- 📦 Other: 622 findings (87% of total)
|
||||
- 🛡️ Vulnerabilities: 49 findings (7% of total)
|
||||
- 🔑 Secrets: 41 findings (6% of total)
|
||||
|
||||
## Top Rules
|
||||
|
||||
- SBOM.PACKAGE: 622
|
||||
- Postgres: 13
|
||||
- URI: 13
|
||||
- MongoDB: 8
|
||||
- GitHubOauth2: 5
|
||||
- Image user should not be 'root': 3
|
||||
- No HEALTHCHECK defined: 3
|
||||
- GCP: 1
|
||||
- Circle: 1
|
||||
- CVE-2026-3449: 1
|
||||
@@ -0,0 +1,121 @@
|
||||
{
|
||||
"name": "JMo Security Scan Results",
|
||||
"versions": {
|
||||
"attack": "17",
|
||||
"navigator": "5.1.0",
|
||||
"layer": "4.5"
|
||||
},
|
||||
"domain": "enterprise-attack",
|
||||
"description": "Security findings mapped to MITRE ATT&CK techniques. Total findings: 712, Techniques covered: 4",
|
||||
"filters": {
|
||||
"platforms": [
|
||||
"Linux",
|
||||
"macOS",
|
||||
"Windows",
|
||||
"Cloud",
|
||||
"Containers"
|
||||
]
|
||||
},
|
||||
"sorting": 3,
|
||||
"layout": {
|
||||
"layout": "side",
|
||||
"aggregateFunction": "average",
|
||||
"showID": true,
|
||||
"showName": true,
|
||||
"showAggregateScores": false,
|
||||
"countUnscored": false
|
||||
},
|
||||
"hideDisabled": false,
|
||||
"techniques": [
|
||||
{
|
||||
"techniqueID": "T1552.001",
|
||||
"tactic": "credential-access",
|
||||
"score": 6.110283159463488,
|
||||
"color": "#99ccff",
|
||||
"comment": "41 finding(s) detected",
|
||||
"enabled": true,
|
||||
"metadata": [
|
||||
{
|
||||
"name": "Findings",
|
||||
"value": "41"
|
||||
}
|
||||
],
|
||||
"showSubtechniques": true
|
||||
},
|
||||
{
|
||||
"techniqueID": "T1078",
|
||||
"tactic": "initial-access",
|
||||
"score": 6.110283159463488,
|
||||
"color": "#99ccff",
|
||||
"comment": "41 finding(s) detected",
|
||||
"enabled": true,
|
||||
"metadata": [
|
||||
{
|
||||
"name": "Findings",
|
||||
"value": "41"
|
||||
}
|
||||
],
|
||||
"showSubtechniques": false
|
||||
},
|
||||
{
|
||||
"techniqueID": "T1195.001",
|
||||
"tactic": "initial-access",
|
||||
"score": 100,
|
||||
"color": "#ff6666",
|
||||
"comment": "671 finding(s) detected",
|
||||
"enabled": true,
|
||||
"metadata": [
|
||||
{
|
||||
"name": "Findings",
|
||||
"value": "671"
|
||||
}
|
||||
],
|
||||
"showSubtechniques": true
|
||||
},
|
||||
{
|
||||
"techniqueID": "T1190",
|
||||
"tactic": "initial-access",
|
||||
"score": 0.44709388971684055,
|
||||
"color": "#99ccff",
|
||||
"comment": "3 finding(s) detected",
|
||||
"enabled": true,
|
||||
"metadata": [
|
||||
{
|
||||
"name": "Findings",
|
||||
"value": "3"
|
||||
}
|
||||
],
|
||||
"showSubtechniques": false
|
||||
}
|
||||
],
|
||||
"gradient": {
|
||||
"colors": [
|
||||
"#99ccff",
|
||||
"#ffcc66",
|
||||
"#ff9966",
|
||||
"#ff6666"
|
||||
],
|
||||
"minValue": 0,
|
||||
"maxValue": 100
|
||||
},
|
||||
"legendItems": [
|
||||
{
|
||||
"label": "Total Findings: 712",
|
||||
"color": "#ffffff"
|
||||
},
|
||||
{
|
||||
"label": "Techniques Covered: 4",
|
||||
"color": "#ffffff"
|
||||
}
|
||||
],
|
||||
"metadata": [
|
||||
{
|
||||
"name": "Generated by",
|
||||
"value": "JMo Security Audit Tool Suite"
|
||||
}
|
||||
],
|
||||
"showTacticRowBackground": true,
|
||||
"tacticRowBackground": "#dddddd",
|
||||
"selectTechniquesAcrossTactics": true,
|
||||
"selectSubtechniquesWithParent": true
|
||||
}
|
||||
@@ -0,0 +1,50 @@
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<title>JMo Security - Findings Report</title>
|
||||
<style>
|
||||
body {
|
||||
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
|
||||
line-height: 1.6;
|
||||
max-width: 1200px;
|
||||
margin: 0 auto;
|
||||
padding: 20px;
|
||||
background: #f5f5f5;
|
||||
}
|
||||
h1 {
|
||||
color: #333;
|
||||
border-bottom: 3px solid #007bff;
|
||||
padding-bottom: 10px;
|
||||
}
|
||||
.alert {
|
||||
background: #fff3cd;
|
||||
border: 1px solid #ffc107;
|
||||
border-radius: 4px;
|
||||
padding: 15px;
|
||||
margin: 20px 0;
|
||||
}
|
||||
.stats {
|
||||
background: white;
|
||||
border-radius: 8px;
|
||||
padding: 20px;
|
||||
margin: 20px 0;
|
||||
box-shadow: 0 2px 4px rgba(0,0,0,0.1);
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<h1>JMo Security Findings Report</h1>
|
||||
<div class="alert">
|
||||
<strong>⚠️ Fallback HTML Mode</strong><br>
|
||||
This is a simplified HTML report. The interactive React dashboard was not available.<br>
|
||||
To view the full interactive dashboard, build the React app with <code>npm run build</code> in <code>scripts/dashboard/</code>.
|
||||
</div>
|
||||
<div class="stats">
|
||||
<h2>Summary</h2>
|
||||
<p><strong>Total Findings:</strong> 712</p>
|
||||
<p>For detailed findings, please view the JSON report at <code>findings.json</code>.</p>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user