codedx

1.9.1

codedx_xml/codedx_input_sample.xml

                                <?xml version="1.0"?>

<report date="2019-08-06" tool="My Custom Tool">

    <findings>                        

        <finding severity="high">

            <native-id name="My Tool ID" value="abc123" />

            <cwe id="259" />

            <tool name="My Custom Tool" category="Security" code="Hardcoded-Password" />

            <location type="file" path="java/org/owasp/webgoat/lessons/WsSAXInjection.java">

                <line start="64" end="66" />

            </location>

            <description format="plain-text">A password is hardcoded here.</description>

            <metadata>

                <value key="Password">password</value>

            </metadata>

        </finding>

        <finding severity="high" type="dynamic">

            <cwe id="310" />

            <tool name="My Custom Tool" category="Security" code="Cookie without HttpOnly flag set" />

            <location type="url" path="/webgoat/attack">

                <variants>

                    <variant>

                        <request method="GET" path="/webgoat/attack" query="">

                            <headers>

                                Accept: text/html, application/xhtml+xml, */*

                                Accept-Language: en-US

                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

                                Accept-Encoding: gzip, deflate

                                Host: 192.168.216.139:8080

                                Authorization: Basic Z3Vlc3Q6Z3Vlc3Q=

                                Proxy-Connection: Keep-Alive

                                DNT: 1

                            </headers>

                            <body truncated="false" original-length="0" length="0"></body>

                        </request>

                        <response code="200">

                            <headers>

                                Server: Apache-Coyote/1.1

                                Pragma: No-cache

                                Cache-Control: no-cache

                                Expires: Wed, 31 Dec 1969 19:00:00 EST

                                Set-Cookie: JSESSIONID=1115D46CB13A097B975996BF90C21455; Path=/WebGoat

                                Content-Type: text/html;charset=ISO-8859-1

                                Content-Length: 3931

                                Date: Thu, 16 Oct 2014 18:04:24 GMT

                            </headers>

                            <body truncated="false" original-length="3930" length="3930">DQoNCg0KDQo8IURPQ1RZUEUgaHRtbCBQVUJMSUMgIi0vL1czQy8vRFREIFhIVE1MIDEuMCBUcmFuc2l0aW9uYWwvL0VOIiAiaHR0cDovL3d3dy53My5vcmcvVFIveGh0bWwxL0RURC94aHRtbDEtdHJhbnNpdGlvbmFsLmR0ZCI+DQo8aHRtbCB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCI+DQo8aGVhZD4NCjxtZXRhIGh0dHAtZXF1aXY9IkNvbnRlbnQtVHlwZSIgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PUlTTy04ODU5LTEiIC8+DQo8dGl0bGU+V2ViR29hdCBWNS40PC90aXRsZT4NCjxsaW5rIHJlbD0ic3R5bGVzaGVldCIgaHJlZj0iY3NzL3dlYmdvYXQuY3NzIiB0eXBlPSJ0ZXh0L2NzcyIgLz4NCjwvaGVhZD4NCg0KPGJvZHk+DQoNCjxkaXYgaWQ9IndyYXAiPg0KPGRpdiBpZD0idG9wIj48L2Rpdj4NCjxkaXYgaWQ9InN0YXJ0Ij4NCjxwPlRoYW5rIHlvdSBmb3IgdXNpbmcgV2ViR29hdCEgVGhpcyBwcm9ncmFtIGlzIGEgZGVtb25zdHJhdGlvbiBvZiBjb21tb24gd2ViIGFwcGxpY2F0aW9uIGZsYXdzLg0KVGhlIGV4ZXJjaXNlcyBhcmUgaW50ZW5kZWQgdG8gcHJvdmlkZSBoYW5kcyBvbiBleHBlcmllbmNlIHdpdGgNCmFwcGxpY2F0aW9uIHBlbmV0cmF0aW9uIHRlc3RpbmcgdGVjaG5pcXVlcy4gPC9wPg0KPHA+VGhlIFdlYkdvYXQgcHJvamVjdCBpcyBsZWQNCmJ5IEJydWNlIE1heWhldy4gUGxlYXNlIHNlbmQgYWxsIGNvbW1lbnRzIHRvIEJydWNlIGF0IFdlYkdvYXRAb3dhc3Aub3JnLjwvcD4NCg0KPGRpdiBpZD0idGVhbSI+DQo8dGFibGUgYm9yZGVyPSIwIiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ibGVzc29uVGV4dCI+DQoJPHRyPg0KCQk8dGQgd2lkdGg9IjUwJSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PGEgaHJlZj0iaHR0cDovL3d3dy5vd2FzcC5vcmciPjxpbWcNCgkJCWJvcmRlcj0iMCIgc3JjPSJpbWFnZXMvbG9nb3Mvb3dhc3AuanBnIiBhbHQ9Ik9XQVNQIEZvdW5kYXRpb24iDQoJCQlsb25nZGVzYz0iaHR0cDovL3d3dy5vd2FzcC5vcmciIC8+PC9hPjwvZGl2Pg0KCQk8L3RkPg0KCQk8dGQgd2lkdGg9IjUwJSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PGEgaHJlZj0iaHR0cDovL3d3dy5hc3BlY3RzZWN1cml0eS5jb20iPjxpbWcNCgkJCWJvcmRlcj0iMCIgc3JjPSJpbWFnZXMvbG9nb3MvYXNwZWN0LmpwZyIgYWx0PSJBc3BlY3QgU2VjdXJpdHkiDQoJCQlsb25nZGVzYz0iaHR0cDovL3d3dy5hc3BlY3RzZWN1cml0eS5jb20iIC8+PC9hPjwvZGl2Pg0KCQk8L3RkPg0KCTwvdHI+DQoJPHRyPg0KCQk8dGQgd2lkdGg9IjUwJSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PHNwYW4gY2xhc3M9InN0eWxlMSI+PGJyIC8+DQoJCVdlYkdvYXQgRGVzaWduIFRlYW0gPC9zcGFuPjwvZGl2Pg0KCQk8L3RkPg0KCQk8dGQgd2lkdGg9IjUwJSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PHNwYW4gY2xhc3M9InN0eWxlMSI+PGJyIC8+DQoJCVY1LjMgTGVzc29uIENvbnRyaWJ1dGVycyA8L3NwYW4+PC9kaXY+DQoJCTwvdGQ+DQoJPC90cj4NCgk8dHI+DQoJCTx0ZCB2YWxpZ249InRvcCI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+QnJ1Y2UgTWF5aGV3PC9kaXY+DQoJCTxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+RGF2aWQgQW5kZXJzb248L2Rpdj4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5Sb2dhbiBEYXdlczwvZGl2Pg0KCQk8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPkxhdXJlbmNlIENhc2V5IChHcmFwaGljcyk8L2Rpdj4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5CcmlhbiBDaW9tZWk8L2Rpdj4NCgkJPC90ZD4NCgkJPHRkIHZhbGlnbj0idG9wIj4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5DaHVjayBXaWxsaXM8L2Rpdj4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5DYW0gTW9ycmlzPC9kaXY+DQoJCTxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+WWlhbm5pcyBQYXZsb3NvZ2xvdTwvZGl2Pg0KCQk8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPjwvZGl2Pg0KDQoJCTwvdGQ+DQoJPC90cj4NCgk8dHI+DQoJCTx0ZCBoZWlnaHQ9IjI1IiB2YWxpZ249ImJvdHRvbSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PHNwYW4gY2xhc3M9InN0eWxlMSI+U3BlY2lhbCBUaGFua3MNCgkJZm9yIFY1LjM8L3NwYW4+PC9kaXY+DQoJCTwvdGQ+DQoJCTx0ZCBoZWlnaHQ9IjI1IiB2YWxpZ249ImJvdHRvbSI+DQoJCTxkaXYgYWxpZ249ImNlbnRlciI+PHNwYW4gY2xhc3M9InN0eWxlMSI+RG9jdW1lbnRhdGlvbg0KCQlDb250cmlidXRlcnM8L3NwYW4+PC9kaXY+DQoJCTwvdGQ+DQoJPC90cj4NCgk8dHI+DQoJCTx0ZD4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5DaHJpc3RpbmUgKE1hdmVuKTwvZGl2Pg0KCQk8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPk1hcmVrIEphd3VyZWsgKEludGVybmF0aW9uYWxpemF0aW9uKTwvZGl2Pg0KCQk8YnIvPjxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+VG8gYWxsIHdobyBoYXZlIHNlbnQgY29tbWVudHM8L2Rpdj4NCgkJDQoJCTwvdGQ+DQoJCTx0ZD4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5TaGVyaWYgS291c3NhPGJyIC8+DQoJCQkoaHR0cDovL3d3dy5zb2Z0d2FyZXNlY3VyZWQuY29tKQ0KCQk8L2Rpdj4NCgkJPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj5BdW5nIEtoYW50PGJyIC8+DQoJCShodHRwOi8veWVoZy5vcmcvKTwvZGl2Pg0KCQk8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPkVyd2luIEdlaXJuYWVydDxiciAvPg0KCQkoaHR0cDovL3d3dy56aW9uc2VjdXJpdHkuY29tLyk8L2Rpdj4NCgkJPC90ZD4NCgk8L3RyPg0KCTx0cj4NCgkJPHRkIGNvbHNwYW49IjIiPg0KCQk8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPg0KCQk8Zm9ybSBpZD0iZm9ybSIgbmFtZT0iZm9ybSIgbWV0aG9kPSJwb3N0IiBhY3Rpb249ImF0dGFjayI+PGlucHV0DQoJCQl0eXBlPSJzdWJtaXQiIG5hbWU9InN0YXJ0IiB2YWx1ZT0iU3RhcnQgV2ViR29hdCIgLz48L2Zvcm0+DQoJCTwvZGl2Pg0KCQk8L3RkPg0KCTwvdHI+DQoJPHRyPg0KCQk8dGQ+DQoJCTxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+Jm5ic3A7PC9kaXY+DQoJCTwvdGQ+DQoJPC90cj4NCjwvdGFibGU+DQo8L2Rpdj4NCjwvZGl2Pg0KPGRpdiBhbGlnbj0iY2VudGVyIiBjbGFzcz0ic3R5bGUyIj4mbmJzcDs8L2Rpdj4NCjxkaXYgYWxpZ249ImNlbnRlciIgY2xhc3M9InN0eWxlMiI+Jm5ic3A7PC9kaXY+DQo8ZGl2IGFsaWduPSJjZW50ZXIiIGNsYXNzPSJzdHlsZTIiPiZuYnNwOzwvZGl2Pg0KPGRpdiBpZD0id2FybmluZyI+V0FSTklORzxiciAvPg0KV2hpbGUgcnVubmluZyB0aGlzIHByb2dyYW0sIHlvdXIgbWFjaGluZSBpcyBleHRyZW1lbHkgdnVsbmVyYWJsZSB0bw0KYXR0YWNrIGlmIHlvdSBhcmUgbm90IHJ1bm5pbmcgb24gbG9jYWxob3N0LiBJZiB0b3UgYXJlIE5PVCBydW5uaW5nIG9uIGxvY2FsaG9zdCAoZGVmYXVsdCBjb25maWd1cmF0aW9uKSwgWW91IHNob3VsZCBkaXNjb25uZWN0IGZyb20gdGhlIG5ldHdvcmsgd2hpbGUgdXNpbmcgdGhpcyBwcm9ncmFtLg0KPGJyIC8+DQo8YnIgLz4NClRoaXMgcHJvZ3JhbSBpcyBmb3IgZWR1Y2F0aW9uYWwgcHVycG9zZXMgb25seS4gVXNlIG9mIHRoZXNlIHRlY2huaXF1ZXMNCndpdGhvdXQgcGVybWlzc2lvbiBjb3VsZCBsZWFkIHRvIGpvYiB0ZXJtaW5hdGlvbiwgZmluYW5jaWFsIGxpYWJpbGl0eSwNCmFuZC9vciBjcmltaW5hbCBwZW5hbHRpZXMuPC9kaXY+DQo8L2Rpdj4NCjwvYm9keT4NCjwvaHRtbD4N</body>

                        </response>

                    </variant>

                </variants>

            </location>

        </finding>

    </findings>

</report>