Veracode RPA+BI DetailedReport A2019 6 Mar 2021 Patch Build 8122

Veracode Detailed Report
Application Security Report

As of 6 Mar 2021
Prepared for: Automation Anywhere
Prepared on: 09 March 2021
Application: A2019
Sandbox: A2019
Industry: Not Specified
Business Criticality: BC5 (Very High)
Required Analysis: Manual Penetration Test, Static
Type(s) of Analysis Conducted: Static
Scope of Static Scan: 245 of 254 Modules Analyzed
Inside This Report

Executive Summary 1
Summary of Flaws by Severity 1
Action Items 1
Flaw Types by Category 14
Policy Summary 15
Findings & Recommendations 17
Methodology
While every precaution has been taken in the preparation of this document, Veracode, Inc. assumes no responsibility for errors, omissions, or for
damages resulting from the use of the information herein. The Veracode platform uses static and/or dynamic analysis techniques to discover
potentially exploitable flaws. Due to the nature of software security testing, the lack of discoverable flaws does not mean the software is 100%
secure.
© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential
65 Network Drive, Burlington, MA 01803 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Veracode Detailed Report prepared for Automation Anywhere – 09-Mar-2021
Veracode Detailed Report Mitigated Veracode Level: VL5

Application Security Report Original Veracode Level: VL1
Rated: 06-Mar-2021
As of 6 Mar 2021
Application: A2019 Business Criticality: Very High
Target Level: VL5 Adjusted/Published Rating: A*/F
Scans Included in Report

Static Scan Dynamic Scan Manual Penetration Test
A2019.19-Patch Not Included in Report Not Included in Report
Score: 94
Completed: 06/03/21
Executive Summary
This report contains a summary of the security flaws identified in the application using manual penetration testing, automated static
and/or automated dynamic security analysis techniques. This is useful for understanding the overall security quality of an individual
application or for comparisons between applications.
Application Business Criticality: BC5 (Very High) Summary of Flaws Found by Severity
Impacts:Operational Risk (High), Financial Loss (High)
An application's business criticality is determined by business
risk factors such as: reputation damage, financial loss,
operational risk, sensitive information disclosure, personal safety,
and legal violations. The Veracode Level and required
assessment techniques are selected based on the policy
assigned to the application.
Analyses Performed vs. Required
Manual Penetration
Dynamic
Static
Test
Any
Performed:
Required:
Action Items:
Veracode recommends the following approaches ranging from the most basic to the strong security measures that a vendor can
undertake to increase the overall security level of the application.
Required Analysis
Your policy requires Manual Penetration Test but it has not been performed. Please submit your application for Manual
Penetration Test and remediate the required detected flaws to conform to your assigned policy.
Your policy requires periodic Static Scan. Your next analysis must be completed by 06/06/21. Please submit your
application for Static Scan by the deadline and remediate the required detected flaws to conform to your assigned policy.
Flaw Severities
65 Network Drive, Burlington, MA 01803 1 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Medium severity flaws and above must be fixed for policy compliance.
Longer Timeframe (6 - 12 months)

Certify that software engineers have been trained on application security principles and practices.

Application Trend Data
Scope of Static Scan

The following modules were included in the static scan because the scan submitter selected them as entry points, which are modules that accept external data.
Engine Version: 20210219202837
The following modules were included in the application scan:

Module Name Compiler Operating Environment Engine
Version
aae-bot-scanner-ui-5.1.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
all.jar 2837
aae-bot-scanner-ui-5.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
activemq-5.15.13.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
adapters-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
adapters-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
aggregator-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
audit-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
audit-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
authn-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
authn-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
boot-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
boot-bot-insight-1.0.0-SNAPSHOT-all.jar JAVAC_8 Java J2SE 8 2021021920
2837
boot-bot-insight-1.0.0-SNAPSHOT- JAVASCRIPT_5_1 JavaScript 2021021920
all.jar_htmljscode.veracodegen.htmla.jsa 2837


Version
bot-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-aspects.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-asynchronous-messenger-1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-classloader.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-command-activedirectory-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-analyze-2.2.4- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-annotationsample-1.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-appintegration-3.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-application-2.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-boolean-2.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-browser-2.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-browser-2.3.0- JAVASCRIPT_5_1 JavaScript 2021021920
SNAPSHOT.jar_htmljscode.veracodegen. 2837
htmla.jsa
bot-command-calendar-2.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-clipboard-2.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-comment-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-csvtxt-2.3.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-database-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-datetime-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-delay-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-dictionary-3.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-email-3.3.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-error-handler-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-file-3.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-folder-3.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-forms-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837


Version
bot-command-forms-1.0.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-ftp-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-if-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-image-recognition-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-iqbot-2.0.2-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-iqbotadvance-3.0.1- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-javascript-2.5.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-javascript-2.5.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-keystroke-2.7.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-legacyautomation-3.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-legacytask-1.5.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-list-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-logtofile-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-loop-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-messagebox-2.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-migrate-3.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-mouse-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-msexcel-5.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-number-2.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-ocr-abbyy-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-ocr-abbyy-2.4.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-oexcelonline-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-onedrive-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-operation-1.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837


Version
bot-command-pdf-2.8.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-pgp-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-ping-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-playsound-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-poi-2.4.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-printer-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-prompt-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-python-2.5.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-recorder-2.0.11- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-recorder-2.0.11- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-rest-webservice-3.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-rundll-3.4.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-rundll-3.4.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-sap-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-sapbapi-2.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-screen-2.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-service-3.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-snmp-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-soap-3.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-step-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-string-3.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-system-3.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-table-2.6.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-task-2.0.1-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-terminalemulator-3.7.0- JAVAC_11 Java J2SE 11 2021021920


Version
SNAPSHOT.jar 2837
bot-command-trigger-loop-0.5.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-vbscript-2.5.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-vbscript-2.5.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-command-wait-3.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-window-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-wlm-2.5.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-command-xml-2.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-compiler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-compiler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-compiler.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-core-api.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-core.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-debugger-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-debugger-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-engine-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-external-function-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-external-function-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-insight-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-insight-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-launcher-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-launcher-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
bot-lifecycle-management-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
bot-lifecycle-management-api-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
bot-migration-cr-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920


Version
2837
bot-migration-sdk-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-migration-service-1.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-recorder-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-recorder-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-runtime-1.4.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-synchronous-messenger-1.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
bot-tester-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
bot-trigger-email-1.2.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-trigger-file-folder-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-trigger-hotkey-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-trigger-uiobject-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
botcontent-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
botcontent-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
botstore-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
botstore-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
browser-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
browser-shdocvw-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
certmgr-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
command-generic-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
common-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
common-trace-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
common-trace-aspect-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
common-utils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
configuration-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
configuration-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920


Version
2837
controlroom-jwt-validation-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
credentialvault-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
credentialvault-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
crhttpd-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
crutils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
dashboard-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
dashboard-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
devices-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
devices-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
distributed-cache-2.8.1.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
durablemessaging-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
email-notification-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
email-notification-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
error-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
es-client-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
excel-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
expiry-map-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
feature-flag-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
feature-flag-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
file-api-1.0.0-SNAPSHOT-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
file-folder-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
gdpr-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
gdpr-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
geolocation-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
geolocation-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920


Version
2837
globalvalues-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
globalvalues-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
grpc-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
i18n-api-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
ignite-2.8.1.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
ignite-server-2.8.1.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
ignite-server-2.8.1.1- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
installutils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
ipc-api-1.0.0-SNAPSHOT-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
ir-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
JS files within bi-hopper-frontend.zip JAVASCRIPT_5_1 JavaScript 2021021920
2837
JS files within cr-frontend.zip JAVASCRIPT_5_1 JavaScript 2021021920
2837
json-util-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
kernel-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
kernel-1.0.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
license-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
license-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
log-collector-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
log-management-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
logger-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
mapstruct-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
metrics-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
mfa-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
mfa-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837


Version
migration-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
migration-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
monitor-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
monitor-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
mouse-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
network-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
node-manager-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
node-manager-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa
node-manager-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
ocr-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
office365-auth-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
operationsroom-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
operationsroom-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
organizations-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
organizations-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
packages-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
packages-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
packaging-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
process-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
protobuf-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
proxy-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
proxy-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
proxy-shared-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
queryfilter-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
queryfilter-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837


Version
realtimeservice-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
recorder-sdk-2.0.8-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
repository-consistency-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
requeststatus-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
requeststatus-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
rest-util-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
scheduler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
scheduler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
screencapture-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
serverrepository-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
serverrepository-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
session-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
settings-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
settings-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
spcompiler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
spcompiler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
string-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
tenants-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
tenants-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
token-refresh-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
token-refresh-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
trigger-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
trigger-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
triggerlistener-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
triggerlistener-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
htmla.jsa


Version
upgrades-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
upgrades-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
usermanagement-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
usermanagement-api-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
webbrowser-adapter-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
webbrowser-adapter-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
websocket-client-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
window-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
wlm-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
wlm-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
File Differences Between Scans

The uploaded modules for this scan do not match the modules you uploaded for the previous scan. This disparity can affect the scan results even if Veracode did
not find flaws in the files with differences. See appendix for more details.
The following modules were not selected for a full scan. Code paths in these modules that are not called from a scanned module are
not included in this report.
Version
kernel-1_mapfile_swagger-ui- JAVASCRIPT_5_1 JavaScript 2021021920
bundle.js.map.jsa 2837
kernel-1_mapfile_swagger-ui-standalone- JAVASCRIPT_5_1 JavaScript 2021021920
preset.js.map.jsa 2837
kernel-1_mapfile_swagger-ui.js.map.jsa JAVASCRIPT_5_1 JavaScript 2021021920
2837
msvcp140.dll MSVC14_X86_64 Windows X86_64 2021021920
2837
msvcp140_1.dll MSVC14_X86_64 Windows X86_64 2021021920
2837
msvcp140_2.dll MSVC14_X86_64 Windows X86_64 2021021920
2837
msvcp140_codecvt_ids.dll MSVC14_X86 Windows 2021021920
2837
vcruntime140.dll MSVC14_X86_64 Windows X86_64 2021021920
2837
vcruntime140_1.dll MSVC14_X86_64 Windows X86_64 2021021920
2837

Flaw Types by Severity and Category

Static Scan
Security Quality Score =
94
(+8) from prior scan
Very High 0*
High 0*
Medium 0* (-27)
Cryptographic Issues 0* (-9)
Directory Traversal 0* (-18)
Low 61 (+2)
API Abuse 7 (+2)
Code Quality 34 (+1)
Cryptographic Issues 2
Information Leakage 11 (-1)
Time and State 7
Very Low 0
Informational 53 (+3)
Code Quality 53 (+3)
Total 114* (-22)

Policy Evaluation
Policy Name: Veracode Recommended Very High
Revision: 1
Policy Status: Not Assessed
Description: Veracode provides default policies to make it easier for organizations to begin measuring their applications against
policies. Veracode Recommended Policies are available for customers as an option when they are ready to move beyond the initial bar
set by the Veracode Transitional Policies. The policies are based on the Veracode Level definitions.
Rules
Rule type Requirement Findings Status
Minimum Veracode Level VL5 VL5* Passed
(VL5) Min Analysis Score 90 94* Passed
(VL5) Max Severity Medium Flaws found: 0* Passed
* - Reflects violated rules that have mitigated flaws

Unsupported Frameworks
This report may have incomplete results based on the following unsupported frameworks identified during the static scan:
* Castor
* Jython
* Apache Tapestry
* Jaxen
* Google GSON
The lack of support for all frameworks in use by this application and/or its supporting libraries may prevent the static discovery of some
flaws in the application, however, it does not invalidate the flaws that were found.

Findings & Recommendations
Detailed Flaws by Severity
Very High (0 flaws*) Fix Required by Policy.

No flaws of this type were found
High (0 flaws*) Fix Required by Policy.

Medium (0 flaws*) Fix Required by Policy.

Low (61 flaws)

API Abuse(7 flaws)
Description
An API is a contract between a caller and a callee. Incorrect usage of certain API functions can result in exploitable security
vulnerabilities.
The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a
program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in
a secure fashion. Providing too few arguments to a varargs function such as printf() also violates the API contract and will
cause the missing parameters to be populated with unexpected data from the stack.
Another common mishap is when the caller makes false assumptions about the callee's behavior. One example of this is
when a caller expects a DNS-related function to return trustworthy information that can be used for authentication purposes.
This is a bad assumption because DNS responses can be easily spoofed.
Recommendations
When calling API functions, be sure to fully understand and adhere to the specifications to avoid introducing security
vulnerabilities. Do not make assumptions about trustworthiness of the data returned from API calls or use the data in a
context that was unintended by that API.
Associated Flaws by CWE ID:
J2EE Bad Practices: Direct Management of Connections (CWE ID 245)(7 flaws)
Description
The J2EE application directly manages connections rather than using the container's resource management facilities to
obtain connections as specified in the J2EE standard. Every major web application container provides pooled
database connection management as part of its resource management framework. Duplicating this functionality in an
application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard.
Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
Recommendations
Request the connection from the container rather than attempting to access it directly.

Instances found via Static Scan

Flaw Id Module # Class # Module Location Fix By
2794 41 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/ker
nel-1.0.0-
SNAPSHOT.jar
3249 54 - node-manager-1.0- com/.../Configuration.java 601
SNAPSHOT.jar
3125 72 - bot-command- .../DatabaseConnectionService.java 80
database-2.4.0-
SNAPSHOT.jar
3126 72 - bot-command- .../DatabaseConnectionService.java 99
database-2.4.0-
SNAPSHOT.jar
2869 74 - installutils-1.0.0- .../common/DbConnectionHelper.java 28
SNAPSHOT.jar
3049 75 - crutils-1.0.0- .../db/DbConnectionHelper.java 38
SNAPSHOT.jar
2808 76 - boot-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar/boo
t-bot-insight-1.0.0-
SNAPSHOT-all.jar
Code Quality(34 flaws)
Description
Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may
include but are not limited to:
* Neglecting to remove debug code or dead code
* Improper resource management, such as using a pointer after it has been freed
* Using the incorrect operator to compare objects
* Failing to follow an API or framework specification
* Using a language feature or API in an unintended manner
While code quality flaws are generally less severe than other categories and usually are not directly exploitable, they may
serve as indicators that developers are not following practices that increase the reliability and security of an application. For
an attacker, code quality issues may provide an opportunity to stress the application in unexpected ways.
Recommendations
The wide variance of code quality issues makes it impractical to generalize how these issues should be addressed. Refer to
individual categories for specific recommendations.
Use of Wrong Operator in String Comparison (CWE ID 597)(34 flaws)
Description
Using '==' to compare two strings for equality or '!=' for inequality actually compares the object references rather than
their values. It is unlikely that this reflects the intended application logic.

Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
Recommendations
Use the equals() method to compare strings, not the '==' or '!=' operator

7490 3 - bot-command- .../AddUsersToGroupPathBuilderOperati
activedirectory- onDesktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7496 4 - bot-command- .../AddUsersTreeChangeOperationDeskt
activedirectory- opOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7508 5 - bot-command- .../AddUsersTreeOperationDesktopOper
activedirectory- ationTree.java 35
2.2.0-
SNAPSHOT.jar
7495 6 - bot-command- .../AddUserTableOperationDesktopOper
activedirectory- ationTable.java 35
2.2.0-
SNAPSHOT.jar
3182 122 - bot-command- .../IfWebControlExists.java 398
legacyautomation-
3.3.0-
SNAPSHOT.jar
3183 122 - bot-command- .../IfWebControlExists.java 467
legacyautomation-
3.3.0-
SNAPSHOT.jar
3184 123 - bot-command- .../IfWebControlNotExists.java 389
legacyautomation-
3.3.0-
SNAPSHOT.jar
3187 123 - bot-command- .../IfWebControlNotExists.java 455
legacyautomation-
3.3.0-
SNAPSHOT.jar
4243 134 - ir-sdk-2.0.0- com/.../Impl/IRExecutorImpl.java 78
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
4258 155 - bot-command- com/.../ManageWebControl.java 1161
legacyautomation-
3.3.0-
SNAPSHOT.jar
7505 161 - bot-command- .../MoveComputerPathBuilderOperationD
activedirectory- esktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7499 162 - bot-command- .../MoveComputerPathSelectGroupBuild
activedirectory- erOperationDesktopOperationButton.jav


2.2.0- a 35
SNAPSHOT.jar
7498 163 - bot-command- .../MoveComputerTreeChangeOperation
activedirectory- DesktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7489 164 - bot-command- .../MoveComputerTreeOperationDesktop
activedirectory- OperationTree.java 35
2.2.0-
SNAPSHOT.jar
7502 165 - bot-command- .../MoveOrgUnitPathBuilderOperationDe
activedirectory- sktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7493 166 - bot-command- .../MoveOrgUnitPathSelectGroupBuilder
activedirectory- OperationDesktopOperationButton.java
2.2.0- 35
SNAPSHOT.jar
7500 167 - bot-command- .../MoveOrgUnitTreeChangeOperationDe
activedirectory- sktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7503 168 - bot-command- .../MoveOrgUnitTreeOperationDesktopO
activedirectory- perationTree.java 35
2.2.0-
SNAPSHOT.jar
7501 185 - bot-command- .../PathBuilderOperationDesktopOperatio
activedirectory- nButton.java 35
2.2.0-
SNAPSHOT.jar
2816 189 - bot-compiler-1.0.0- com/.../impl/PropertiesValue.java 35
SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar
3137 197 - bot-command- com/.../data/impl/RecordValue.java 116
activedirectory-
2.2.0-
SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar
7487 199 - bot-command- .../RemoveUsersFromGroupPathBuilder
2.2.0- 35
SNAPSHOT.jar
7506 200 - bot-command- .../RemoveUsersFromGroupTreeChange
2.2.0- 35
SNAPSHOT.jar
7488 201 - bot-command- .../RemoveUsersFromGroupTreeOperati
activedirectory- onDesktopOperationTree.java 35
2.2.0-
SNAPSHOT.jar
7491 202 - bot-command- .../RemoveUserTableOperationDesktopO
activedirectory- perationTable.java 35
2.2.0-
SNAPSHOT.jar
3326 214 - kernel-1.0.0- .../model/ScheduleAutomation.java 274
SNAPSHOT.jar
7497 219 - bot-command- .../SelectUserGroupPathBuilderOperatio


activedirectory- nDesktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7494 220 - bot-command- .../SelectUserGroupTreeChangeOperatio
activedirectory- nDesktopOperationButton.java 35
2.2.0-
SNAPSHOT.jar
7504 221 - bot-command- .../SelectUserGroupTreeOperationDeskt
activedirectory- opOperationTree.java 35
2.2.0-
SNAPSHOT.jar
7492 235 - bot-command- .../TreeChangeOperationDesktopOperati
activedirectory- onButton.java 35
2.2.0-
SNAPSHOT.jar
7507 236 - bot-command- .../TreeOperationDesktopOperationTree.j
activedirectory- ava 35
2.2.0-
SNAPSHOT.jar
Cryptographic Issues(2 flaws)
Description
Applications commonly use cryptography to implement authentication mechanisms and to ensure the confidentiality and
integrity of sensitive data, both in transit and at rest. The proper and accurate implementation of cryptography is extremely
critical to its efficacy. Configuration or coding mistakes as well as incorrect assumptions may negate a large degree of the
protection it affords, leaving the crypto implementation vulnerable to attack.
Common cryptographic mistakes include, but are not limited to, selecting weak keys or weak cipher modes, unintentionally
exposing sensitive cryptographic data, using predictable entropy sources, and mismanaging or hard-coding keys.
Developers often make the dangerous assumption that they can improve security by designing their own cryptographic
algorithm; however, one of the basic tenets of cryptography is that any cipher whose effectiveness is reliant on the secrecy of
the algorithm is fundamentally flawed.
Recommendations
Select the appropriate type of cryptography for the intended purpose. Avoid proprietary encryption algorithms as they typically
rely on "security through obscurity" rather than sound mathematics. Select key sizes appropriate for the data being protected;
for high assurance applications, 256-bit symmetric keys and 2048-bit asymmetric keys are sufficient. Follow best practices for
key storage, and ensure that plaintext data and key material are not inadvertently exposed.
Improper Verification of Cryptographic Signature (CWE ID 347)(1 flaw)
Description
A digital signature is a type of asymmetric cryptography used to electronically simulate a handwritten signature. A
message fingerprint is encrypted using the signer's private key and decrypted by the recipient using the senders public
key. The recipient calculates the fingerprint of the original message and compares it against the decrypted fingerprint
to confirm that the message is authentic and has not been tampered with in transmission. An application must properly
execute the signature comparison in order to derive the intended benefits of the digital signature scheme.

Recommendations
Be sure that the calculated message fingerprint is compared against the decrypted fingerprint. Most cryptographic
APIs provide a method call to perform this step automatically when provided the algorithm to follow.

2967 141 - authn-1.0.0- .../JwtValidationService.java 78
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE ID 614)(1 flaw)
Description
Setting the Secure attribute on an HTTP cookie instructs the web browser to send it only over a secure channel, such
as a TLS connection. Issuing a cookie without the Secure attribute allows the browser to transmit it over unencrypted
connections, which are susceptible to eavesdropping. It is particularly important to set the Secure attribute on any
cookies containing sensitive data, such as authentication information (e.g. "remember me" style functionality).
Recommendations
Set the Secure attribute for all cookies used by HTTPS sessions.

3776 114 - authn-1.0.0- .../spring/FirewalledResponse.java 48
SNAPSHOT.jar
Information Leakage(11 flaws)
Description
An information leak is the intentional or unintentional disclosure of information that is either regarded as sensitive within the
product's own functionality or provides information about the product or its environment that could be useful in an attack.
Information leakage issues are commonly overlooked because they cannot be used to directly exploit the application.
However, information leaks should be viewed as building blocks that an attacker uses to carry out other, more complicated
attacks.
There are many different types of problems that involve information leaks, with severities that can range widely depending on
the type of information leaked and the context of the information with respect to the application. Common sources of
information leakage include, but are not limited to:

* Source code disclosure

* Browsable directories
* Log files or backup files in web-accessible directories
* Unfiltered backend error messages
* Exception stack traces
* Server version information
* Transmission of uninitialized memory containing sensitive data
Recommendations
Configure applications and servers to return generic error messages and to suppress stack traces from being displayed to end
users. Ensure that errors generated by the application do not provide insight into specific backend issues.
Remove all backup files, binary archives, alternate versions of files, and test files from web-accessible directories of production
servers. The only files that should be present in the application's web document root are files required by the application.
Ensure that deployment procedures include the removal of these file types by an administrator. Keep web and application
servers fully patched to minimize exposure to publicly-disclosed information leakage vulnerabilities.
Insertion of Sensitive Information Into Sent Data (CWE ID 201)(11 flaws)
Description
Sensitive information may be exposed as a result of outbound network connections made by the application.
Recommendations
Ensure that the transfer of sensitive data is intended and that it does not violate application security policy or user
expectations.

3316 29 - kernel-1.0.0- .../BotStoreAdapterImpl.java 590
SNAPSHOT.jar
3913 114 - kernel-1.0.0- .../spring/FirewalledResponse.java 30
SNAPSHOT.jar
5925 138 - kernel-1.0.0- com/.../common/util/JarUtils.java 56
SNAPSHOT.jar
7186 - 13 bot-command- java.io.InputStream a() 33%
email-3.3.0-
SNAPSHOT.jar
8966 - 3 bot-trigger-email- java.io.InputStream a() 33%
1.2.0-
SNAPSHOT.jar
recorder-2.0.11-
SNAPSHOT.jar
2733 - 28 bot-command- java.util.List a() 5%
recorder-2.0.11-
SNAPSHOT.jar
recorder-2.0.11-


SNAPSHOT.jar
2790 143 - boot-bot-insight- .../KubernetesDiscoveryAgent.java 77
1.0.0-SNAPSHOT-
all.jar
3312 193 - kernel-1.0.0- .../QueueExportServiceImpl.java 299
SNAPSHOT.jar
4515 206 - serverrepository- .../RepositoryResourceV1.java 294
1.0.0-
SNAPSHOT.jar
Time and State(7 flaws)
Description
Time and State flaws are related to unexpected interactions between threads, processes, time, and information. These
interactions happen through shared state: semaphores, variables, the filesystem, and basically anything that can store
information. Vulnerabilities occur when there is a discrepancy between the programmer's assumption of how a program
executes and what happens in reality.
State issues result from improper management or invalid assumptions about system state, such as assuming mutable objects
are immutable. Though these conditions are less commonly exploited by attackers, state issues can lead to unpredictable or
undefined application behavior.
Recommendations
Limit the interleaving of operations on resources from multiple processes. Use locking mechanisms to protect resources
effectively. Follow best practices with respect to mutable objects and internal references. Pay close attention to
asynchronous actions in processes and make copious use of sanity checks in systems that may be subject to synchronization
errors.
J2EE Bad Practices: Use of System.exit() (CWE ID 382)(7 flaws)
Description
A web applications should not attempt to shut down its container. A call to System.exit() is probably part of leftover
debug code or code imported from a non-J2EE application. Non-web applications may contain a main() method that
calls System.exit(), but generally should not call it from other locations in the code.
Recommendations
Ensure that System.exit() is never called by web applications.

3050 55 - crutils-1.0.0- com/.../utils/ConsoleUtils.java 31
SNAPSHOT.jar
4402 94 - audit-1.0.0- com/.../util/ESInstallerUtil.java 426


SNAPSHOT.jar/boo
SNAPSHOT-all.jar
583 125 - boot-bot-insight- com/.../ignite/IgniteFactory.java 170
1.0.0-SNAPSHOT-
all.jar
5865 213 - aae-bot-scanner-ui- .../ScannerRunningWindowController.jav
5.1.0-SNAPSHOT- a 110
all.jar
5866 213 - aae-bot-scanner-ui- .../ScannerRunningWindowController.jav
5.1.0-SNAPSHOT- a 126
all.jar
2735 - 14 bot-command- void c() 69%
email-3.3.0-
SNAPSHOT.jar
2754 - 12 bot-command- void d(void) 91%
email-3.3.0-
SNAPSHOT.jar
Very Low (0 flaws)

Info (53 flaws)

Description
Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may
include but are not limited to:
* Neglecting to remove debug code or dead code
* Improper resource management, such as using a pointer after it has been freed
* Using the incorrect operator to compare objects
* Failing to follow an API or framework specification
* Using a language feature or API in an unintended manner
While code quality flaws are generally less severe than other categories and usually are not directly exploitable, they may
serve as indicators that developers are not following practices that increase the reliability and security of an application. For
an attacker, code quality issues may provide an opportunity to stress the application in unexpected ways.
Recommendations
The wide variance of code quality issues makes it impractical to generalize how these issues should be addressed. Refer to
individual categories for specific recommendations.

Improper Resource Shutdown or Release (CWE ID 404)(53 flaws)
Description
The application fails to release (or incorrectly releases) a system resource before it is made available for re-use. This
condition often occurs with resources such as database connections or file handles. Most unreleased resource issues
result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, it may be
possible to launch a denial of service attack by depleting the resource pool.
Recommendations
When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as
accounting for all potential paths of expiration or invalidation. Ensure that all code paths properly release resources.

2862 14 - bot-command- .../ApacheDataUploader.java 56
analyze-2.2.4-
SNAPSHOT.jar
4831 15 - browser-api-1.0.0- com/.../jniwrapper/ar.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-
SNAPSHOT.jar
3117 16 - bot-command- com/.../com/jniwrapper/ar.java 1
email-3.3.0-
SNAPSHOT.jar
2750 17 - bot-command- com/.../com/jniwrapper/as.java 1
keystroke-2.7.0-
SNAPSHOT.jar
4517 27 - boot-bot-insight- com/.../utils/BotInsightUtils.java 63
1.0.0-SNAPSHOT-
all.jar
2825 31 - bot-command- com/.../fxml/BrowserWindow.java 206
forms-1.0.0-
SNAPSHOT.jar
2795 41 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/ker
nel-1.0.0-
SNAPSHOT.jar
4835 48 - bot-command- com/.../CommandGenerator.java 80
recorder-2.0.11-
SNAPSHOT.jar
3118 70 - bot-command- com/.../store/CSVStore.java 75
browser-2.3.0-
SNAPSHOT.jar
2868 74 - installutils-1.0.0- .../common/DbConnectionHelper.java 28
SNAPSHOT.jar
2792 76 - boot-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
3231 79 - node-manager-1.0- .../DeviceUpgradeHandler.java 162
SNAPSHOT.jar


4834 80 - browser-api-1.0.0- com/.../win32/dg.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-
SNAPSHOT.jar
2748 81 - bot-command- com/.../jniwrapper/win32/dg.java 1
email-3.3.0-
SNAPSHOT.jar
7707 82 - node-manager-1.0- .../DiagnosticServiceImpl.java 261
SNAPSHOT.jar
3271 89 - bot-command- com/.../win32/jexcel/eC.java 1
msexcel-5.4.0-
SNAPSHOT.jar
4404 94 - audit-1.0.0- com/.../util/ESInstallerUtil.java 548
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
2803 95 - audit-1.0.0- com/.../ESRestClient.java 190
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
4832 96 - recorder-sdk-2.0.8- com/.../jxcapture/ev.class.java 1
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar
2773 97 - bot-command- com/.../teamdev/jxcapture/ev.java 1
recorder-2.0.11-
SNAPSHOT.jar
2860 103 - bot-command- com/.../csv/utils/FileReader.java 53
csvtxt-2.3.0-
SNAPSHOT.jar
2769 104 - bot-command- com/.../file/FileServiceImpl.java 516
application-2.1.0-
SNAPSHOT.jar
6053 109 - authn-1.0.0- com/.../common/util/FileUtils.java 104
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
6054 109 - authn-1.0.0- com/.../common/util/FileUtils.java 105
SNAPSHOT.jar/boo
SNAPSHOT-all.jar
2843 121 - bot-command-wlm- com/.../wlm/util/HttpUtil.java 105
2.5.0-
SNAPSHOT.jar
3186 136 - bot-command- .../JarResourceExtractor.java 47
legacyautomation-
3.3.0-
SNAPSHOT.jar
3112 - 19 bot-trigger-file- java.lang.String g(void) 14%
folder-1.1.0-
SNAPSHOT.jar
recorder-2.0.11-
SNAPSHOT.jar


recorder-2.0.11-
SNAPSHOT.jar
2747 - 4 bot-command- java.util.List b() 9%
keystroke-2.7.0-
SNAPSHOT.jar
email-3.3.0-
SNAPSHOT.jar
8940 - 3 browser-api-1.0.0- java.util.List b() 9%
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-
SNAPSHOT.jar
6630 147 - boot-bot-insight- .../LocallyBufferedFileOutputStream.java
1.0.0-SNAPSHOT- 35
all.jar
6546 147 - boot-bot-insight- .../LocallyBufferedFileOutputStream.java
1.0.0-SNAPSHOT- 44
all.jar
4463 150 - kernel-1.0.0- .../LogManagementServiceImpl.java 129
SNAPSHOT.jar
3324 160 - kernel-1.0.0- com/.../utils/MonitorUtils.java 40
SNAPSHOT.jar
4837 174 - bot-command- com/.../oab/OABAdapter.java 98
recorder-2.0.11-
SNAPSHOT.jar
2941 187 - bot-command-pdf- com/.../PdfRowBuilder.java 93
2.8.0-
SNAPSHOT.jar
3289 188 - boot-bot-insight- com/.../PermissionDaoImpl.java 354
1.0.0-SNAPSHOT-
all.jar
3290 188 - boot-bot-insight- com/.../PermissionDaoImpl.java 356
1.0.0-SNAPSHOT-
all.jar
3127 192 - bot-command- com/.../QueryTypeProvider.java 44
database-2.4.0-
SNAPSHOT.jar
3124 192 - bot-command- com/.../QueryTypeProvider.java 50
database-2.4.0-
SNAPSHOT.jar
5183 196 - node-manager-1.0- .../RDPLoginServiceImpl.java 273
SNAPSHOT.jar
3292 210 - boot-bot-insight- com/.../dao/impl/RoleDaoImpl.java 296
1.0.0-SNAPSHOT-
all.jar
3291 210 - boot-bot-insight- com/.../dao/impl/RoleDaoImpl.java 298
1.0.0-SNAPSHOT-
all.jar
3286 216 - bot-compiler.jar com/.../helper/ScriptUtil.java 183
2771 226 - bot-command- .../StandardInputOutputMessenger.java
browser-2.3.0- 41
SNAPSHOT.jar
5864 228 - aae-bot-scanner-ui- com/.../analysis/Summary.java 232


5.1.0-SNAPSHOT-
all.jar
3285 237 - triggerlistener-1.0- com/.../util/TriggerUtil.java 49
SNAPSHOT.jar
3293 243 - boot-bot-insight- com/.../dao/impl/UserDaoImpl.java 348
1.0.0-SNAPSHOT-
all.jar
3287 243 - boot-bot-insight- com/.../dao/impl/UserDaoImpl.java 350
1.0.0-SNAPSHOT-
all.jar
2787 - 25 bot-command- void !ctor(EncodingParameters) 10%
recorder-2.0.11-
SNAPSHOT.jar
2757 - 26 bot-command- void <clinit>(void) 37%
recorder-2.0.11-
SNAPSHOT.jar

About Veracode's Methodology

The Veracode platform uses static and dynamic analysis (for web applications) to identify software security flaws in your applications.
Using both static and dynamic analysis helps reduce false negatives and detect a broader range of security flaws. Veracode static
analysis models the application into an intermediate representation, which is then analyzed for security flaws using a set of automated
security tests. Dynamic analysis uses an automated penetration testing technique to detect security flaws at runtime. Once the automated
process is complete, a security technician verifies the output to ensure the lowest false positive rates in the industry. The end result
is an accurate list of security flaws for the classes of automated scans applied to the application.
Veracode Rating System Using Multiple Analysis Techniques

Higher assurance applications require more comprehensive analysis to accurately score their security quality. Because each analysis
technique (automated static, automated dynamic, manual penetration testing or manual review) has differing false negative (FN) rates
for different types of security flaws, any single analysis technique or even combination of techniques is bound to produce a certain level
of false negatives. Some false negatives are acceptable for lower business critical applications, so a less expensive analysis using only
one or two analysis techniques is acceptable. At higher business criticality the FN rate should be close to zero, so multiple analysis
techniques are recommended.
Application Security Policies

The Veracode platform allows an organization to define and enforce a uniform application security policy across all applications in its
portfolio. The elements of an application security policy include the target Veracode Level for the application; types of flaws that should
not be in the application (which may be defined by flaw severity, flaw category, CWE, or a common standard including OWASP,
CWE/SANS Top 25, or PCI); minimum Veracode security score; required scan types and frequencies; and grace period within which
any policy-relevant flaws should be fixed.
Policy constraints
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.
Evaluating applications against a policy

When an application is evaluated against a policy, it can receive one of four assessments:
Not assessed The application has not yet had a scan published
Passed The application has passed all the aspects of the policy, including rules, required scans, and grace period.
Did not pass The application has not completed all required scans; has not achieved the target Veracode Level; or has one or
more policy relevant flaws that have exceeded the grace period to fix.
Conditional pass The application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.
Understand Veracode Levels

The Veracode Level (VL) achieved by an application is determined by type of testing performed on the application, and the severity and
types of flaws detected. A minimum security score (defined below) is also required for each level.
There are five Veracode Levels denoted as VL1, VL2, VL3, VL4, and VL5. VL1 is the lowest level and is achieved by demonstrating
that security testing, automated static or dynamic, is utilized during the SDLC. VL5 is the highest level and is achieved by performing
automated and manual testing and removing all significant flaws. The Veracode Levels VL2, VL3, and VL4 form a continuum of
increasing software assurance between VL1 and VL5.
For IT staff operating applications, Veracode Levels can be used to set application security policies. For deployment scenarios of
different business criticality, differing VLs should be made requirements. For example, the policy for applications that handle credit card
transactions, and therefore have PCI compliance requirements, should be VL5. A medium business criticality internal application could
have a policy requiring VL3.
Software developers can decide which VL they want to achieve based on the requirements of their customers. Developers of software
that is mission critical to most of their customers will want to achieve VL5. Developers of general purpose business software may want

to achieve VL3 or VL4. Once the software has achieved a Veracode Level it can be communicated to customers through a Veracode
Report or through the Veracode Directory on the Veracode web site.
Criteria for achieving Veracode Levels

The following table defines the details to achieve each Veracode Level. The criteria for all columns: Flaw Severities Not
Allowed, Flaw Categories not Allowed, Testing Required, and Minimum Score.
*Dynamic is only an option for web applications.
Veracode Level Flaw Severities Not Allowed Testing Required* Minimum Score
VL5 V.High, High, Medium Static AND Manual 90
VL4 V.High, High, Medium Static 80
VL3 V.High, High Static 70
VL2 V.High Static OR Dynamic OR Manual 60
VL1 Static OR Dynamic OR Manual
When multiple testing techniques are used it is likely that not all testing will be performed on the exact same build. If that is the
case the latest test results from a particular technique will be used to calculate the current Veracode Level. After 6 months test
results will be deemed out of date and will no longer be used to calculate the current Veracode Level.
Business Criticality
The foundation of the Veracode rating system is the concept that more critical applications require higher security quality scores to be
acceptable risks. Less business critical applications can tolerate lower security quality. The business criticality is dictated by the typical
deployed environment and the value of data used by the application. Factors that determine business criticality are: reputation damage,
financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.
US. Govt. OMB Memorandum M-04-04; NIST FIPS Pub. 199
Business Criticality Description
Very High Mission critical for business/safety of life and limb on the line
High Exploitation causes serious brand damage and financial loss with long term business impact
Medium Applications connected to the internet that process financial or private customer information
Low Typically internal applications with non-critical business impact
Very Low Applications with no material business impact
Business Criticality Definitions

Very High (BC5) This is typically an application where the safety of life or limb is dependent on the system; it is mission critical
the application maintain 100% availability for the long term viability of the project or business. Examples are control software
for industrial, transportation or medical equipment or critical business systems such as financial trading systems.
High (BC4) This is typically an important multi-user business application reachable from the internet and is critical that the
application maintain high availability to accomplish its mission. Exploitation of high criticality applications cause serious brand
damage and business/financial loss and could lead to long term business impact.
Medium (BC3) This is typically a multi-user application connected to the internet or any system that processes financial or
private customer information. Exploitation of medium criticality applications typically result in material business impact resulting

in some financial loss, brand damage or business liability. An example is a financial services company's internal 401K
management system.
Low (BC2) This is typically an internal only application that requires low levels of application security such as authentication to
protect access to non-critical business information and prevent IT disruptions. Exploitation of low criticality applications may
lead to minor levels of inconvenience, distress or IT disruption. An example internal system is a conference room reservation
or business card order system.
Very Low (BC1) Applications that have no material business impact should its confidentiality, data integrity and availability be
affected. Code security analysis is not required for applications at this business criticality, and security spending should be
directed to other higher criticality applications.
Scoring Methodology
The Veracode scoring system, Security Quality Score, is built on the foundation of two industry standards, the Common Weakness
Enumeration (CWE) and Common Vulnerability Scoring System (CVSS). CWE provides the dictionary of security flaws and CVSS
provides the foundation for computing severity, based on the potential Confidentiality, Integrity and Availability impact of a flaw if
exploited.
The Security Quality Score is a single score from 0 to 100, where 0 is the most insecure application and 100 is an application with no
detectable security flaws. The score calculation includes non-linear factors so that, for instance, a single Severity 5 flaw is weighted
more heavily than five Severity 1 flaws, and so that each additional flaw at a given severity contributes progressively less to the score.
Veracode assigns a severity level to each flaw type based on three foundational application security requirements — Confidentiality,
Integrity and Availability. Each of the severity levels reflects the potential business impact if a security breach occurs across one or
more of these security dimensions.
Confidentiality Impact
According to CVSS, this metric measures the impact on confidentiality if a exploit should occur using the vulnerability on the
target system. At the weakness level, the scope of the Confidentiality in this model is within an application and is measured at
three levels of impact -None, Partial and Complete.
Integrity Impact
This metric measures the potential impact on integrity of the application being analyzed. Integrity refers to the trustworthiness
and guaranteed veracity of information within the application. Integrity measures are meant to protect data from unauthorized
modification. When the integrity of a system is sound, it is fully proof from unauthorized modification of its contents.
Availability Impact
This metric measures the potential impact on availability if a successful exploit of the vulnerability is carried out on a target
application. Availability refers to the accessibility of information resources. Almost exclusive to this domain are denial-of-
service vulnerabilities. Attacks that compromise authentication and authorization for application access, application memory,
and administrative privileges are examples of impact on the availability of an application.
Security Quality Score Calculation

The overall Security Quality Score is computed by aggregating impact levels of all weaknesses within an application and representing
the score on a 100 point scale. This score does not predict vulnerability potential as much as it enumerates the security weaknesses
and their impact levels within the application code.
The Raw Score formula puts weights on each flaw based on its impact level. These weights are exponential and determined by
empirical analysis by Veracode's application security experts with validation from industry experts. The score is normalized to a scale of
0 to 100, where a score of 100 is an application with 0 detected flaws using the analysis technique for the application's business
criticality.
Understand Severity, Exploitability, and Remediation Effort

Severity and exploitability are two different measures of the seriousness of a flaw. Severity is defined in terms of the potential impact to
confidentiality, integrity, and availability of the application as defined in the CVSS, and exploitability is defined in terms of the likelihood

or ease with which a flaw can be exploited. A high severity flaw with a high likelihood of being exploited by an attacker is potentially
more dangerous than a high severity flaw with a low likelihood of being exploited.
Remediation effort, also called Complexity of Fix, is a measure of the likely effort required to fix a flaw. Together with severity, the
remediation effort is used to give Fix First guidance to the developer.
Veracode Flaw Severities

Veracode flaw severities are defined as follows:
Severity Description
The offending line or lines of code is a very serious weakness and is an easy target for an
Very High
attacker. The code should be modified immediately to avoid potential attacks.
The offending line or lines of code have significant weakness, and the code should be
High
modified immediately to avoid potential attacks.
A weakness of average severity. These should be fixed in high assurance software. A fix for
Medium this weakness should be considered after fixing the very high and high for medium
assurance software.
This is a low priority weakness that will have a small impact on the security of the software.
Low Fixing should be consideration for high assurance software. Medium and low assurance
software can ignore these flaws.
Minor problems that some high assurance software may want to be aware of. These flaws
Very Low
can be safely ignored in medium and low assurance software.
Issues that have no impact on the security quality of the application but which may be of
Informational
interest to the reviewer.
Informational findings
Informational severity findings are items observed in the analysis of the application that have no impact on the security quality
of the application but may be interesting to the reviewer for other reasons. These findings may include code quality issues, API
usage, and other factors.
Informational severity findings have no impact on the security quality score of the application and are not included in the
summary tables of flaws for the application.
Exploitability
Each flaw instance in a static scan may receive an exploitability rating. The rating is an indication of the intrinsic likelihood that the flaw
may be exploited by an attacker. Veracode recommends that the exploitability rating be used to prioritize flaw remediation within a
particular group of flaws with the same severity and difficulty of fix classification.
The possible exploitability ratings include:
Exploitability Description
V. Unlikely Very unlikely to be exploited
Unlikely Unlikely to be exploited

Exploitability Description
Neutral Neither likely nor unlikely to be exploited.
Likely Likely to be exploited
V. Likely Very likely to be exploited
Note: All reported flaws found via dynamic scans are assumed to be exploitable, because the dynamic scan actually executes
the attack in question and verifies that it is valid.
Effort/Complexity of Fix
Each flaw instance receives an effort/complexity of fix rating based on the classification of the flaw. The effort/complexity of fix
rating is given on a scale of 1 to 5, as follows:
Effort/Complexity of Fix Description
5 Complex design error. Requires significant redesign.
4 Simple design error. Requires redesign and up to 5 days to fix.
3 Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
2 Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
1 Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
Flaw Types by Severity Level

The flaw types by severity level table provides a summary of flaws found in the application by Severity and Category. The table puts the
Security Quality Score into context by showing the specific breakout of flaws by severity, used to compute the score as described
above. If multiple analysis techniques are used, the table includes a breakout of all flaws by category and severity for each analysis
type performed.
Flaws by Severity
The flaws by severity chart shows the distribution of flaws by severity. An application can get a mediocre security rating by having a few
high risk flaws or many medium risk flaws.
Flaws in Common Modules

The flaws in common modules listing shows a summary of flaws in shared dependency modules in this application. A shared
dependency is a dependency that is used by more than one analyzed module. Each module is listed with the number of executables
that consume it as a dependency and a summary of the impact on the application's security score of the flaws found in the dependency.
The score impact represents the amount that the application score would increase if all the flaws in the shared dependency module
were fixed. This information can be used to focus remediation efforts on common modules with a higher impact on the application
security score.
Only common modules that were uploaded with debug information are included in the Flaws in Common Modules listing.

Action Items
The Action Items section of the report provides guidance on the steps required to bring the application to a state where it passes its
assigned policy. These steps may include fixing or mitigating flaws or performing additional scans. The section also includes best
practice recommendations to improve the security quality of the application.
Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is an industry standard classification of types of software weaknesses, or flaws, that can
lead to security problems. CWE is widely used to provide a standard taxonomy of software errors. Every flaw in a Veracode report is
classified according to a standard CWE identifier.
More guidance and background about the CWE is available at http://cwe.mitre.org/data/index.html.
About Manual Assessments

The Veracode platform can include the results from a manual assessment (usually a penetration test or code review) as part of a report.
These results differ from the results of automated scans in several important ways, including objectives, attack vectors, and common
attack patterns.
A manual penetration assessment is conducted to observe the application code in a run-time environment and to simulate real-world
attack scenarios. Manual testing is able to identify design flaws, evaluate environmental conditions, compound multiple lower risk flaws
into higher risk vulnerabilities, and determine if identified flaws affect the confidentiality, integrity, or availability of the application.
Objectives
The stated objectives of a manual penetration assessment are:
• Perform testing, using proprietary and/or public tools, to determine whether it is possible for an attacker to:
• Circumvent authentication and authorization mechanisms
• Escalate application user privileges
• Hijack accounts belonging to other users
• Violate access controls placed by the site administrator
• Alter data or data presentation
• Corrupt application and data integrity, functionality and performance
• Circumvent application business logic
• Circumvent application session management
• Break or analyze use of cryptography within user accessible components
• Determine possible extent access or impact to the system by attempting to exploit vulnerabilities
• Score vulnerabilities using the Common Vulnerability Scoring System (CVSS)
• Provide tactical recommendations to address security issues of immediate consequence
Provide strategic recommendations to enhance security by leveraging industry best practices
Attack vectors
In order to achieve the stated objectives, the following tests are performed as part of the manual penetration assessment,
when applicable to the platforms and technologies in use:
• Cross Site Scripting (XSS)

• SQL Injection
• Command Injection
• Cross Site Request Forgery (CSRF)
• Authentication/Authorization Bypass
• Session Management testing, e.g. token analysis, session expiration, and logout effectiveness
• Account Management testing, e.g. password strength, password reset, account lockout, etc.
• Directory Traversal
• Response Splitting
• Stack/Heap Overflows
• Format String Attacks

• Cookie Analysis
• Server Side Includes Injection
• Remote File Inclusion
• LDAP Injection
• XPATH Injection
• Internationalization attacks
• Denial of Service testing at the application layer only
• AJAX Endpoint Analysis
• Web Services Endpoint Analysis
• HTTP Method Analysis
• SSL Certificate and Cipher Strength Analysis
• Forced Browsing
CAPEC Attack Pattern Classification

The following attack pattern classifications are used to group similar application flaws discovered during manual penetration
testing. Attack patterns describe the general methods employed to access and exploit the specific weaknesses that exist
within an application. CAPEC (Common Attack Pattern Enumeration and Classification) is an effort led by Cigital, Inc. and is
sponsored by the United States Department of Homeland Security's National Cyber Security Division.
Abuse of Functionality
Exploitation of business logic errors or misappropriation of programmatic resources. Application functions are developed to
specifications with particular intentions, and these types of attacks serve to undermine those intentions.
Examples:
• Exploiting password recovery mechanisms

• Accessing unpublished or test APIs
• Cache poisoning
Spoofing
Impersonation of entities or trusted resources. A successful attack will present itself to a verifying entity with an acceptable
level of authenticity.
Examples:
• Man in the middle attacks

• Checksum spoofing
• Phishing attacks
Probabilistic Techniques
Using predictive capabilities or exhaustive search techniques in order to derive or manipulate sensitive information. Attacks
capitalize on the availability of computing resources or the lack of entropy within targeted components.
Examples:
• Password brute forcing

• Cryptanalysis
• Manipulation of authentication tokens
Exploitation of Authentication
Circumventing authentication requirements to access protected resources. Design or implementation flaws may allow
authentication checks to be ignored, delegated, or bypassed.
Examples:
• Cross-site request forgery

• Reuse of session identifiers
• Flawed authentication protocol

Resource Depletion
Affecting the availability of application components or resources through symmetric or asymmetric consumption. Unrestricted
access to computationally expensive functions or implementation flaws that affect the stability of the application can be
targeted by an attacker in order to cause denial of service conditions.
Examples:
• Flooding attacks
• Unlimited file upload size
• Memory leaks
Exploitation of Privilege/Trust
Undermining the application's trust model in order to gain access to protected resources or gain additional levels of access as
defined by the application. Applications that implicitly extend trust to resources or entities outside of their direct control are
susceptible to attack.
Examples:
• Insufficient access control lists

• Circumvention of client side protections
• Manipulation of role identification information
Injection
Inserting unexpected inputs to manipulate control flow or alter normal business processing. Applications must contain
sufficient data validation checks in order to sanitize tainted data and prevent malicious, external control over internal
processing.
Examples:
• SQL Injection
• Cross-site scripting
• XML Injection
Data Structure Attacks

Supplying unexpected or excessive data that results in more data being written to a buffer than it is capable of holding.
Successful attacks of this class can result in arbitrary command execution or denial of service conditions.
Examples:
• Buffer overflow
• Integer overflow
• Format string overflow
Data Leakage Attacks

Recovering information exposed by the application that may itself be confidential or may be useful to an attacker in discovering
or exploiting other weaknesses. A successful attack may be conducted passive observation or active interception methods.
This attack pattern often manifests itself in the form of applications that expose sensitive information within error messages.
Examples:
• Sniffing clear-text communication protocols

• Stack traces returned to end users
• Sensitive information in HTML comments
Resource Manipulation
Manipulating application dependencies or accessed resources in order to undermine security controls and gain unauthorized
access to protected resources. Applications may use tainted data when constructing paths to local resources or when
constructing processing environments.

Examples:
• Carriage Return Line Feed log file injection

• File retrieval via path manipulation
• User specification of configuration files
Time and State Attacks

Undermining state condition assumptions made by the application or capitalizing on time delays between security checks and
performed operations. An application that does not enforce a required processing sequence or does not handle concurrency
adequately will be susceptible to these attack patterns.
Examples:
• Bypassing intermediate form processing steps

• Time-of-check and time-of-use race conditions
• Deadlock triggering to cause a denial of service
Terms of Use
Use and distribution of this report are governed by the agreement between Veracode and its customer. In particular, this report and the
results in the report cannot be used publicly in connection with Veracode’s name without written permission.

Appendix A: Changes from Last Scan

Latest Scan Prior Scan
Static Scan
Scan Name: A2019.19-Patch Scan Name: 1_2021-03-04-16:00:34-cr
Completed: 06/03/21 Completed: 04/03/21
Score: 94 Score: 86
Changes in scope of scan (static)

New Modules


Version
all.jar 2837
2837
bot-asynchronous-messenger-1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar_htmljscode.veracodegen 2837
.htmla.jsa
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
bot-command-csvtxt-2.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
bot-command-email-3.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
bot-command-folder-3.1.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837


Version
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
bot-command-rundll-3.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
.htmla.jsa
2837
bot-command-string-3.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
2837
2837
bot-launcher-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
bot-launcher-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
.htmla.jsa
JS files within cr-frontend.zip JAVASCRIPT_5_1 JavaScript 2021021920
2837
log-collector-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920


Version
2837
node-manager-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
node-manager-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
.htmla.jsa
node-manager-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
operationsroom-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
organizations-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
packages-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
proxy-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
queryfilter-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
realtimeservice-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
repository-consistency-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
requeststatus-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
requeststatus-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
scheduler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
scheduler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
serverrepository-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
settings-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
settings-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
spcompiler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
spcompiler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
tenants-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
token-refresh-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
token-refresh-api-1.0.0.jar JAVAC_11 Java J2SE 11 2021021920
2837
trigger-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
trigger-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837


Version
triggerlistener-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
triggerlistener-1.0- JAVASCRIPT_5_1 JavaScript 2021021920
.htmla.jsa
upgrades-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
upgrades-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
usermanagement-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
usermanagement-api-1.0.0- JAVAC_8 Java J2SE 8 2021021920
SNAPSHOT.jar 2837
wlm-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
wlm-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2021021920
2837
Removed modules


Version
all.jar 2837
2837
SNAPSHOT.jar 2837
bot-command-activedirectory-2.3.0- JAVASCRIPT_5_1 JavaScript 2021021920
.htmla.jsa
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
bot-command-csvtxt-2.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
bot-command-email-3.4.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
bot-command-folder-3.2.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-gsuite-authorization-2.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-gsuite-calendar-2.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-gsuite-drive-2.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
bot-command-gsuite-sheets-2.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837


Version
2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
bot-command-operation-1.0.0- JAVASCRIPT_5_1 JavaScript 2021021920
.htmla.jsa
2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837
bot-command-rundll-4.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
.htmla.jsa
2837
bot-command-string-3.3.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
2837
SNAPSHOT.jar 2837
SNAPSHOT.jar 2837
.htmla.jsa
SNAPSHOT.jar 2837


Version
2837
2837
bot-gsuite-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2021021920
2837
serverrepository-sdk-1.0.0- JAVAC_11 Java J2SE 11 2021021920
SNAPSHOT.jar 2837
Flaws not detected in current scan

The following is a list of all flaws found in the prior scan of this application that were not detected in the current scan.
Medium (18 flaws) Fix Required by Policy.
Directory Traversal(18 flaws*)
External Control of File Name or Path (CWE ID 73)(18 flaws*)

8764 19 - kernel-1.0.0- .../AttributeCodeGeneratorImpl.java 1063
SNAPSHOT.jar
8767 19 - kernel-1.0.0- .../AttributeCodeGeneratorImpl.java 1081
SNAPSHOT.jar
8608 39 - boot-bot-insight- .../CertificateAuthFileServiceImpl.java 60
1.0.0-SNAPSHOT-
all.jar
1.0.0-SNAPSHOT-
all.jar
1.0.0-SNAPSHOT-
all.jar
1.0.0-SNAPSHOT-
all.jar
8609 39 - boot-bot-insight- .../CertificateAuthFileServiceImpl.java
1.0.0-SNAPSHOT- 101
all.jar
1.0.0-SNAPSHOT- 120
all.jar
1.0.0-SNAPSHOT- 121
all.jar
1.0.0-SNAPSHOT- 139
all.jar
1.0.0-SNAPSHOT- 171
all.jar


1.0.0-SNAPSHOT- 186
all.jar
8765 180 - kernel-1.0.0- .../impl/PackageServiceImpl.java 503
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
Low (5 flaws)
Insertion of Sensitive Information Into Sent Data (CWE ID 201)(4 flaws)

email-3.4.0-
SNAPSHOT.jar
image-recognition-
2.2.0-
SNAPSHOT.jar
8199 - 16 bot-command- java.util.List c() 76%
image-recognition-
2.2.0-
SNAPSHOT.jar
8200 - 5 bot-command- java.util.List c() 76%
image-recognition-
2.2.0-
SNAPSHOT.jar
Time and State(1 flaw)

J2EE Bad Practices: Use of System.exit() (CWE ID 382)(1 flaw)

8579 55 - crutils-1.0.0- com/.../utils/ConsoleUtils.java 34
SNAPSHOT.jar
Info (4 flaws)
Improper Resource Shutdown or Release (CWE ID 404)(4 flaws)

email-3.4.0-
SNAPSHOT.jar
8734 179 - devices-1.0.0- .../PackageDownloadServiceImpl.java
SNAPSHOT.jar 337
7965 226 - bot-command- .../StandardInputOutputMessenger.java
activedirectory- 46
2.3.0-
SNAPSHOT.jar
8491 227 - bot-command-poi- .../StreamingSheetWriter.java 66
2.5.0-
SNAPSHOT.jar

Appendix B: Approved Mitigated Flaws (by Automation Anywhere)

NOTE: Except in circumstances where the Customer has purchased Veracode’s Mitigation Proposal Review Solution, Veracode does
not review the mitigation strategy described below and is not responsible for its contents or the accuracy of any statements provided.
Very High (9 flaws) Fix Required by Policy: Flaw no longer impacts results..
Flaw continues to impact results.
Untrusted Search Path(6 flaws)
Process Control (CWE ID 114)(6 flaws)

Flaw Id Exploitability Module # Class # Module Location
3130 Neutral 93 - bot-command-ocr- com/.../abbyy/FREngine/Engine.java 238
abbyy-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (jniwrapper).
Approve Mitigation (Automation Anywhere): Approved

2895 Neutral 140 - bot-command- com/.../tterm/JTTerm.java 1022
terminalemulator-
3.7.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (turbosoft).

2943 Neutral 146 - bot-command-file- com/.../chilkat/LibraryLoader.java 85
3.2.0-SNAPSHOT.jar
Mitigate by Design (Automation Anywhere):

Technique : M1 : Establish and maintain control over all of your inputs
Specifics : It loads library from a temp location. The temp location is created by the same method and
hence the location is a trusted location.
Remaining Risk : Little to none.
Verification : Manually reviewed with security team.

3140 Neutral 171 - bot-command-ftp- com/.../utility/NativeUtils.java 111
2.2.0-SNAPSHOT.jar

Specifics : It loads library from a temp location. The temp location is created by the same method and

3090 Neutral - 17 bot-trigger-file-folder- void b(java.lang.String) 96%
1.1.0-SNAPSHOT.jar

Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper). Since
the library is complaint with cross platform , need load native library and initialize the watching process in
native system.

3274 Neutral - 1 bot-command- void loadLibrary(java.lang.String) 96%
keystroke-2.7.0-
SNAPSHOT.jar
Command or Argument Injection(3 flaws)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

(CWE ID 78)(3 flaws)

7721 Likely 79 - node-manager-1.0- .../DeviceUpgradeHandler.java 160
SNAPSHOT.jar

Specifics : Path is constructed from the temp directory and is used for writing logs to it. This file will be
used by the installer to write the installation related information. We are not reading any data from it.
Remaining Risk : Little to none
Verification : Code review

4502 Likely 94 - audit-1.0.0- com/.../util/ESInstallerUtil.java 546
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The inputs are set by trusted admin during installation.

7736 Likely 196 - node-manager-1.0- .../RDPLoginServiceImpl.java 138
SNAPSHOT.jar


Specifics : Establish and maintain control over all of your inputs, Inputs are set by trusted admin
Remaining Risk : None
High (53 flaws) Fix Required by Policy: Flaw no longer impacts results..
SQL Injection(53 flaws)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE
ID 89)(27 flaws)

2996 Neutral 1 - serverrepository- com/.../impl/AAFileDaoImplV2.java 375
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The IN clause in the query has been split into
multiple statements as DBMS has limits on maximum elements in a single IN clause. The parameter
values are not concatenated here.

1.0.0-SNAPSHOT.jar

Specifics : The IN clause is being split into multiple clauses due to DBMS limits. There is no user input
concatenation.

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar


1.0.0-SNAPSHOT.jar

8351 Likely 63 - credentialvault-1.0.0- .../CredentialAttributeValueDaoImpl.java
SNAPSHOT.jar 117

Specifics : Parameterized statements here throws error in case large number of records found in IN
clause. The input parameter is generated via internal function and not accepted as input from end user.
(Refer 11.3.4.2 flaw id - 21392).
Verification : Manual code review

2978 Neutral 77 - serverrepository- com/.../DependencyDaoImpl.java 167
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The DBMS IN clause is being split into multiple
statements as DBMS limit maximum elements into a single IN clause. This is not an SQL Injection.

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar


6160 Neutral 85 - bot-lifecycle- .../DurableMessageTransactionalPublishe
management-1.0.0- r.java 262
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : No user input has been used to form the query.

8358 Neutral 115 - serverrepository- .../FolderAttributesDaoImpl.java 48
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The IN clause has been split into multiple IN
clauses as DBMS has a limit on maximum elements in a single IN clause. There is no user value
concatenation.

2987 Neutral 156 - serverrepository- .../ManualDependencyDaoImpl.java 188
1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

8385 Neutral 178 - kernel-1.0.0- com/.../impl/PackageDaoMTImpl.java 451
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): All the user inputs in the SQL are parameterized.

8317 Neutral 178 - packages-1.0.0- com/.../impl/PackageDaoMTImpl.java 494


SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

8370 Neutral 188 - usermanagement- com/.../PermissionDaoImpl.java 131
1.0.0-SNAPSHOT.jar

clause. The input parameter is generated via internal function and not accepted as input from end user. It
calls QueryUtils.appendMultipleInClauses method. (Refer 11.3.4.2 flaw id - 21392)

8369 Neutral 244 - usermanagement- .../impl/UserDetailsDaoImpl.java 107
1.0.0-SNAPSHOT.jar


(Refer 11.3.4.2 flaw id - 21392)

1.0.0-SNAPSHOT.jar
concatenation.
SQL Injection: Hibernate (CWE ID 564)(26 flaws)

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar



3046 Likely 63 - credentialvault-1.0.0- .../CredentialAttributeValueDaoImpl.java
SNAPSHOT.jar 117

(Refer 11.3.4.2 flaw id - 21392).
Verification : Manual review with security team.

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

6162 Neutral 85 - bot-lifecycle- .../DurableMessageTransactionalPublishe
management-1.0.0- r.java 250
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


6161 Neutral 85 - credentialvault-1.0.0- .../DurableMessageTransactionalPublishe
SNAPSHOT.jar/boot- r.java 532
bot-insight-1.0.0-
SNAPSHOT-all.jar



6163 Neutral 85 - credentialvault-1.0.0- .../DurableMessageTransactionalPublishe
SNAPSHOT.jar/boot- r.java 663
bot-insight-1.0.0-
SNAPSHOT-all.jar


3464 Neutral 115 - serverrepository- .../FolderAttributesDaoImpl.java 48
1.0.0-SNAPSHOT.jar
concatenation.

2923 Neutral 120 - license-1.0.0- com/.../util/jpa/HQLHelper.java 158
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The user inputs are passed are provided via
parameters. The query contruction here includes a constant which is the column name. No user inputs
are concatenated.
Approve Mitigation (Automation Anywhere): Approved. The issues are already mitigated and
approved previously (Old Flaw ID: 35058-> New Flaw ID 41256, Old Flaw ID: 35059 -> New Flaw ID:
41258, Old Flaw ID: 35060 -> New Flaw ID: 41257 )
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
are concatenated.
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
are concatenated.

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar


SNAPSHOT.jar

3156 Neutral 188 - usermanagement- com/.../PermissionDaoImpl.java 131
1.0.0-SNAPSHOT.jar

clause. The input parameter is generated via internal function and not accepted as input from end user. It
calls QueryUtils.appendMultipleInClauses method. (Refer 11.3.4.2 flaw id - 21392)
Verification : Manually reviewed with security team

1.0.0-SNAPSHOT.jar

(Refer 11.3.4.2 flaw id - 21392)
Verification : Manually reviewed by Security team
Medium (584 flaws) Fix Required by Policy: Flaw no longer impacts results..
Directory Traversal(411 flaws)
External Control of File Name or Path (CWE ID 73)(411 flaws)

6049 Likely 9 - recorder-sdk-2.0.8- .../AISenseExecutionContext.java 243
SNAPSHOT.jar



Specifics : Temp file path is used for image processing, gets deleted on bot exit.
Verification : code review.

4809 Likely 9 - recorder-sdk-2.0.8- .../AISenseExecutionContext.java 262
SNAPSHOT.jar

Specifics : External path used for image and metadata file processing
Remaining Risk : none
Verification : reviewed

4833 Likely 10 - recorder-sdk-2.0.8- com/.../util/AISenseUtils.java 44
SNAPSHOT.jar

Specifics : External path used for image and metadata processing

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar



Specifics : External path is generated runtime to pass store image which is being used by external
module
Verification : Reviewed with security team earlier

SNAPSHOT.jar

Specifics : External path used for image and metadata processing

SNAPSHOT.jar

Specifics : External path used for image processing

SNAPSHOT.jar


4823 Likely 11 - recorder-sdk-2.0.8- com/.../jxcapture/al.class.java 1
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar

Specifics : Issue is reported from third party library
Remaining Risk : Little to None
Verification : Self-reviewed

6156 Neutral 12 - organizations-1.0.0- .../AmazonS3StagingServiceImpl.java
SNAPSHOT.jar 363


Specifics : The path is set by the trusted admin of the system.

6153 Neutral 12 - organizations-1.0.0- .../AmazonS3StagingServiceImpl.java
SNAPSHOT.jar 363

Specifics : The path is set by the trusted admin of the system.

3065 Likely 13 - aae-bot-scanner-ui- com/.../analysis/Analyze.java 83
5.1.0-
SNAPSHOT.jar/aae-
bot-scanner-ui-5.1.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The file being used internal and trusted.

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The file is used internally and trusted

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The file is used internally and trusted

5853 Likely 18 - migration-1.0.0- com/.../model/AtmxBot.java 82
SNAPSHOT.jar

Specifics : The path is created within application routines and does not take input from the user.



SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


6618 Neutral 19 - kernel-1.0.0- .../AttributeCodeGeneratorImpl.java 1043


SNAPSHOT.jar

Specifics : The method is used to get the absolute path of the local drive to store the generated source
files. There is no external control of this path, it is completely managed by compiler module.
Verification : code review

6537 Neutral 21 - kernel-1.0.0- .../impl/BiBlmExportAPIImpl.java 123
SNAPSHOT.jar

Specifics : Path refers to predefined path which is set by the application itself. Its not been taken by the
user input

5634 Likely 22 - aae-bot-scanner-ui- com/.../ui/BotAnalysis.java 79
5.1.0-SNAPSHOT.jar

Specifics : Part of internal API. The path is created internally and not provided by the user.
Remaining Risk : little to none.
Verification : manual review

5.1.0-SNAPSHOT.jar

Specifics : As data come from the application and not entered by the user
Remaining Risk : Little/None

5.1.0-SNAPSHOT.jar

Specifics : Paths generated by logic based on user inputs


5.1.0-SNAPSHOT.jar


5.1.0-SNAPSHOT.jar


6679 Neutral 24 - serverrepository- .../BotDependencyResource.java 55
1.0.0-SNAPSHOT.jar

Specifics : The patch constructed by system not provided by the user
Remaining Risk : little to none

6536 Neutral 25 - kernel-1.0.0- .../BotInsightBLMService.java 94
SNAPSHOT.jar

Specifics : Path refers to predefined path which is set by the application itself. Its not been taken by the
user input

6529 Neutral 25 - boot-bot-insight- .../BotInsightBLMService.java 282
1.0.0-SNAPSHOT-
all.jar

Specifics : Path refers to predefined path which is set by the trusted user of the application. Its not been
taken by the user input


Verification : Code Review

3035 Likely 26 - migration-1.0.0- .../BotInsightDashboardMigrationService.j
SNAPSHOT.jar ava 100

Specifics : This reads details from the properties file which is set during installation by a trusted admin.

4316 Neutral 28 - ignite-server-2.8.1.1- com/.../toolchain/BotService.java 233
SNAPSHOT.jar
Mitigated by Custom Cleansing Function (Veracode): This flaw was proposed as a mitigation by the
custom cleansing function "botcore.api.dto.CommandMetrics
getCommandMetrics(botcore.api.dto.GetCommandMetricsRequest)".

6436 Neutral 30 - kernel-1.0.0- .../BotStoreSubscriber.java 194
SNAPSHOT.jar

Specifics : The path constructed by the system not provided by the user.

4819 Likely 32 - browser-api-1.0.0- com/.../jniwrapper/bu.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): These codes are from the third party library.

3272 Likely 33 - bot-command- com/.../com/jniwrapper/bu.java 1
msexcel-5.4.0-
SNAPSHOT.jar

2958 Likely 34 - bot-command- com/.../com/jniwrapper/bv.java 1
keystroke-2.7.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper)


6678 Likely 35 - aae-bot-scanner-ui- com/.../sdk/utils/CacheUtils.java 161
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The Path is constructed internally and no part of it
is provided by user. Hence the path cannot be manipulated.

6677 Likely 35 - aae-bot-scanner-ui- com/.../sdk/utils/CacheUtils.java 161
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The Path is constructed internally and no part of it
is provided by user. Hence the path cannot be manipulated.

2909 Likely 43 - bot-asynchronous- .../ChronicleQueueAsyncImpl.java 75
messenger-1.0-
SNAPSHOT.jar

Specifics : This is a path validation routine.

messenger-1.0-
SNAPSHOT.jar

Specifics : This is a path validation routine.

2914 Likely 43 - triggerlistener-1.0- .../ChronicleQueueAsyncImpl.java 81
SNAPSHOT.jar

Specifics : This is used for internal system communication and does not take input from non-trusted
sources.



SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Duplicate issue

SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Duplicate record

SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar




messenger-1.0-
SNAPSHOT.jar
custom cleansing function "void cleanOldData()".

messenger-1.0-
SNAPSHOT.jar
custom cleansing function "void cleanOldData()".

3256 Likely 43 - bot-launcher-1.0- .../ChronicleQueueAsyncImpl.java 234
SNAPSHOT.jar

Specifics : All The value of the path coming from trusted location.


3255 Likely 43 - bot-launcher-1.0- .../ChronicleQueueAsyncImpl.java 236
SNAPSHOT.jar



2886 Likely 44 - bot-tester-1.0- com/.../impl/CleanerImpl.java 170
SNAPSHOT.jar/bot-
command-browser-
2.3.0-SNAPSHOT.jar
custom cleansing function "void deleteFunctions(dataobject.BotContext)".

2884 Likely 44 - bot-tester-1.0- com/.../impl/CleanerImpl.java 170
SNAPSHOT.jar/bot-
command-browser-
2.3.0-SNAPSHOT.jar


2883 Likely 44 - bot-engine-1.0- com/.../impl/CleanerImpl.java 172
SNAPSHOT.jar

3252 Likely 44 - bot-launcher-1.0- com/.../impl/CleanerImpl.java 179
SNAPSHOT.jar
custom cleansing function "botengine.dataobject.BotContext loadBotContext(java.lang.String)".

2866 Likely 45 - log-collector-1.0- com/.../services/Collector.java 60
SNAPSHOT.jar

Specifics : All The value of the path coming from trusted location.The non-trusted path will not be
accepted by application

3578 Likely 46 - log-collector-1.0- com/.../CollectorState.java 27
SNAPSHOT.jar

Specifics : The path refers to a specific location within system and does not set via user input.

SNAPSHOT.jar

Specifics : The path refers to a specific location within system and does not set via user input.

SNAPSHOT.jar
custom cleansing function "void checkpoint()".


3014 Likely 49 - kernel-1.0.0- .../CompositeFileDependency.java 32
SNAPSHOT.jar

Specifics : The paths used are set by trusted admin and validated.

3024 Likely 49 - kernel-1.0.0- .../CompositeFileDependency.java 39
SNAPSHOT.jar


5168 Likely 50 - bot-command- .../CompositeX509ExtendedTrustManage
javascript-2.5.0- r.java 190
SNAPSHOT.jar

Specifics : The path is fetched from system properties.

3028 Likely 51 - migration-1.0.0- com/.../CompressedArchive.java 31
SNAPSHOT.jar

Specifics : The path is validated and set by a trusted user.

3016 Likely 51 - migration-1.0.0- com/.../CompressedArchive.java 31
SNAPSHOT.jar

Specifics : The path is validated and set by a trusted user.


3135 Likely 52 - bot-command- com/.../Configuration.java 39
javascript-2.5.0-
SNAPSHOT.jar

Specifics : It reads property files from internal properties folder and does not accept input from un trusted
sources.
Remaining Risk : Little or none


3208 Likely 54 - node-manager-1.0- com/.../Configuration.java 51
SNAPSHOT.jar

sources.


SNAPSHOT.jar

sources.


SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Duplicate issue

SNAPSHOT.jar

sources.



2865 Likely 53 - log-collector-1.0- com/.../Configuration.java 68
SNAPSHOT.jar

sources.


SNAPSHOT.jar

Specifics : The path refers to system configuration and does not take user input.

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


Specifics : Path is constructed from the parameter

SNAPSHOT.jar


SNAPSHOT.jar

Specifics : Path is constructed with the user directory

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar



SNAPSHOT.jar


SNAPSHOT.jar

Specifics : It reads property files from internal properties folder and does not accept input from untrusted

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar



SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar
custom cleansing function "java.lang.String localFilePath(java.lang.String, devices.api.dto.Dependency,
GlobalCacheServiceImpl$ExecutionInfo)".

SNAPSHOT.jar


SNAPSHOT.jar




SNAPSHOT.jar


SNAPSHOT.jar

Specifics : Path is constructed from the user directory

SNAPSHOT.jar


2882 Likely 59 - bot-engine-1.0- com/.../utils/ContextHelper.java 44
SNAPSHOT.jar
custom cleansing function "void addToClasspath(java.lang.String, java.lang.ClassLoader)".

2878 Likely 59 - bot-command- com/.../utils/ContextHelper.java 87
browser-2.3.0-
SNAPSHOT.jar
custom cleansing function "void copyJarResourcesToDirectory(java.util.jar.JarFile, java.lang.String,
java.lang.String)".

4600 Likely 59 - bot-engine-1.0- com/.../utils/ContextHelper.java 141


SNAPSHOT.jar

Specifics : The path is set by trusted user.

3273 Likely 61 - bot-command- com/.../win32/jexcel/cQ.java 1
msexcel-5.4.0-
SNAPSHOT.jar

Specifics : This is appearing through jniwrapper, a third party API teamdev which we are using for excel
commands
Verification : verification through code

3296 Neutral 62 - kernel-1.0.0- .../CRConfigurationServiceImpl.java 632
SNAPSHOT.jar

Specifics : The path is set by a trusted admin during the initial configuration.

SNAPSHOT.jar

Specifics : This checks the access to the given path during validation process. The path is set by trusted
admin.

SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This is a path validation routine.

3314 Neutral 69 - kernel-1.0.0- com/.../CsvFileConnection.java 30
SNAPSHOT.jar

Potential False Positive (Automation Anywhere): There is no untrusted user input in 'filePath', it is set
internally.
Potential False Positive (Automation Anywhere): There is no untrusted user input in 'filePath', it is set
internally.

5680 Likely 73 - audit-1.0.0- .../db/DBConfigProperties.java 52
SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

Specifics : The path is configuration directory set by trusted admin during installation.

SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

Specifics : The path is to get configurations and set by trusted admin.

SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

Specifics : The path is configuration directory set by trusted admin during installation.

2898 Likely 78 - bot-command- .../DependencyResolverImpl.java 56
terminalemulator-
3.7.0-SNAPSHOT.jar

Verification : The non-trusted path will not be accepted by application



terminalemulator-
3.7.0-SNAPSHOT.jar
Mitigate by Network Environment (Automation Anywhere):

Remaining Risk : The non-trusted path will not be accepted by application
Verification : Manual Code Review

terminalemulator-
3.7.0-SNAPSHOT.jar

Specifics : Specifics : All The value of the path coming from trusted location.

terminalemulator-
3.7.0-SNAPSHOT.jar

The non-trusted path will not be accepted by application

7734 Likely 82 - node-manager-1.0- .../DiagnosticServiceImpl.java 72
SNAPSHOT.jar

Specifics : The path is fetched from the configurations.

SNAPSHOT.jar


Specifics : Path is constructed from the Java home and not from any untrusted source

SNAPSHOT.jar

Specifics : Path is constructed from the Java home and not from any untrusted source

SNAPSHOT.jar

Specifics : Path is constructed from the Java Home and not from untrusted source

6138 Likely 86 - aggregator-1.0.0- .../DurableMessagingBase.java 92
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
custom cleansing function "java.lang.String getBrokerUrl(void)".

4812 Likely 87 - browser-api-1.0.0- com/.../win32/e.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-SNAPSHOT.jar

3279 Likely 88 - bot-command- com/.../jniwrapper/win32/e.java 1
keystroke-2.7.0-
SNAPSHOT.jar

abbyy-2.4.0-
SNAPSHOT.jar

Potential False Positive (Automation Anywhere): Files are created within the program. There is no
user input provided to create the file name

abbyy-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): File names are created using constants. They are
not taken from user input

3129 Likely 93 - bot-command-ocr- com/.../abbyy/FREngine/Engine.java 297
abbyy-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (abby).

abbyy-2.4.0-
SNAPSHOT.jar

abbyy-2.4.0-
SNAPSHOT.jar

abbyy-2.4.0-
SNAPSHOT.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The path is set by the trusted admin during installation.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar



SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The path is set via trusted system admin during the installation.


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar



SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar





SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar




2918 Likely 95 - audit-1.0.0- com/.../ESRestClient.java 171
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : Specifics : System property can only be altered by trusted administrator.
Verification : Code reivew

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : System property can only be altered by trusted administrator.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The path is set by trusted admin.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar




SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


2831 Likely 99 - ignite-2.8.1.1- com/.../ignite/ExternalConfig.java 111
SNAPSHOT.jar

Specifics : The input 'propDir' is not controlled externally. It is set by a trusted admin.



4601 Likely 100 - bot-engine-1.0- .../ExternalEnvironmentImpl.java 55
SNAPSHOT.jar/bot-
command-browser-
2.3.0-SNAPSHOT.jar

Specifics : It gets the environment path from the bot context, which is a trusted source.

2938 Likely 100 - bot-tester-1.0- .../ExternalEnvironmentImpl.java 69
SNAPSHOT.jar/bot-
command-browser-
2.3.0-SNAPSHOT.jar
custom cleansing function "void openFunction(java.util.UUID, bot.service.SupportedLanguage)".

Specifics : Specifics : It gets the environment path from the bot context, which is a trusted source.

2939 Likely 100 - bot-tester-1.0- .../ExternalEnvironmentImpl.java 69
SNAPSHOT.jar/bot-
command-browser-
2.3.0-SNAPSHOT.jar
custom cleansing function "void openFunction(java.util.UUID, bot.service.SupportedLanguage)".

Specifics : It gets the environment path from the bot context, which is a trusted source.

2950 Likely 101 - bot-command- .../FileAttributePathHelper.java 52
activedirectory-2.2.0-
SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar


Specifics : The path is set by a trusted admin of the system.

SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar

Specifics : The path is set by a trusted admin of the system.

SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar

Specifics : The path is set by a trusted admin of the system

3023 Likely 102 - kernel-1.0.0- .../FileDependencyServiceImpl.java 70
SNAPSHOT.jar

Remaining Risk : little or none

7795 Neutral 105 - kernel-1.0.0- com/.../impl/FileServiceImpl.java 41
SNAPSHOT.jar

Specifics : The path is constructed by the system and does not take any user input.


3123 Likely 104 - file-folder-sdk-2.0.0- com/.../file/FileServiceImpl.java 52
SNAPSHOT.jar/bot-
command-
application-2.1.0-
SNAPSHOT.jar
custom cleansing function "java.io.File getInstant(java.lang.String)".

7788 Neutral 105 - kernel-1.0.0- com/.../impl/FileServiceImpl.java 53
SNAPSHOT.jar


8239 Likely 104 - file-folder-sdk-2.0.0- com/.../file/FileServiceImpl.java 119
SNAPSHOT.jar/bot-
command-
application-2.1.0-
SNAPSHOT.jar

Specifics : Return root drive of path. This method called by internal purpose only.

7609 Likely 104 - bot-command- com/.../file/FileServiceImpl.java 428
screen-2.2.0-
SNAPSHOT.jar
custom cleansing function "java.lang.String getUniqueFileName(java.lang.String)".

screen-2.2.0-
SNAPSHOT.jar

application-2.1.0-
SNAPSHOT.jar


Specifics : It gets the length of the file provided by the trusted user while creating bot.


screen-2.2.0-
SNAPSHOT.jar

screen-2.2.0-
SNAPSHOT.jar

3594 Neutral 106 - serverrepository- com/.../FileServiceV2Impl.java 492
1.0.0-SNAPSHOT.jar
custom cleansing function "model.AAFile createDirectory(api.dto.CreateFolderRequest)".

2988 Neutral 106 - serverrepository- com/.../FileServiceV2Impl.java 2667
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The path is validated through a validation routine.

6426 Neutral 107 - kernel-1.0.0- .../FileSystemStoreImpl.java 63
SNAPSHOT.jar


8243 Likely 108 - file-folder-sdk-2.0.0- com/.../folder/sdk/FileUtil.java 68
SNAPSHOT.jar
custom cleansing function "java.lang.String
appendCopyAtBeginningOfDirectoryName(sdk.file.FileService, java.lang.String)".


SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar
custom cleansing function "java.lang.String appendCopyAtBeginningOfFileName(sdk.file.FileService,
java.lang.String)".

SNAPSHOT.jar
java.lang.String)".

SNAPSHOT.jar
java.lang.String)".

SNAPSHOT.jar


java.lang.String)".

7513 Neutral 110 - license-1.0.0- com/.../utils/FileUtils.java 27
SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

Specifics : The value of file path is generated from application, not from user input.

2999 Likely 111 - command-generic- com/.../helper/FileUtils.java 35
1.0.0-SNAPSHOT-
SNAPSHOT.jar


7861 Likely 110 - audit-1.0.0- com/.../utils/FileUtils.java 38
SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar


5822 Likely 112 - aae-bot-scanner-ui- com/.../sdk/utils/FileUtils.java 57
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : Bot scanner is for internal dev team only and it's never exposed to any customers . And
secondly ,user can't alter the path as there is no UI for the same .

Verification : Manual Code review with security team .


5821 Likely 112 - aae-bot-scanner-ui- com/.../sdk/utils/FileUtils.java 57
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar





2952 Neutral 109 - bot-compiler-1.0.0- com/.../common/util/FileUtils.java 251
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : This path refers to system configuration location which is set by trusted admin.

6669 Likely 109 - credentialvault-1.0.0- com/.../common/util/FileUtils.java 262
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The path is to get configurations and set by trusted admin.

7165 Likely 109 - credentialvault-1.0.0- com/.../common/util/FileUtils.java 262
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


Specifics : This reads from application configuration which is set by trusted admin during installation. It
does not read from any user input.

2951 Neutral 109 - bot-compiler-1.0.0- com/.../common/util/FileUtils.java 283
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The input fileName' is not controlled externally. It is set by a trusted admin.

7558 Neutral 116 - kernel-1.0.0- .../GdprReportDirectoryService.java 50
SNAPSHOT.jar

Specifics : The path is generated by system and does not take any input from user.

7557 Neutral 116 - kernel-1.0.0- .../GdprReportDirectoryService.java 50
SNAPSHOT.jar


7556 Neutral 117 - kernel-1.0.0- .../GdprReportServiceImpl.java 216
SNAPSHOT.jar



6453 Neutral 118 - kernel-1.0.0- com/.../GdprReportZip.java 53
SNAPSHOT.jar


6604 Likely 119 - node-manager-1.0- .../GlobalCacheServiceImpl.java 180
SNAPSHOT.jar

Specifics : Path read from database

SNAPSHOT.jar

Specifics : Path read from the database

SNAPSHOT.jar

Specifics : Path constructed from constant

SNAPSHOT.jar



SNAPSHOT.jar


SNAPSHOT.jar

Specifics : Path is read from the database

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar
custom cleansing function "java.util.List checkForLargeBinaryExtraction(java.lang.String)".

SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar
custom cleansing function "java.lang.String checkForDynamicResourceExtraction(java.lang.String)".

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar
custom cleansing function "void cacheRemovalCleanup(model.CachedFile)".

SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar
custom cleansing function "java.nio.file.Path extractedDynamicResourcePath(java.lang.String)".

SNAPSHOT.jar

6184 Likely 124 - settings-1.0.0- .../IgniteClusterServiceImpl.java 106
SNAPSHOT.jar



2830 Likely 126 - ignite-2.8.1.1- com/.../ignite/IgniteUtil.java 172
SNAPSHOT.jar

Specifics : The path refers to the configuration folder which is set by trusted admin during the initial setup.

2829 Likely 126 - ignite-2.8.1.1- com/.../ignite/IgniteUtil.java 176
SNAPSHOT.jar

Specifics : The path refers to the configuration folder which is set by trusted admin during the initial setup.

6966 Likely 127 - recorder-sdk-2.0.8- .../ImageButtonProcessor.java 256
SNAPSHOT.jar

Specifics : The code is not externally accessible/configurable and temp used during execution to store
temp files.
Remaining Risk : Zero to none
Verification : Verified by team

5536 Likely 128 - bot-command- com/.../ImageProcessor.java 35
migrate-3.1.0-
SNAPSHOT.jar

Specifics : The file name is not reading from any config of setting file. We are making at runtime and it is
generating via code only.

5535 Likely 128 - bot-migration- com/.../ImageProcessor.java 48
service-1.2.0-
SNAPSHOT.jar




5534 Likely 128 - bot-migration- com/.../ImageProcessor.java 49
service-1.2.0-
SNAPSHOT.jar


4824 Likely 129 - recorder-sdk-2.0.8- com/.../utils/ImageUtils.java 21
SNAPSHOT.jar


SNAPSHOT.jar

Specifics : External path is used to store debug images only if log level is above information
Verification : Reviewed with security team earlier.

SNAPSHOT.jar


SNAPSHOT.jar



5921 V.Likely 130 - boot-bot-insight- .../ImportLegacyDashboardTask.java 61
1.0.0-SNAPSHOT-
all.jar

taken as part of user input

1.0.0-SNAPSHOT-
all.jar


5862 Neutral 130 - bot-insight-1.0.0- .../ImportLegacyDashboardTask.java 154
SNAPSHOT.jar


5861 Neutral 130 - bot-insight-1.0.0- .../ImportLegacyDashboardTask.java 184
SNAPSHOT.jar




1.0.0-SNAPSHOT-
all.jar


6534 Neutral 131 - kernel-1.0.0- com/.../ImportServiceImpl.java 101
SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


3113 Likely 132 - bot-migration- com/.../InputValidator.java 12
service-1.2.0-
SNAPSHOT.jar


Specifics : There is no use provided path has been used.

2847 Neutral 133 - bot-command-iqbot- .../IQBotClientServiceImpl.java 94
2.0.2-SNAPSHOT.jar

Specifics : All the input data from trusted user and the input doesn't gets propagated to the system.

3091 Likely - 19 bot-trigger-file-folder- j f(void) 75%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (teamdev).

7796 Neutral 135 - boot-bot-insight- com/.../util/JarPathUtil.java 35
1.0.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): Duplicate of 7792

7792 Neutral 135 - boot-bot-insight- com/.../util/JarPathUtil.java 35
1.0.0-SNAPSHOT-
all.jar

Specifics : The path is generated by application routine and does not take any user input.

6687 Likely 136 - bot-command- .../JarResourceExtractor.java 60
legacyautomation-
3.3.0-SNAPSHOT.jar

Specifics : It coming from internal only also not visible for any external

2880 Likely 137 - bot-engine-1.0- com/.../utils/JarUtil.java 22
SNAPSHOT.jar


Specifics : The path is validated and set by a trusted admin.

5800 Likely 138 - common-utils-1.0.0- com/.../common/util/JarUtils.java 90
SNAPSHOT.jar
custom cleansing function "void copyJarContentToDir(java.lang.String, java.nio.file.Path,
java.lang.String)".

2818 Neutral 138 - boot-bot-insight- com/.../common/util/JarUtils.java 96
1.0.0-SNAPSHOT-
all.jar
java.lang.String)".

6528 Neutral 138 - common-utils-1.0.0- com/.../common/util/JarUtils.java 98
SNAPSHOT.jar
java.lang.String)".

6418 Neutral 138 - common-utils-1.0.0- com/.../common/util/JarUtils.java 98
SNAPSHOT.jar
java.lang.String)".

5790 Neutral 138 - boot-bot-insight- com/.../common/util/JarUtils.java 144
1.0.0-SNAPSHOT-
all.jar
custom cleansing function "java.util.Map extractHashedJarContentToDir(java.nio.file.Path,
java.nio.file.Path, java.lang.String, java.nio.file.Path, java.util.function.Function)".

5766 Likely 138 - boot-bot-insight- com/.../common/util/JarUtils.java 180
1.0.0-SNAPSHOT-
all.jar

custom cleansing function "java.util.Map extractHashedJarContentToDir(java.nio.file.Path,
java.nio.file.Path, java.lang.String, java.nio.file.Path, java.util.function.Function)".

3275 Likely - 16 bot-command- java.io.File a(java.io.File) 34%
keystroke-2.7.0-
SNAPSHOT.jar

2962 Likely - 5 browser-api-1.0.0- java.io.File a(java.io.File) 34%
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-SNAPSHOT.jar

3098 Likely - 17 bot-trigger-file-folder- java.io.File a(java.lang.String) 4%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper).

1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar

3104 Likely - 17 bot-trigger-file-folder- java.io.File a(java.net.URL,
1.1.0-SNAPSHOT.jar java.lang.String) 28%


2761 Neutral - 1 bot-command-email- java.io.File c() 3%
3.3.0-SNAPSHOT.jar


2765 Neutral - 1 bot-command-email- java.io.File c() 70%
3.3.0-SNAPSHOT.jar

3278 Likely - 9 bot-command- java.net.URL [] a(java.lang.String) 61%
keystroke-2.7.0-
SNAPSHOT.jar

4804 Likely - 27 recorder-sdk-2.0.8- java.util.List a() 21%
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar


4805 Likely - 22 recorder-sdk-2.0.8- java.util.List a() 28%
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar


3283 Likely - 2 bot-command- java.util.Map a(java.lang.String) 40%
keystroke-2.7.0-
SNAPSHOT.jar

3281 Likely - 2 bot-command- java.util.Map a(void) 26%
keystroke-2.7.0-
SNAPSHOT.jar


3282 Likely - 2 bot-command- java.util.Map a(void) 58%
keystroke-2.7.0-
SNAPSHOT.jar

5854 Likely 139 - kernel-1.0.0- com/.../impl/JsonDataUploader.java 115
SNAPSHOT.jar

Specifics : The path is a trusted location.

6431 Neutral 139 - kernel-1.0.0- com/.../impl/JsonDataUploader.java 116
SNAPSHOT.jar


2710 Likely 142 - bot-api-1.0- com/.../impl/KeyStoreImpl.java 44
SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

Specifics : This code is not having call reference. Refer AAE-42005 (11.3.4.2-46558_46559_46560.docx)
(11.3.4.2 Flaw Id - 46560)
Approve Mitigation (Automation Anywhere): approved

SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

(11.3.4.2 Flaw Id - 46559)



SNAPSHOT.jar/activ
emq-5.15.13.1-
SNAPSHOT.jar

(11.3.4.2 flaw id - 46558)

3253 Likely 144 - bot-launcher-1.0- .../LauncherConfiguration.java 49
SNAPSHOT.jar

Specifics : The input is from properties directory which is a trusted source.

SNAPSHOT.jar
custom cleansing function "java.lang.String getBotDirectory()".

SNAPSHOT.jar

Specifics : This is a validated path.

SNAPSHOT.jar

Specifics : This is a validated path.


SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar
custom cleansing function "botengine.dataobject.BotContext
loadBotContext(devices.api.dto.DeployCommand)".

SNAPSHOT.jar

SNAPSHOT.jar



8249 Likely 146 - file-folder-sdk-2.0.0- com/.../chilkat/LibraryLoader.java 73
SNAPSHOT.jar

Specifics : It reads library from a temp location. The temp location is created by the same method and

SNAPSHOT.jar

Specifics : It reads library from a temp location. The temp location is created by the same method and

2944 Likely 146 - bot-command-file- com/.../chilkat/LibraryLoader.java 114
3.2.0-SNAPSHOT.jar

Specifics : There is no File.io at given source code.


SNAPSHOT.jar

Specifics : There is no File.io at given source code.


SNAPSHOT.jar


Specifics : We are creating a "AutomationAnywhere" directory in temp location. There is not user input
needed here.

3845 Likely 148 - log-collector-1.0- .../LogDeleteAndArchiveTask.java 57
SNAPSHOT.jar

Specifics : This is the location of where the agent logs are written and log collector reads these logs that
are written by the agent to push to the control room to store it in elastic search.
Verification : By Code Inspection

8840 Likely 149 - node-manager-1.0- com/.../service/LoginService.java 36
SNAPSHOT.jar

Specifics : This routines validates the existence of the path which is fetched from system property. It does
not take any user input.

4811 Likely 151 - recorder-sdk-2.0.8- com/.../utils/LogUtils.java 60
SNAPSHOT.jar


3108 Likely - 7 bot-trigger-file-folder- long b(java.lang.String) 10%
1.1.0-SNAPSHOT.jar

3109 Likely - 7 bot-trigger-file-folder- long b(java.lang.String) 31%
1.1.0-SNAPSHOT.jar


2784 Neutral - 8 bot-command-email- long c(java.lang.String) 7%
3.3.0-SNAPSHOT.jar

2785 Neutral - 8 bot-command-email- long c(java.lang.String) 22%
3.3.0-SNAPSHOT.jar

3074 Likely 152 - aae-bot-scanner-ui- com/.../sdk/LookupXml.java 51
5.1.0-SNAPSHOT-
all.jar

Specifics : The xml file is for internal processing and not user supplied. No user input required for this
process.
Remaining Risk : Little or None


2840 Likely 153 - email-notification- com/.../impl/MailServiceImpl.java 121
1.0.0-SNAPSHOT.jar

Specifics : The path is configuration directory which is set by trusted admin.

3084 Likely 154 - aae-bot-scanner-ui- com/.../botscanner/ui/Main.java 38
5.1.0-SNAPSHOT.jar

Specifics : Only authenticated user can perform the operation.



3086 Likely 154 - aae-bot-scanner-ui- com/.../botscanner/ui/Main.java 44
5.1.0-SNAPSHOT.jar

Specifics : Only authenticated user can perform the operation.


3539 Likely 157 - aae-bot-scanner-ui- com/.../MetaBotAnalyzer.java 124
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : As this function accepts data from the application not from the user

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar


5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : This is already mitigated by flaw id 49227 with report of 14 may

5.1.0-


SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : This is already mitigated by design with flaw id 49223 in the report of 14 May


5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar



5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : As Data come from the application and not entered by the user

6078 Likely 158 - migration-1.0.0- .../MigratedDataReconciliationService.jav
SNAPSHOT.jar a 224


SNAPSHOT.jar a 227



SNAPSHOT.jar a 227

Specifics : The path is constructed by system and does not take any user input.

3298 Neutral 169 - boot-bot-insight- .../MultiPartFileUploadServiceImpl.java 34
1.0.0-SNAPSHOT-
all.jar

Specifics : The path is set by trusted admin of the system

5167 Likely 171 - bot-command-ftp- com/.../utility/NativeUtils.java 133
2.2.0-SNAPSHOT.jar

Specifics : It loads library from a temp location. The temp location is created by the same class and hence
the location is a trusted location.
Verification : This is same case like ID 3140

3203 Likely 172 - node-manager-1.0- .../NodeMessagingServiceImpl.java 375
SNAPSHOT.jar

Specifics : The path is being validated for the expected path.

4829 Likely 174 - recorder-sdk-2.0.8- com/.../oab/OABAdapter.java 98
SNAPSHOT.jar


Specifics : Path is used to enabled Java accessibility for specific use case. From JDK 1.8 and later java it
self providing this.
Verification : Reviewed

4827 Likely 175 - recorder-sdk-2.0.8- com/.../aisense/OcrResult.java 67
SNAPSHOT.jar

Specifics : External path used for ocr metadata processing

SNAPSHOT.jar

Specifics : External path is generated runtime to pass OCR information between recorder and external
module
Verification : Reviewed with security team earlier.

SNAPSHOT.jar

Specifics : External path used for ocr metadata processing

7794 Neutral 180 - kernel-1.0.0- .../impl/PackageServiceImpl.java 138
SNAPSHOT.jar



SNAPSHOT.jar


SNAPSHOT.jar

Specifics : The code in question is constructing file paths by adding hard-coded sub-directory names to
the application repo path. The application repo path is set during first admin setup via API
CRConfigurationService::saveFirstAdminSettings

SNAPSHOT.jar

CRConfigurationService::saveFirstAdminSettings . Therefore, these are false positives.

SNAPSHOT.jar

Verification : Manual code Review

SNAPSHOT.jar



SNAPSHOT.jar


5541 Neutral 181 - boot-bot-insight- .../PackagingServiceImpl.java 184
1.0.0-SNAPSHOT-
all.jar


3003 Likely 182 - migration-1.0.0- com/.../common/PackagingUtil.java 38
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


2888 Likely 186 - bot-compiler.jar com/.../helper/PathUtils.java 34

Specifics : Fetches the temp directory path which is set by the system.
Remaining Risk : Remaining Risk : Little to none



4810 Likely 190 - browser-api-1.0.0- com/.../win32/q.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-SNAPSHOT.jar

3280 Likely 191 - bot-command- com/.../jniwrapper/win32/q.java 1
keystroke-2.7.0-
SNAPSHOT.jar

6443 Neutral 193 - kernel-1.0.0- .../QueueExportServiceImpl.java 111
SNAPSHOT.jar

Specifics : The path constructed by the system not user input

3000 Neutral 193 - wlm-1.0.0- .../QueueExportServiceImpl.java 296
SNAPSHOT.jar

Specifics : The path refers to system location and does not take any input.

6451 Neutral 194 - kernel-1.0.0- .../QueueImportServiceImpl.java 176
SNAPSHOT.jar


6438 Neutral 194 - kernel-1.0.0- .../QueueImportServiceImpl.java 176
SNAPSHOT.jar




3029 Likely 198 - migration-1.0.0- .../ReferenceDependenciesScanner.java
SNAPSHOT.jar 34


3007 Likely 198 - migration-1.0.0- .../ReferenceDependenciesScanner.java
SNAPSHOT.jar 34


2972 Neutral 203 - serverrepository- com/.../repository/RepoPath.java 36
1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): RepoPath is used to validate the path within the
system.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
system.

6419 Neutral 203 - boot-bot-insight- com/.../repository/RepoPath.java 124
1.0.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): RepoPath is a path validation routine.

3004 Neutral 203 - devices-1.0.0- com/.../repository/RepoPath.java 248
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Potential False Positive (Automation Anywhere): RepoPath validates the input path and returns a
valid path.

3005 Neutral 203 - devices-1.0.0- com/.../repository/RepoPath.java 250
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): RepoPath validates the input path and returns a
valid path.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
system.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
system.

6454 Neutral 204 - kernel-1.0.0- .../RepositoryCompleteMigrationServiceI
SNAPSHOT.jar mpl.java 149

Specifics : The path is generated by system and does not take any user input.

2994 Neutral 205 - serverrepository- .../RepositoryDeleteFolderAuditAdapterIm
1.0.0-SNAPSHOT.jar pl.java 108

Specifics : The path is retrieved from system routines which is trusted. This does not being fetched from
user input.


6414 Neutral 205 - serverrepository- .../RepositoryDeleteFolderAuditAdapterIm
1.0.0-SNAPSHOT.jar pl.java 109
custom cleansing function "model.AAFile createDirectory(api.dto.CreateFolderRequest)".

2810 Neutral 207 - kernel-1.0.0- .../RepositoryTenantMigration.java 81
SNAPSHOT.jar

2813 Likely 208 - bot-command- com/.../util/ResourceUtil.java 32
SNAPSHOT.jar/bot-
runtime-1.4.0-
SNAPSHOT.jar
custom cleansing function "botcore.api.dto.Value loadValue(java.lang.Class, java.lang.String)".

3301 Neutral 209 - kernel-1.0.0- .../ReverseProxyConfigurationServiceImpl
SNAPSHOT.jar .java 54

Specifics : The path refers to predefined path which is set by the trusted user. its not been taken by user
input


input


Specifics : This refers to configuration file which is set by a trusted admin.









3043 Likely 211 - migration-1.0.0- com/.../command/RunTask.java 52
SNAPSHOT.jar


3039 Likely 211 - migration-1.0.0- com/.../command/RunTask.java 52
SNAPSHOT.jar


4828 Likely 212 - recorder-sdk-2.0.8- com/.../jxcapture/s.class.java 1
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar



3089 Likely 215 - screencapture-api- .../ScreenFileOperations.java 30
1.0.0-SNAPSHOT-
SNAPSHOT.jar
custom cleansing function "void isValidFileName(java.lang.String)".

3136 Likely 222 - bot-command- com/.../SetupHelper.java 31
browser-2.3.0-
SNAPSHOT.jar

Specifics : It loads configuration from application internal file, which is set by trusted admin.


3211 Likely 223 - node-manager-1.0- com/.../util/SetupHelper.java 35
SNAPSHOT.jar



SNAPSHOT.jar

Specifics : The path refers to system configuration location and does not take any user input.

SNAPSHOT.jar


Specifics : The path refers to system configuration location and does not take any user input.

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar

Specifics : The path refers to system configuration location and does not take any user input

SNAPSHOT.jar

Specifics : Path is pre configured

SNAPSHOT.jar


Specifics : Path is constructed from a constant


SNAPSHOT.jar

2932 Likely 229 - bot-tester-1.0- .../TesterConfiguration.java 29
SNAPSHOT.jar

Specifics : It loads files from properties location and internal application files which is a trusted source.


SNAPSHOT.jar



SNAPSHOT.jar


SNAPSHOT.jar



SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

SNAPSHOT.jar

7802 Neutral 230 - boot-bot-insight- .../TlsHostCommitSubscriber.java 90
1.0.0-SNAPSHOT-
all.jar

Specifics : The path is fetched from system properties and not fetched from any user inputs.

1.0.0-SNAPSHOT-
all.jar


1.0.0-SNAPSHOT-


all.jar


1.0.0-SNAPSHOT-
all.jar


1.0.0-SNAPSHOT-
all.jar


7805 Neutral 231 - boot-bot-insight- .../TlsHostStagingCreationSubscriber.java
1.0.0-SNAPSHOT- 83
all.jar


7803 Neutral 231 - boot-bot-insight- .../TlsHostStagingCreationSubscriber.java
1.0.0-SNAPSHOT- 98
all.jar



7809 Neutral 232 - boot-bot-insight- .../TlsHostUpdateServerCertificate.java
1.0.0-SNAPSHOT- 67
all.jar


7800 Neutral 232 - boot-bot-insight- .../TlsHostUpdateServerCertificate.java
1.0.0-SNAPSHOT- 80
all.jar


7812 Neutral 233 - boot-bot-insight- .../TlsHostUpdateSubscriber.java 67
1.0.0-SNAPSHOT-
all.jar


7804 Neutral 233 - boot-bot-insight- .../TlsHostUpdateSubscriber.java 82
1.0.0-SNAPSHOT-
all.jar


7813 Neutral 234 - boot-bot-insight- com/.../authn/util/TomlUtil.java 44
1.0.0-SNAPSHOT-
all.jar

Specifics : The path is set by the system and does not take any user input.


Remaining Risk : None or little

1.0.0-SNAPSHOT-
all.jar


1.0.0-SNAPSHOT-
all.jar


1.0.0-SNAPSHOT-
all.jar


1.0.0-SNAPSHOT-
all.jar


2897 Likely 238 - bot-command- .../TTermDependencyResolver.java 26
terminalemulator-
3.7.0-SNAPSHOT.jar



4921 Likely 239 - bot-command- com/.../TTermJNIConstants.java 20
terminalemulator-
3.7.0-SNAPSHOT.jar


4922 Likely 239 - bot-command- com/.../TTermJNIConstants.java 20
terminalemulator-
3.7.0-SNAPSHOT.jar


2809 Neutral 241 - kernel-1.0.0- .../UpdatePackageJsonOfExistingPackag
SNAPSHOT.jar es.java 64

8246 Likely 245 - file-folder-sdk-2.0.0- com/.../sdk/archive/Util.java 68
SNAPSHOT.jar

Specifics : This method is invoked by internal method and this method did not exposed to client

8251 Likely 245 - file-folder-sdk-2.0.0- com/.../sdk/archive/Util.java 68
SNAPSHOT.jar

Specifics : This method is invoked by internal method and this method did not exposed to client



3095 Likely - 17 bot-trigger-file-folder- void !ctor(java.lang.ClassLoader,
1.1.0-SNAPSHOT.jar java.lang.String, java.lang.String) 72%

6445 Neutral 248 - kernel-1.0.0- .../WlmFileUploadServiceImpl.java 193
SNAPSHOT.jar

Specifics : The path is generated by the system and does not take any user input.

6448 Neutral 248 - kernel-1.0.0- .../WlmFileUploadServiceImpl.java 193
SNAPSHOT.jar


6425 Neutral 249 - kernel-1.0.0- com/.../wlm/WLMPackageHelper.java 35
SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar



SNAPSHOT.jar


6322 Neutral 250 - wlm-1.0.0- .../WorkOrderExecutorImpl.java 202
SNAPSHOT.jar


4817 Likely 251 - browser-api-1.0.0- com/.../jniwrapper/x.class.java 1
SNAPSHOT-
SNAPSHOT.jar/bot-
command-email-
3.3.0-SNAPSHOT.jar

3270 Likely 252 - bot-command- com/.../com/jniwrapper/x.java 1
msexcel-5.4.0-
SNAPSHOT.jar

2959 Likely 256 - bot-command- com/.../com/jniwrapper/y.java 1
keystroke-2.7.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper)

6441 Neutral 257 - kernel-1.0.0- com/.../impl/ZipPackagerImpl.java 80
SNAPSHOT.jar


Specifics : The path constructed by the system not user provided

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar



3303 Neutral 258 - boot-bot-insight- com/.../ZipUnpackagerImpl.java 90
1.0.0-SNAPSHOT-
all.jar

input

3306 Likely 258 - boot-bot-insight- com/.../ZipUnpackagerImpl.java 104
1.0.0-SNAPSHOT-
all.jar

input

1.0.0-SNAPSHOT-
all.jar

input

1.0.0-SNAPSHOT-
all.jar

Specifics : Path refers to the predefined path which is set by the trusted user of the application. Its not
been taken by the user input



6702 Likely 259 - bot-command- com/.../util/ZipUtils.java 27
recorder-2.0.11-
SNAPSHOT.jar

Specifics : Zip File are part of recorder package. Extracting inside package files. There is no user input
provided to create the file name.
Remaining Risk : No risk
Improper Restriction of XML External Entity Reference (CWE ID 611)(13 flaws)

3321 Neutral 18 - kernel-1.0.0- com/.../model/AtmxBot.java 113
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): External entity resolution is disabled.

3207 Neutral 64 - node-manager-1.0- .../CredentialProviderDocumentImpl.java
SNAPSHOT.jar 90

Specifics : we write the file during login and delete it after login is complete
Verification : Manual code analysis

8735 Neutral 152 - aae-bot-scanner-ui- com/.../sdk/LookupXml.java 52
5.1.0-SNAPSHOT-
all.jar

Specifics : The Node passed here comes from DomXmlOperations which has disabled the external entity
resolution



2890 Neutral 173 - bot-command-xml- com/.../node/NodeToXmlString.java 43
2.2.0-SNAPSHOT.jar

resolution.

3134 Neutral 224 - bot-command-soap- com/.../SoapMessageUtil.java 49
3.2.0-SNAPSHOT.jar

Specifics : We have proper validation for XXE in place. Veracode tool is not able to identify from other
method.

2782 Neutral - 8 bot-command-email- void <clinit>(void) 41%
3.3.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): XMLs are created by program. They are not taken
from external entity

3106 Neutral - 7 bot-trigger-file-folder- void <clinit>(void) 42%
1.1.0-SNAPSHOT.jar

3070 Neutral 253 - aae-bot-scanner-ui- com/.../sdk/XmlTransformation.java 53
5.1.0-SNAPSHOT-
all.jar

Specifics : Strict control over input xml and xslt is maintained.

5.1.0-SNAPSHOT-


all.jar

resolution

5.1.0-SNAPSHOT-
all.jar

resolution

742 Neutral 255 - activemq-5.15.13.1- com/.../util/XmlUtils.java 73
SNAPSHOT.jar

Specifics : no control
Remaining Risk : no control
Verification : no control
Potential False Positive (Automation Anywhere): these are internally generated xml.

3077 Neutral 254 - aae-bot-scanner-ui- com/.../sdk/utils/XmlUtils.java 538
5.1.0-SNAPSHOT-
all.jar

Specifics : Strict control over input xml and xslt is maintained

3071 Neutral 254 - aae-bot-scanner-ui- com/.../sdk/utils/XmlUtils.java 891
5.1.0-SNAPSHOT-
all.jar



Specifics : Strict control over input xml and xslt is maintained.
Credentials Management(68 flaws)
Unprotected Storage of Credentials (CWE ID 256)(2 flaws)

2806 Neutral 41 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/kern
el-1.0.0-
SNAPSHOT.jar

Specifics : User credentials are encrypted
Verification : db password stored in file is also encrypted

2791 Neutral 76 - boot-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The password is protected with WinDPAPIs
Verification : Code review with security team
Use of Hard-coded Password (CWE ID 259)(66 flaws)

4406 Likely 40 - certmgr-1.0.0- com/.../certmgr/CertManager.java 1
SNAPSHOT.jar


Specifics : This is a keystore password , mainly used to open certificate keystore and not for business
application

2876 Likely 40 - certmgr-1.0.0- com/.../certmgr/CertManager.java 1
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): These fields are required to edit the keystore. The
default java password is 'changeit'. This is hardcoded here, but only for functional purposes. It is *not*
used for security purposes as PEM keys cannot be secured by this method.

2877 Likely 40 - audit-1.0.0- com/.../certmgr/CertManager.java 119
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Technique : M3 : Lock down your environment
Specifics : The installer saves the private TLS key on the file-system unencrypted in PEM format so that it
can be accessed by Traefik on startup. The java store with the aakeypass password contains the same
information. As the data has to be stored unencrypted to support startup, using a hardcoded password for
java has the equivalent level of protection. This code is not supposed to be protecting the key data
Remaining Risk : Little, assuming that the customer will lock down their environment and limit access to
only trusted admins in order to protect key material.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar




SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : This is a keystore password which is provided in the command line. This uses hard-coded only
when not provided in the command line. This mainly used to open certificate keystore and not for
business.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

business.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : This is a keystore password,. This mainly used to open certificate keystore and not for


business.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): These fields are required to edit the keystore. The
default java password is 'changeit'. This is hardcoded here, but only for functional purposes. It is *not*
used for security purposes as PEM keys cannot be secured by this method.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar



SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The mentioned field does not contain any hard
coded passwords

SNAPSHOT.jar
coded passwords

2796 Likely 57 - credentialvault-1.0.0- com/.../Constants.java 1
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): This is a key and not a password. This just
identifies the password policy settings

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
identifies the key name in the database

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-


SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

2802 Likely 56 - aggregator-1.0.0- com/.../constants/Constants.java 1
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Potential False Positive (Automation Anywhere): These are keys used in database, there is no
hardcoded password. Also these are properties/configuration settings for password management

6795 Likely 58 - kernel-1.0.0- com/.../common/Constants.java 1
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no hard-coded password at the mentioned
source.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): This is a variable used in code and not a real
password

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : A string name "password" is causing the issue however we are not using hard coding of
password.
Verification : manual code review

2948 Likely 60 - organizations-1.0.0- .../ControlRoomIntegrationServiceImpl.jav
SNAPSHOT.jar a1
Potential False Positive (Automation Anywhere): There is no hard-coded password in the mentioned
source code path

SNAPSHOT.jar a1
source code path

SNAPSHOT.jar a1
source code path



SNAPSHOT.jar a1
source code path

SNAPSHOT.jar

Specifics : Its a common password used for all the Java installations, everyone knows this password

SNAPSHOT.jar

Specifics : Its a common password used for all the Java installations, everyone knows this password

2971 Likely 91 - boot-1.0.0- .../EmailTemplateParamKeys.java 1
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): There is no hard coded password in the mentioned
location of class file

4881 Likely 92 - aae-bot-scanner-ui- com/.../EmailUtil.java 1
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : There is no hardcoded password in the code. This is fieldName.
Remaining Risk : Nothing.
Verification : Manually validated

4880 Likely 92 - aae-bot-scanner-ui- com/.../EmailUtil.java 1
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar


Specifics : There is no hardcoded password in the code. This is fieldName.
Remaining Risk : Nothing.
Verification : Manually validated

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): Third party lib issue

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
source.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

application

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): This is a property name and not a real password

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

application



SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

application

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : This updates the default password to user provided password and performed during
installation only.

SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : In order to support TLS, the password is used to access the trust store.

4266 Likely 98 - aae-bot-scanner-ui- com/.../sdk/utils/ExcelUtils.java 34
5.1.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): The name of the xml node is password. The actual
password is not present here.

5.1.0-SNAPSHOT-
all.jar



5.1.0-SNAPSHOT-
all.jar

5.1.0-SNAPSHOT-
all.jar

3068 Likely 145 - aae-bot-scanner-ui- .../sdk/LegacyBotConstants.java 1
5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): There is no password value in this field, this is just
variable
name

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
variable
name

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
variable
name

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar


variable
name

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar
variable
name

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : The password is needed to extract the atmx and cannot be provided by the user. Also the
action does not provide any api through which the password can be accessed. Its encrypted and is used
by our own classes.
Remaining Risk : little to none.
Verification : manual.

5.1.0-
SNAPSHOT.jar/aae-
SNAPSHOT-all.jar

Specifics : The password is needed to extract the atmx and cannot be provided by the user. Also the
action does not provide any api through which the password can be accessed. Its encrypted and is used
by our own classes.
Verification : manual

4521 Likely 170 - JS files within cr- /myProfileSettings.js 18
frontend.zip
Potential False Positive (Automation Anywhere): There is no hardcoded password at this source.

frontend.zip


frontend.zip

frontend.zip

6794 Likely 183 - kernel-1.0.0- .../PasswordSettingsAuditDetailHelper.jav
SNAPSHOT.jar a1
source.

7655 Likely 218 - activemq-5.15.13.1- .../SecurityGlobalConstants.java 1
SNAPSHOT.jar

Specifics : password has been declared and its never used. Hence, code has been removed

7654 Likely 218 - activemq-5.15.13.1- .../SecurityGlobalConstants.java 1
SNAPSHOT.jar

Specifics : password has been declared and its never used. Hence, code has been removed

3151 Likely 240 - usermanagement- com/.../UMV1ResourcesUrls.java 1
1.0.0-SNAPSHOT.jar
coded passwords

1.0.0-SNAPSHOT.jar
coded passwords


1.0.0-SNAPSHOT.jar
coded passwords

3288 Likely 242 - boot-bot-insight- .../UserAuditDetailsTransformer.java 1
1.0.0-SNAPSHOT-
all.jar
coded passwords
Cryptographic Issues(33 flaws)
Cleartext Storage of Sensitive Information in Memory (CWE ID 316)(6 flaws)

6907 Neutral 40 - audit-1.0.0- com/.../certmgr/CertManager.java 197
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

business.

6283 Neutral 83 - boot-bot-insight- .../DistributedCacheFactory.java 113
1.0.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): False positive

6782 Neutral 184 - boot-bot-insight- .../PasswordSettingsServiceGrpc.java 41
1.0.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): There is no sensitive information storage in this


routine.

1.0.0-SNAPSHOT-
all.jar
routine.

1.0.0-SNAPSHOT-
all.jar
routine.

1.0.0-SNAPSHOT-
all.jar
routine.
Inadequate Encryption Strength (CWE ID 326)(3 flaws)

8666 V.Likely 38 - audit-1.0.0- com/.../certmgr/CertGenerator.java 50
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): It is a RSA 2048 bits key.

8659 V.Likely 113 - activemq-5.15.13.1- com/.../FipsRsaCryptoImpl.java 51
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This is a RSA 2048 bits key size.

8763 V.Likely 159 - kernel-1.0.0- .../MigrationCodeGenerationServiceImpl.j
SNAPSHOT.jar ava 128
Potential False Positive (Automation Anywhere): The key used is RSA 2048 bits.

Insufficient Entropy (CWE ID 331)(11 flaws)

3423 Unlikely 10 - bot-command- com/.../util/AISenseUtils.java 98
recorder-2.0.11-
SNAPSHOT.jar

Specifics : AISense is not enabled in discovery bot code , so that piece of code is not executed.
Verification : Manual code review with Security team

6206 Unlikely 12 - kernel-1.0.0- .../AmazonS3StagingServiceImpl.java
SNAPSHOT.jar 309

Specifics : The random string is not used for security purpose.

5157 Unlikely 36 - bot-command- com/.../jetty/CallbackServer.java 68
legacytask-1.5.0-
SNAPSHOT.jar

Specifics : Random function is used to get the random port from the available range which is not
sensitive. Duplicate Issue- Flaw Id 400, Sandbox name command scan1

8705 Unlikely 47 - bot-compiler-1.0.0- com/.../impl/CommandCodeBlock.java
SNAPSHOT.jar 107

Specifics : The routine generates a random string which is not used for security purpose.

SNAPSHOT.jar 135




SNAPSHOT.jar 171


8851 Unlikely 106 - ignite-server-2.8.1.1- com/.../FileServiceV2Impl.java 1329
SNAPSHOT.jar

Specifics : This routine creates a random string which is not used for any security purpose.

3401 Unlikely 186 - bot-compiler-1.0.0- com/.../helper/PathUtils.java 31
SNAPSHOT.jar/bot-
compiler.jar

Specifics : This random string generator is not used for security puposes.

3251 Unlikely 195 - bot-command-string- com/.../commands/RandomString.java 60
3.2.0-SNAPSHOT.jar
Accept the risk (Automation Anywhere):

Specifics : Random function is used to generate the random string which is not a critical information. This
random string is getting generated at run time.

6260 Unlikely 217 - activemq-5.15.13.1- .../SecureRandomGenerator.java 25
SNAPSHOT.jar


Specifics : The random string is not used for any security purpose.

3480 Unlikely 248 - kernel-1.0.0- .../WlmFileUploadServiceImpl.java 202
SNAPSHOT.jar

Specifics : This random string generator is not used for security puposes.
Use of Hard-coded Cryptographic Key (CWE ID 321)(6 flaws)

3027 Likely 65 - migration-1.0.0- com/.../encryption/CryptoAES.java 25
SNAPSHOT.jar

Specifics : This is used to get the legacy data only and not being used in system functionalities

3009 Likely 65 - migration-1.0.0- com/.../encryption/CryptoAES.java 25
SNAPSHOT.jar


3076 Likely 66 - aae-bot-scanner-ui- com/.../encryption/CryptoAES.java 29
5.1.0-SNAPSHOT-
all.jar



Specifics : The encryption key need to be saved on the local file system. The attacker needs to have
direct access to machine's file system.So risk is very less.

3080 Likely 66 - aae-bot-scanner-ui- com/.../encryption/CryptoAES.java 30
5.1.0-SNAPSHOT-
all.jar


3322 Likely 67 - kernel-1.0.0- com/.../encryption/CryptoDES.java 26
SNAPSHOT.jar


3060 Likely 68 - aae-bot-scanner-ui- com/.../encryption/CryptoDES.java 27
5.1.0-SNAPSHOT-
all.jar

Use of RSA Algorithm without OAEP (CWE ID 780)(1 flaw)

3323 Neutral 225 - kernel-1.0.0- .../SourceDecryptionServiceImpl.java 89
SNAPSHOT.jar


Specifics : Implemented by design. Part of the migration tool from 10.x which doesn't use OAEP. Not
used in any 11.x operations.
Verification : Design review
Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(6 flaws)

3320 Likely 67 - kernel-1.0.0- com/.../encryption/CryptoDES.java 25
SNAPSHOT.jar


8660 Likely 90 - activemq-5.15.13.1- com/.../impl/ECCryptoImpl.java 76
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This routine does not use hash but AES encryption.

SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This routine uses GCMParameterSpec and 128 bits
key size.

SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This routine uses GCMParameterSpec and 128 bits
key size.

8683 Likely - 20 bot-trigger-file-folder- java.math.BigInteger c() 2%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external libraries.

8663 Likely - 29 bot-command- java.math.BigInteger d() 15%


recorder-2.0.11-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external libraries.
Time and State(2 flaws)
Insecure Temporary File (CWE ID 377)(2 flaws)

2758 Neutral - 1 bot-command-email- java.lang.String a() 52%
3.3.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): JDK11 is used to create temporary files. ALso all
temporary files are created with internal constants and no user specified inputs

3097 Neutral - 17 bot-trigger-file-folder- java.lang.String b(void) 54%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This flaw does not refer to any internal source code.
Approve Mitigation (Automation Anywhere): Approved. Refereeing External Library.
Cross-Site Scripting (XSS)(2 flaws)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID
80)(2 flaws)

3115 Likely 29 - botstore-1.0.0- .../BotStoreAdapterImpl.java 590
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False Positive (same as Flaw ID: 46790)

4269 Likely 37 - bot-command- com/.../jetty/CallbackServlet.java 30
legacytask-1.5.0-
SNAPSHOT.jar


Specifics : There is no user input involved so no chance for XSS. Duplicate Issue- Flaw Id 399 (Sandbox:
command scan1)

CRLF Injection(32 flaws)
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

(CWE ID 113)(5 flaws)

3912 Likely 114 - boot-bot-insight- .../spring/FirewalledResponse.java 30
1.0.0-SNAPSHOT-
all.jar
Potential False Positive (Automation Anywhere): CRLF are being validated and request is rejected if
CRLF found.

3001 Neutral 193 - wlm-1.0.0- .../QueueExportServiceImpl.java 299
SNAPSHOT.jar

Specifics : The header values are fetched by system internal routines and it is a trusted source

3465 Neutral 206 - serverrepository- .../RepositoryResourceV1.java 292
1.0.0-SNAPSHOT.jar

Specifics : The input is trusted and validated by a validation routine.

2973 Neutral 206 - serverrepository- .../RepositoryResourceV1.java 294
1.0.0-SNAPSHOT.jar


Specifics : The input is trusted and validated by a validation routine.

2819 Likely 247 - boot-1.0.0- .../WebSocketHeaderWriterFilter.java 45
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The header value being set is a static string, and does not include untrusted data.
Improper Output Neutralization for Logs (CWE ID 117)(27 flaws)

3107 Likely - 7 bot-trigger-file-folder- boolean a(java.lang.String) 92%
1.1.0-SNAPSHOT.jar

2783 Likely - 8 bot-command-email- boolean b(java.lang.String) 92%
3.3.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Log outputs are sanitized.

1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar

2751 Likely - 1 bot-command-email- java.io.File a(java.net.URL,
Potential False Positive (Automation Anywhere): Logging errors are sanitized before showing to end


user. The errors are mapped to standard user understandable strings


2753 Likely - 1 bot-command-email- java.io.File a(java.net.URL,

2762 Likely - 1 bot-command-email- java.io.File c() 25%
3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar

2742 Likely - 24 bot-command- java.util.List a(jxdesktop.OS) 98%
recorder-2.0.11-
SNAPSHOT.jar

2740 Likely - 24 bot-command- java.util.List b(void) 19%
recorder-2.0.11-
SNAPSHOT.jar



recorder-2.0.11-
SNAPSHOT.jar

recorder-2.0.11-
SNAPSHOT.jar

recorder-2.0.11-
SNAPSHOT.jar

2739 Likely - 24 recorder-sdk-2.0.8- java.util.List b(void) 91%
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar
user. The errors are mapped to standard user understandable strings. Reported in external lib

2774 Likely - 24 recorder-sdk-2.0.8- java.util.List b(void) 91%
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar

2775 Likely - 21 bot-command- VideoCapture create(video.VideoFormat)
recorder-2.0.11- 65%
SNAPSHOT.jar





2786 Likely - 1 bot-command-email- void b() 18%
3.3.0-SNAPSHOT.jar

3284 Likely - 1 bot-command- void b() 38%
keystroke-2.7.0-
SNAPSHOT.jar

2760 Likely - 1 bot-command-email- void b() 89%
3.3.0-SNAPSHOT.jar

3102 Likely - 17 bot-trigger-file-folder- void b(java.lang.String) 91%
1.1.0-SNAPSHOT.jar

2759 Likely - 1 bot-command-email- void loadLibrary(java.lang.String) 91%
3.3.0-SNAPSHOT.jar
Encapsulation(10 flaws)

Deserialization of Untrusted Data (CWE ID 502)(10 flaws)

3276 Neutral - 12 bot-command- boolean a(java.lang.String []) 76%
keystroke-2.7.0-
SNAPSHOT.jar

7270 Neutral 42 - node-manager-1.0- .../CheckpointDataAccessServiceImpl.jav
SNAPSHOT.jar a 138

Specifics : The data is read from the encrypted database which was earlier written by the application itself

3245 Neutral 42 - node-manager-1.0- .../CheckpointDataAccessServiceImpl.jav
SNAPSHOT.jar a 165

Specifics : This is the data written by the application and read by the application and stored in system
folder to which only admins have access to and the data fie is encrypted while writing to disk.
Verification : Mitigated By Design

3325 Neutral 214 - kernel-1.0.0- .../model/ScheduleAutomation.java 585
SNAPSHOT.jar

Specifics : Input is coming from database which is a trusted source. Also the input saved by the trusted
system users.

2781 Neutral - 10 bot-command-email- void a(java.net.Socket) 60%
3.3.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): 3rd party library.

2780 Neutral - 10 bot-command-email- void F() 74%
3.3.0-SNAPSHOT.jar


2776 Neutral - 15 bot-command-email- void run() 16%
3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar

3.3.0-SNAPSHOT.jar
Insufficient Input Validation(11 flaws)
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID
90)(3 flaws)

3153 Neutral 2 - usermanagement- .../ActiveDirectoryServiceImpl.java 931
1.0.0-SNAPSHOT.jar

Specifics : Input parameters validated before query injection
Remaining Risk : very little or None

7677 Neutral 2 - usermanagement- .../ActiveDirectoryServiceImpl.java 1028
1.0.0-SNAPSHOT.jar

Specifics : Input parameters validated before query injection



3144 Neutral 7 - usermanagement- com/.../impl/AdSecurityGroup.java 623
1.0.0-SNAPSHOT.jar

Specifics : Input parameters fetch from configurable properties on CR nodes and it will be changed by
trusted users only
URL Redirection to Untrusted Site ('Open Redirect') (CWE ID 601)(1 flaw)

6154 Likely 12 - organizations-1.0.0- .../AmazonS3StagingServiceImpl.java
SNAPSHOT.jar 363

Specifics : The URL is set by trusted admin.
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID

470)(7 flaws)

2881 Likely 23 - bot-engine-1.0- com/.../BotClassLoader.java 91
SNAPSHOT.jar/bot-
classloader.jar

Specifics : Only specific classes which are white listed will be loaded.



3013 Likely 84 - aggregator-1.0.0- .../DurableMessagePublisher.java 68
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The class name used is white listed. It does not come from any user input.

3092 Likely - 18 bot-trigger-file-folder- FileWatcher create(java.io.File) 59%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (teamdev)

recorder-2.0.11-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Reported from within JDK source.

4807 Likely 176 - recorder-sdk-2.0.8- com/.../jxdesktop/OS.class.java 1
SNAPSHOT.jar/bot-
command-recorder-
2.0.11-
SNAPSHOT.jar


2749 Likely 177 - bot-command- com/.../teamdev/jxdesktop/OS.java 1
recorder-2.0.11-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no external input specified by the user.

3277 Likely - 12 bot-command- void c(java.lang.String []) 39%
keystroke-2.7.0-
SNAPSHOT.jar

Server Configuration(1 flaw)
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE ID 757)(1

flaw)

8668 Neutral 143 - boot-bot-insight- .../KubernetesDiscoveryAgent.java 65
1.0.0-SNAPSHOT-
all.jar

Specifics : This is used to discover internal system's services. There is no business data transfer over
this.
Code Injection(1 flaw)
XML Injection (aka Blind XPath Injection) (CWE ID 91)(1 flaw)

3266 Likely 254 - bot-migration-sdk- com/.../sdk/utils/XmlUtils.java 855
1.1.0-SNAPSHOT.jar

Specifics : The paths are set by trusted admins

Appendix C: Referenced Source Files

Id Filename Path
1 AAFileDaoImplV2.java com/automationanywhere/serverrepository/core/dao/impl/
2 ActiveDirectoryServiceImpl.java com/automationanywhere/um/service/impl/
3 AddUsersToGroupPathBuilder com/automationanywhere/botcommand/activedirectory/operations/adduserstogrou
OperationDesktopOperationBut p/
ton.java
4 AddUsersTreeChangeOperatio com/automationanywhere/botcommand/activedirectory/operations/adduserstogrou
nDesktopOperationButton.java p/
5 AddUsersTreeOperationDeskto com/automationanywhere/botcommand/activedirectory/operations/adduserstogrou
pOperationTree.java p/
6 AddUserTableOperationDeskto com/automationanywhere/botcommand/activedirectory/operations/adduserstogrou
pOperationTable.java p/
7 AdSecurityGroup.java com/automationanywhere/um/service/impl/
8 AESEncrypter.java com/automationanywhere/botcommand/gsuite/service/
9 AISenseExecutionContext.java com/automationanywhere/recorder/adapter/secondary/technologyAdapter/aisense
/
10 AISenseUtils.java com/automationanywhere/recorder/util/
11 al.class.java com/teamdev/jxcapture/com/teamdev/jxcapture/
12 AmazonS3StagingServiceImpl.j com/automationanywhere/organizations/service/impl/
ava
13 Analyze.java com/automationanywhere/botmigration/analysis/
14 ApacheDataUploader.java service/
15 ar.class.java com/jniwrapper/com/jniwrapper/
16 ar.java com/jniwrapper/com/jniwrapper/
17 as.java com/jniwrapper/com/jniwrapper/
18 AtmxBot.java com/automationanywhere/migration/dependencyscanner/model/
19 AttributeCodeGeneratorImpl.jav com/automationanywhere/compiler/code/attribute/impl/
a
20 AuthenticationServiceImpl.java com/automationanywhere/botcommand/gsuite/service/impl/
21 BiBlmExportAPIImpl.java com/automationanywhere/botinsight/service/impl/
22 BotAnalysis.java com/automationanywhere/botscanner/ui/
23 BotClassLoader.java com/automationanywhere/classloader/
24 BotDependencyResource.java com/automationanywhere/serverrepository/resource/
25 BotInsightBLMService.java com/automationanywhere/botinsight/service/impl/
26 BotInsightDashboardMigration com/automationanywhere/migration/botinsight/service/
Service.java
27 BotInsightUtils.java com/automationanywhere/botinsight/utils/
28 BotService.java com/automationanywhere/toolchain/
29 BotStoreAdapterImpl.java com/automationanywhere/botstore/service/impl/
30 BotStoreSubscriber.java com/automationanywhere/botstore/messaging/
31 BrowserWindow.java com/automationanywhere/botcommand/forms/fxml/
32 bu.class.java com/jniwrapper/com/jniwrapper/
33 bu.java com/jniwrapper/com/jniwrapper/

Id Filename Path
34 bv.java com/jniwrapper/com/jniwrapper/
35 CacheUtils.java com/automationanywhere/botmigration/sdk/utils/
36 CallbackServer.java com/automationanywhere/botcommand/legacytask/jetty/
37 CallbackServlet.java com/automationanywhere/botcommand/legacytask/jetty/
38 CertGenerator.java com/automationanywhere/certmgr/
39 CertificateAuthFileServiceImpl.j com/automationanywhere/authn/service/impl/
ava
40 CertManager.java com/automationanywhere/certmgr/
41 ChangeLogProperties.java com/automationanywhere/db/cmdline/
42 CheckpointDataAccessServiceI com/automationanywhere/nodemanager/service/impl/
mpl.java
43 ChronicleQueueAsyncImpl.java com/automationanywhere/asynchronous/messaging/
44 CleanerImpl.java com/automationanywhere/botengine/service/impl/
45 Collector.java com/automationanywhere/log/services/
46 CollectorState.java com/automationanywhere/log/services/
47 CommandCodeBlock.java com/automationanywhere/compiler/code/block/impl/
48 CommandGenerator.java com/automationanywhere/recorder/service/
49 CompositeFileDependency.jav com/automationanywhere/migration/dependencyscanner/model/dependency/
a
50 CompositeX509ExtendedTrust com/automationanywhere/core/security/
Manager.java
51 CompressedArchive.java com/automationanywhere/migration/dependencyscanner/helper/
52 Configuration.java com/automationanywhere/externalfunction/
53 Configuration.java com/automationanywhere/log/services/
54 Configuration.java com/automationanywhere/nodemanager/
55 ConsoleUtils.java com/automationanywhere/crutils/utils/
56 Constants.java com/automationanywhere/common/constants/
57 Constants.java com/automationanywhere/configuration/
58 Constants.java com/automationanywhere/settings/common/
59 ContextHelper.java com/automationanywhere/botengine/utils/
60 ControlRoomIntegrationService com/automationanywhere/organizations/service/impl/
Impl.java
61 cQ.java com/jniwrapper/win32/jexcel/com/jniwrapper/win32/jexcel/
62 CRConfigurationServiceImpl.ja com/automationanywhere/settings/service/impl/
va
63 CredentialAttributeValueDaoIm com/automationanywhere/credentialvault/dao/impl/
pl.java
64 CredentialProviderDocumentIm com/automationanywhere/nodemanager/service/impl/
pl.java
65 CryptoAES.java com/automationanywhere/migration/dependencyscanner/encryption/
66 CryptoAES.java com/automationanywhere/botmigration/sdk/encryption/
67 CryptoDES.java com/automationanywhere/migration/dependencyscanner/encryption/
68 CryptoDES.java com/automationanywhere/botmigration/sdk/encryption/

Id Filename Path
69 CsvFileConnection.java com/automationanywhere/wlm/workorder/data/connection/impl/
70 CSVStore.java com/automationanywhere/botcommand/browser/findbrokelinks/store/
71 CyberarkConnectionConfig.jav com/automationanywhere/keyvaultintegration/cyberark/
a
72 DatabaseConnectionService.ja com/automationanywhere/botcommand/database/executor/services/
va
73 DBConfigProperties.java com/automationanywhere/common/db/
74 DbConnectionHelper.java com/automationanywhere/installutils/common/
75 DbConnectionHelper.java com/automationanywhere/crutils/db/
76 DefaultTenantInitializer.java com/automationanywhere/common/security/context/
77 DependencyDaoImpl.java com/automationanywhere/serverrepository/core/dao/dependency/impl/
78 DependencyResolverImpl.java com/automationanywhere/terminalemulator/dependency/sdk/
79 DeviceUpgradeHandler.java com/automationanywhere/nodemanager/service/impl/message/handlers/
80 dg.class.java com/jniwrapper/win32/com/jniwrapper/win32/
81 dg.java com/jniwrapper/win32/com/jniwrapper/win32/
82 DiagnosticServiceImpl.java com/automationanywhere/nodemanager/service/impl/
83 DistributedCacheFactory.java com/automationanywhere/distributedcache/
84 DurableMessagePublisher.java com/automationanywhere/durablemessaging/
85 DurableMessageTransactional com/automationanywhere/durablemessaging/
Publisher.java
86 DurableMessagingBase.java com/automationanywhere/durablemessaging/
87 e.class.java com/jniwrapper/win32/com/jniwrapper/win32/
88 e.java com/jniwrapper/win32/com/jniwrapper/win32/
89 eC.java com/jniwrapper/win32/jexcel/com/jniwrapper/win32/jexcel/
90 ECCryptoImpl.java com/automationanywhere/core/security/impl/
91 EmailTemplateParamKeys.java com/automationanywhere/email/constants/
92 EmailUtil.java com/automationanywhere/botmigration/sdk/preprocessor/
93 Engine.java com/abbyy/FREngine/
94 ESInstallerUtil.java com/automationanywhere/elasticsearch/util/
95 ESRestClient.java com/automationanywhere/es_client/
96 ev.class.java com/teamdev/jxcapture/com/teamdev/jxcapture/
97 ev.java com/teamdev/jxcapture/com/teamdev/jxcapture/
98 ExcelUtils.java com/automationanywhere/botmigration/sdk/utils/
99 ExternalConfig.java com/automationanywhere/ignite/
100 ExternalEnvironmentImpl.java com/automationanywhere/externalfunction/
101 FileAttributePathHelper.java com/automationanywhere/toolchain/runtime/attribute/
102 FileDependencyServiceImpl.jav com/automationanywhere/migration/serverrepository/legacy/service/impl/
a
103 FileReader.java com/automationanywhere/botcommand/csv/utils/
104 FileServiceImpl.java com/automationanywhere/botcommand/sdk/file/
105 FileServiceImpl.java com/automationanywhere/compiler/service/impl/
106 FileServiceV2Impl.java com/automationanywhere/serverrepository/core/service/impl/

Id Filename Path
107 FileSystemStoreImpl.java com/automationanywhere/serverrepository/core/service/storage/impl/filesystem/

108 FileUtil.java com/automationanywhere/botcommand/file/folder/sdk/
109 FileUtils.java com/automationanywhere/common/util/
110 FileUtils.java com/automationanywhere/keyvaultintegration/utils/
111 FileUtils.java com/automationanywhere/commandsdk/command/helper/
112 FileUtils.java com/automationanywhere/botmigration/sdk/utils/
113 FipsRsaCryptoImpl.java com/automationanywhere/core/security/impl/
114 FirewalledResponse.java com/automationanywhere/authn/spring/
115 FolderAttributesDaoImpl.java com/automationanywhere/serverrepository/core/dao/impl/
116 GdprReportDirectoryService.ja com/automationanywhere/gdpr/helper/
va
117 GdprReportServiceImpl.java com/automationanywhere/gdpr/service/impl/
118 GdprReportZip.java com/automationanywhere/gdpr/helper/reportstatus/
119 GlobalCacheServiceImpl.java com/automationanywhere/nodemanager/service/impl/
120 HQLHelper.java com/automationanywhere/common/util/jpa/
121 HttpUtil.java com/automationanywhere/botcommand/wlm/util/
122 IfWebControlExists.java com/automationanywhere/botcommand/legacyautomation/conditions/
123 IfWebControlNotExists.java com/automationanywhere/botcommand/legacyautomation/conditions/
124 IgniteClusterServiceImpl.java com/automationanywhere/settings/service/impl/
125 IgniteFactory.java com/automationanywhere/ignite/
126 IgniteUtil.java com/automationanywhere/ignite/
127 ImageButtonProcessor.java com/automationanywhere/recorder/adapter/secondary/technologyAdapter/aisense
/processor/
128 ImageProcessor.java com/automationanywhere/botmigration/service/imageprocessor/
129 ImageUtils.java com/automationanywhere/recorder/adapter/secondary/technologyAdapter/aisense
/utils/
130 ImportLegacyDashboardTask.j com/automationanywhere/botinsight/service/impl/migrate/
ava
131 ImportServiceImpl.java com/automationanywhere/blm/service/impl/
132 InputValidator.java com/automationanywhere/botmigration/service/
133 IQBotClientServiceImpl.java com/automationanywhere/botcommand/iqbot/client/impl/
134 IRExecutorImpl.java com/automationanywhere/botcommand/imagerecognition/irsdk/Impl/
135 JarPathUtil.java com/automationanywhere/authn/util/
136 JarResourceExtractor.java com/automationanywhere/botcommand/legacyautomation/apicommunicator/
137 JarUtil.java com/automationanywhere/botengine/utils/
138 JarUtils.java com/automationanywhere/common/util/
139 JsonDataUploader.java com/automationanywhere/migration/audit/service/impl/
140 JTTerm.java com/turbosoft/tterm/
141 JwtValidationService.java com/automationanywhere/token/service/
142 KeyStoreImpl.java com/automationanywhere/core/security/impl/
143 KubernetesDiscoveryAgent.jav com/automationanywhere/durablemessaging/activemq/
a

Id Filename Path
144 LauncherConfiguration.java com/automationanywhere/botlauncher/

145 LegacyBotConstants.java com/automationanywhere/botmigration/sdk/
146 LibraryLoader.java com/automationanywhere/botcommand/file/folder/sdk/archive/zip/chilkat/
147 LocallyBufferedFileOutputStrea com/automationanywhere/common/util/
m.java
148 LogDeleteAndArchiveTask.java com/automationanywhere/log/services/
149 LoginService.java com/automationanywhere/nodemanager/service/
150 LogManagementServiceImpl.ja com/automationanywhere/logmanagement/service/impl/
va
151 LogUtils.java com/automationanywhere/recorder/adapter/secondary/technologyAdapter/aisense
/utils/
152 LookupXml.java com/automationanywhere/botmigration/sdk/
153 MailServiceImpl.java com/automationanywhere/email/service/impl/
154 Main.java com/automationanywhere/botscanner/ui/
155 ManageWebControl.java com/automationanywhere/botcommand/legacyautomation/commands/
156 ManualDependencyDaoImpl.ja com/automationanywhere/serverrepository/core/dao/dependency/impl/
va
157 MetaBotAnalyzer.java com/automationanywhere/botmigration/analysis/metabot/
158 MigratedDataReconciliationSer com/automationanywhere/migration/common/service/
vice.java
159 MigrationCodeGenerationServi com/automationanywhere/organizations/service/impl/
ceImpl.java
160 MonitorUtils.java com/automationanywhere/monitor/utils/
161 MoveComputerPathBuilderOpe com/automationanywhere/botcommand/activedirectory/operations/movecomputer/
rationDesktopOperationButton.j
ava
162 MoveComputerPathSelectGrou com/automationanywhere/botcommand/activedirectory/operations/movecomputer/
pBuilderOperationDesktopOper
ationButton.java
163 MoveComputerTreeChangeOp com/automationanywhere/botcommand/activedirectory/operations/movecomputer/
erationDesktopOperationButton
.java
164 MoveComputerTreeOperationD com/automationanywhere/botcommand/activedirectory/operations/movecomputer/
esktopOperationTree.java
165 MoveOrgUnitPathBuilderOpera com/automationanywhere/botcommand/activedirectory/operations/moveOU/
tionDesktopOperationButton.ja
va
166 MoveOrgUnitPathSelectGroup com/automationanywhere/botcommand/activedirectory/operations/moveOU/
BuilderOperationDesktopOpera
tionButton.java
167 MoveOrgUnitTreeChangeOper com/automationanywhere/botcommand/activedirectory/operations/moveOU/
ationDesktopOperationButton.j
ava
168 MoveOrgUnitTreeOperationDe com/automationanywhere/botcommand/activedirectory/operations/moveOU/
sktopOperationTree.java
169 MultiPartFileUploadServiceImpl com/automationanywhere/common/service/impl/
.java
170 myProfileSettings.js /
171 NativeUtils.java com/automationanywhere/botcommand/ftp/utility/

Id Filename Path
172 NodeMessagingServiceImpl.jav com/automationanywhere/nodemanager/service/impl/
a
173 NodeToXmlString.java com/automationanywhere/botcommand/xml/api/node/
174 OABAdapter.java com/automationanywhere/recorder/adapter/secondary/technologyAdapter/oab/
175 OcrResult.java com/automationanywhere/recorder/service/aisense/
176 OS.class.java com/teamdev/jxdesktop/com/teamdev/jxdesktop/
177 OS.java com/teamdev/jxdesktop/com/teamdev/jxdesktop/
178 PackageDaoMTImpl.java com/automationanywhere/packages/dao/impl/
179 PackageDownloadServiceImpl.j com/automationanywhere/devices/service/impl/
ava
180 PackageServiceImpl.java com/automationanywhere/packages/service/impl/
181 PackagingServiceImpl.java com/automationanywhere/packaging/service/impl/
182 PackagingUtil.java com/automationanywhere/packaging/common/
183 PasswordSettingsAuditDetailH com/automationanywhere/settings/integration/
elper.java
184 PasswordSettingsServiceGrpc.j com/automationanywhere/settings/api/
ava
185 PathBuilderOperationDesktopO com/automationanywhere/botcommand/activedirectory/operations/parentpath/
perationButton.java
186 PathUtils.java com/automationanywhere/compiler/helper/
187 PdfRowBuilder.java com/automationanywhere/botcommand/pdf/executor/extracttext/structured/
188 PermissionDaoImpl.java com/automationanywhere/auth/dao/impl/
189 PropertiesValue.java com/automationanywhere/botcommand/data/impl/
190 q.class.java com/jniwrapper/win32/com/jniwrapper/win32/
191 q.java com/jniwrapper/win32/com/jniwrapper/win32/
192 QueryTypeProvider.java com/automationanywhere/botcommand/database/executor/common/
193 QueueExportServiceImpl.java com/automationanywhere/wlm/service/impl/
194 QueueImportServiceImpl.java com/automationanywhere/wlm/service/impl/
195 RandomString.java com/automationanywhere/botcommand/string/commands/
196 RDPLoginServiceImpl.java com/automationanywhere/nodemanager/service/impl/
197 RecordValue.java com/automationanywhere/botcommand/data/impl/
198 ReferenceDependenciesScann com/automationanywhere/migration/dependencyscanner/scanner/
er.java
199 RemoveUsersFromGroupPath com/automationanywhere/botcommand/activedirectory/operations/removeusersfro
BuilderOperationDesktopOpera mgroup/
tionButton.java
200 RemoveUsersFromGroupTree com/automationanywhere/botcommand/activedirectory/operations/removeusersfro
ChangeOperationDesktopOper mgroup/
ationButton.java
201 RemoveUsersFromGroupTree com/automationanywhere/botcommand/activedirectory/operations/removeusersfro
OperationDesktopOperationTre mgroup/
e.java
202 RemoveUserTableOperationDe com/automationanywhere/botcommand/activedirectory/operations/removeusersfro
sktopOperationTable.java mgroup/
203 RepoPath.java com/automationanywhere/common/repository/
204 RepositoryCompleteMigrationS com/automationanywhere/migration/serverrepository/service/impl/

Id Filename Path
erviceImpl.java
205 RepositoryDeleteFolderAuditAd com/automationanywhere/serverrepository/audit/impl/
apterImpl.java
206 RepositoryResourceV1.java com/automationanywhere/serverrepository/resource/
207 RepositoryTenantMigration.jav com/automationanywhere/db/changesets/custom/repository/
a
208 ResourceUtil.java com/automationanywhere/toolchain/runtime/util/
209 ReverseProxyConfigurationSer com/automationanywhere/settings/service/impl/
viceImpl.java
210 RoleDaoImpl.java com/automationanywhere/auth/dao/impl/
211 RunTask.java com/automationanywhere/migration/dependencyscanner/scanner/command/
212 s.class.java com/teamdev/jxcapture/com/teamdev/jxcapture/
213 ScannerRunningWindowContro com/automationanywhere/botscanner/ui/
ller.java
214 ScheduleAutomation.java com/automationanywhere/scheduler/model/
215 ScreenFileOperations.java com/automationanywhere/botcommand/sdk/screencapture/
216 ScriptUtil.java com/automationanywhere/compiler/helper/
217 SecureRandomGenerator.java com/automationanywhere/core/security/
218 SecurityGlobalConstants.java com/automationanywhere/core/security/
219 SelectUserGroupPathBuilderO com/automationanywhere/botcommand/activedirectory/operations/selectusergroup
perationDesktopOperationButto /
n.java
220 SelectUserGroupTreeChangeO com/automationanywhere/botcommand/activedirectory/operations/selectusergroup
perationDesktopOperationButto /
n.java
221 SelectUserGroupTreeOperatio com/automationanywhere/botcommand/activedirectory/operations/selectusergroup
nDesktopOperationTree.java /
222 SetupHelper.java com/automationanywhere/externalfunction/
223 SetupHelper.java com/automationanywhere/nodemanager/util/
224 SoapMessageUtil.java com/automationanywhere/botcommand/soap/parser/
225 SourceDecryptionServiceImpl.j com/automationanywhere/migration/source/service/impl/
ava
226 StandardInputOutputMessenge com/automationanywhere/synchronous/messenger/
r.java
227 StreamingSheetWriter.java org/apache/poi/xssf/streaming/
228 Summary.java com/automationanywhere/botmigration/analysis/
229 TesterConfiguration.java com/automationanywhere/bot/tester/
230 TlsHostCommitSubscriber.java com/automationanywhere/authn/messaging/
231 TlsHostStagingCreationSubscri com/automationanywhere/authn/messaging/
ber.java
232 TlsHostUpdateServerCertificate com/automationanywhere/authn/messaging/
.java
233 TlsHostUpdateSubscriber.java com/automationanywhere/authn/messaging/
234 TomlUtil.java com/automationanywhere/authn/util/
235 TreeChangeOperationDesktop com/automationanywhere/botcommand/activedirectory/operations/parentpath/
OperationButton.java

Id Filename Path
236 TreeOperationDesktopOperatio com/automationanywhere/botcommand/activedirectory/operations/parentpath/
nTree.java
237 TriggerUtil.java com/automationanywhere/triggerlistener/util/
238 TTermDependencyResolver.jav com/automationanywhere/terminalemulator/dependency/tTerm/
a
239 TTermJNIConstants.java com/automationanywhere/botcommand/terminalemulator/constants/
240 UMV1ResourcesUrls.java com/automationanywhere/um/constants/
241 UpdatePackageJsonOfExisting com/automationanywhere/db/changesets/custom/packages/
Packages.java
242 UserAuditDetailsTransformer.ja com/automationanywhere/um/audit/attributes/
va
243 UserDaoImpl.java com/automationanywhere/um/dao/impl/
244 UserDetailsDaoImpl.java com/automationanywhere/um/dao/impl/
245 Util.java com/automationanywhere/botcommand/file/folder/sdk/archive/
246 Utils.java com/automationanywhere/botcommand/gsuite/utils/
247 WebSocketHeaderWriterFilter.j com/automationanywhere/realtimeservice/filter/
ava
248 WlmFileUploadServiceImpl.jav com/automationanywhere/wlm/service/impl/
a
249 WLMPackageHelper.java com/automationanywhere/wlm/
250 WorkOrderExecutorImpl.java com/automationanywhere/wlm/workorder/executor/impl/
251 x.class.java com/jniwrapper/com/jniwrapper/
252 x.java com/jniwrapper/com/jniwrapper/
253 XmlTransformation.java com/automationanywhere/botmigration/sdk/
254 XmlUtils.java com/automationanywhere/botmigration/sdk/utils/
255 XmlUtils.java com/automationanywhere/core/security/util/
256 y.java com/jniwrapper/com/jniwrapper/
257 ZipPackagerImpl.java com/automationanywhere/packaging/service/impl/
258 ZipUnpackagerImpl.java com/automationanywhere/packaging/service/impl/
259 ZipUtils.java com/automationanywhere/recorder/util/

Appendix D: Referenced Classpaths

Id Path
1 com.jniwrapper.DefaultLibraryLoader
2 com.jniwrapper.JNIWrapperInfo
3 com.jniwrapper.ae
4 com.jniwrapper.af
5 com.jniwrapper.b
6 com.jniwrapper.bl
7 com.jniwrapper.i
8 com.jniwrapper.l
9 com.jniwrapper.win32.ae
10 com.jniwrapper.win32.automation.OfficeContainer
11 com.jniwrapper.win32.cm
12 com.jniwrapper.win32.com.DispatchComServerFactory
13 com.jniwrapper.win32.dc
14 com.jniwrapper.win32.di
15 com.jniwrapper.win32.o
16 com.jniwrapper.win32.s
17 com.jniwrapper.x
18 com.teamdev.filewatch.FileWatcher
19 com.teamdev.filewatch.linux.j
20 com.teamdev.filewatch.m
21 com.teamdev.jxcapture.VideoCapture
22 com.teamdev.jxcapture.ar
23 com.teamdev.jxcapture.ar$b
24 com.teamdev.jxcapture.ba
25 com.teamdev.jxcapture.video.linux.a
26 com.teamdev.jxcapture.video.win.AVICapture
27 com.teamdev.jxdesktop.a
28 com.teamdev.jxdesktop.a$b
29 com.teamdev.jxdesktop.b

Appendix E: Dynamic Flaw Inventory

Rescan Status Number of Flaws
All 0
New 0
Open and Reopened 0
Cannot Reproduce 0
Fixed 0

Veracode RPA+BI DetailedReport A2019 6 Mar 2021 Patch Build 8122

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Veracode RPA+BI DetailedReport A2019 6 Mar 2021 Patch Build 8122

Uploaded by

Copyright:

Available Formats

Veracode Detailed Report

Application Security Report

Inside This Report

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Veracode Detailed Report Mitigated Veracode Level: VL5

Scans Included in Report

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 1 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Longer Timeframe (6 - 12 months)

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 2 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Application Trend Data

Scope of Static Scan

Engine Version: 20210219202837

The following modules were included in the application scan:

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 3 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 4 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 5 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 6 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 7 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 8 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 9 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 10 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 11 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 12 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

File Differences Between Scans

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 13 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Flaw Types by Severity and Category

Cryptographic Issues 0* (-9)

Directory Traversal 0* (-18)

API Abuse 7 (+2)

Code Quality 34 (+1)

Information Leakage 11 (-1)

Time and State 7

Code Quality 53 (+3)

Total 114* (-22)

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 14 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Policy Status: Not Assessed

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 15 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

© 2021 Veracode, Inc. Automation Anywhere and Veracode Confidential