DetailedReport Automation Anywhere Enterprise 2 Jul 2020 Veracode

Veracode Detailed Report
Application Security Report

As of 2 Jul 2020
Prepared for: Automation Anywhere
Prepared on: July 3, 2020
Application: Automation Anywhere Enterprise
Sandbox: A2019
Industry: Software & Internet
Business Criticality: BC5 (Very High)
Required Analysis: Static, Manual Penetration Test
Type(s) of Analysis Conducted: Static
Scope of Static Scan: 241 of 374 Modules Analyzed
Inside This Report

Executive Summary 1
Summary of Flaws by Severity 1
Action Items 1
Mitigation Proposal Review 18
Flaw Types by Category 19
Policy Summary 20
Findings & Recommendations 22
Methodology
While Mitigation Proposal reviews are based on industry best practice, Veracode does not guarantee the effectiveness of any mitigations, nor does
Veracode control whether such mitigations will be implemented or followed (if at all) by Customer. Accordingly, Veracode will have no liability in the
event any security vulnerability or breach. Responsibility for coding fixes to the flaws or re-writing mitigations remains with Customer’s or its Third
Party vendors’ developers.
While every precaution has been taken in the preparation of this document, Veracode, Inc. assumes no responsibility for errors, omissions, or for
damages resulting from the use of the information herein. The Veracode platform uses static and/or dynamic analysis techniques to discover
potentially exploitable flaws. Due to the nature of software security testing, the lack of discoverable flaws does not mean the software is 100%
secure.
© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential
65 Network Drive, Burlington, MA 01803 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Veracode Detailed Report prepared for Automation Anywhere – Jul 3, 2020
Veracode Detailed Report Mitigated Veracode Level: VL5

Application Security Report Original Veracode Level: VL1
Rated: Jul 2, 2020
As of 2 Jul 2020
Application: Automation Anywhere Business Criticality: Very High
Enterprise
Target Level: VL5 Adjusted/Published Rating: A*/F
Scans Included in Report

Static Scan Dynamic Scan Manual Penetration Test
132_2020-06-29-13:01:59-cr Not Included in Report Not Included in Report
Score: 97
Completed: 7/2/20
Executive Summary
This report contains a summary of the security flaws identified in the application using manual penetration testing, automated static
and/or automated dynamic security analysis techniques. This is useful for understanding the overall security quality of an individual
application or for comparisons between applications.
Application Business Criticality: BC5 (Very High) Summary of Flaws Found by Severity
Impacts:Operational Risk (High), Financial Loss (High)
An application's business criticality is determined by business
risk factors such as: reputation damage, financial loss,
operational risk, sensitive information disclosure, personal safety,
and legal violations. The Veracode Level and required
assessment techniques are selected based on the policy
assigned to the application.
Analyses Performed vs. Required
Manual Penetration
Dynamic
Static
Test
Any
Performed:
Required:
Action Items:
Veracode recommends the following approaches ranging from the most basic to the strong security measures that a vendor can
undertake to increase the overall security level of the application.
Required Analysis
Your policy requires Manual Penetration Test but it has not been performed. Please submit your application for Manual
Penetration Test and remediate the required detected flaws to conform to your assigned policy.
Your policy requires periodic Static Scan. Your next analysis must be completed by 10/2/20. Please submit your
application for Static Scan by the deadline and remediate the required detected flaws to conform to your assigned policy.
Flaw Severities
65 Network Drive, Burlington, MA 01803 1 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Medium severity flaws and above must be fixed for policy compliance.
Longer Timeframe (6 - 12 months)

Certify that software engineers have been trained on application security principles and practices.

Application Trend Data
Scope of Static Scan

The following modules were included in the static scan because the scan submitter selected them as entry points, which are modules that accept external data.
Engine Version: 20200520200321
The following modules were included in the application scan:

Module Name Compiler Operating Environment Engine
Version
aae-bot-scanner-2.4.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
aae-bot-scanner-ui-3.0.1-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
all.jar 0321
aae-bot-scanner-ui-3.0.1-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
activemq-5.15.9.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
adapters-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
adapters-api-1.0.0.jar JAVAC_11 Java J2SE 11 2020052020
0321
aggregator-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
audit-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
audit-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
authn-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
authn-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
Automation.InternetExplorerAddIn.dll MSIL_MSVC14_X86 Win32 2020052020
0321
Automation.InternetExplorerAddIn.dll MSIL_MSVC14_X86 Win32 2020052020
0321


Version
boot-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
boot-bot-insight-1.0.0-SNAPSHOT-all.jar JAVAC_8 Java J2SE 8 2020052020
0321
boot-bot-insight-1.0.0-SNAPSHOT- JAVASCRIPT_5_1 JavaScript 2020052020
all.jar_htmljscode.veracodegen.htmla.jsa 0321
bot-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-aspects.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-asynchronous-messenger-1.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-classloader.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-command-activedirectory-2.0.1- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-analyze-2.2.3- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-annotationsample-1.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-appintegration-1.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-application-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-boolean-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-browser-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-calendar-2.0.0- Android Android 2020052020
SNAPSHOT.jar 0321
bot-command-clipboard-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-comment-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-csvtxt-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-database-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-datetime-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-delay-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-dictionary-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-email-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-error-handler-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-file-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321


Version
bot-command-folder-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-forms-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-forms-1.0.0- JAVASCRIPT_5_1 JavaScript 2020052020
SNAPSHOT.jar_htmljscode.veracodegen. 0321
htmla.jsa
bot-command-ftp-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-if-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-image-recognition-2.0.0- Android Android 2020052020
SNAPSHOT.jar 0321
bot-command-iqbot-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-iqbotadvance-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-javascript-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-javascript-2.0.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-command-keystroke-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-legacyautomation-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-list-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-logtofile-2.1.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-loop-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-messagebox-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-migrate-2.4.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-mouse-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-msexcel-4.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-number-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-ocr-abbyy-2.1.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-ocr-abbyy-2.1.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-command-oexcelonline-2.0.0- Android Android 2020052020
SNAPSHOT.jar 0321
bot-command-onedrive-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321


Version
bot-command-operation-1.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-pdf-2.3.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-ping-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-playsound-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-poi-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-printer-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-prompt-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-python-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-recorder-2.0.6- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-recorder-2.0.6- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-command-rest-webservice-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-rundll-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-rundll-2.0.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-command-sap-2.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-sapbapi-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-screen-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-service-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-snmp-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-soap-3.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-step-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-string-3.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-system-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-table-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-task-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-terminalemulator-3.2.0- JAVAC_11 Java J2SE 11 2020052020


Version
SNAPSHOT.jar 0321
bot-command-trigger-loop-0.5.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-vbscript-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-vbscript-2.0.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-command-wait-3.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-window-2.0.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-command-wlm-2.0.1-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-command-xml-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-compiler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-compiler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-compiler-standalone-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
bot-compiler.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-core-api.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-core.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-debugger-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-debugger-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-engine-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-external-function-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-external-function-1.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-insight-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-insight-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-launcher-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-launcher-1.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
bot-lifecycle-management-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
bot-lifecycle-management-api-1.0.0- JAVAC_8 Java J2SE 8 2020052020


Version
SNAPSHOT.jar 0321
bot-migration-cr-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-migration-sdk-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-migration-service-1.1.0- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
bot-recorder-api-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-runtime-1.4.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-synchronous-messenger-1.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
bot-tester-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-trigger-email-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-trigger-file-folder-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-trigger-hotkey-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-trigger-uiobject-1.1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
botcontent-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
botcontent-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
botstore-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
botstore-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
certmgr-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
command-generic-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
common-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
common-db-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
common-trace-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
common-trace-aspect-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
common-utils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
configuration-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
configuration-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
controlroom-jwt-validation-1.0.0- JAVAC_8 Java J2SE 8 2020052020


Version
SNAPSHOT.jar 0321
credentialvault-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
credentialvault-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
crhttpd-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
crutils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
dashboard-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
dashboard-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
deploy-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
deploy-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
devices-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
devices-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
devices-api-deprecated-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
durablemessaging-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
email-notification-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
email-notification-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
error-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
es-client-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
es-client-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
excel-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
expiry-map-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
feature-flag-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
feature-flag-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
file-api-1.0.0-SNAPSHOT-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
file-folder-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
gdpr-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
gdpr-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020


Version
0321
geolocation-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
geolocation-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
globalvalues-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
globalvalues-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
grpc-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
i18n-api-1.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
ignite-2.7.6.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
ignite-server-2.7.6.1-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
ignite-server-2.7.6.1- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
installutils-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
ipc-api-1.0.0-SNAPSHOT-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
ir-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
JS files within bi-hopper-frontend.zip JAVASCRIPT_5_1 JavaScript 2020052020
0321
JS files within common-frontend- JAVASCRIPT_5_1 JavaScript 2020052020
components.zip 0321
JS files within common-frontend-utils.zip JAVASCRIPT_5_1 JavaScript 2020052020
0321
JS files within cr-frontend.zip JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
kernel-1.0.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
license-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
license-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
log-collector-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
log-management-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
logger-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
mapstruct-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321


Version
metrics-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
migration-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
migration-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
monitor-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
monitor-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
mouse-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
network-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
node-manager-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
node-manager-1.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
node-manager-api-1.0.0.jar JAVAC_11 Java J2SE 11 2020052020
0321
ocr-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
office365-auth-sdk-2.0.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
operationsroom-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
operationsroom-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
organizations-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
organizations-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
packages-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
packages-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
packaging-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
process-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
protobuf-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
proxy-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
proxy-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
proxy-shared-1.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
queryfilter-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321


Version
queryfilter-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
realtimeservice-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
repository-consistency-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
requeststatus-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
requeststatus-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
scheduler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
scheduler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
screencapture-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
serverrepository-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
serverrepository-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
session-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
settings-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
settings-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
spcompiler-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
spcompiler-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
string-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
tenants-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
tenants-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
trigger-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
trigger-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
triggerlistener-1.0-SNAPSHOT.jar JAVAC_11 Java J2SE 11 2020052020
0321
triggerlistener-1.0- JAVASCRIPT_5_1 JavaScript 2020052020
htmla.jsa
unittest-utils-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
upgrades-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
upgrades-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321


Version
usermanagement-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
usermanagement-api-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT.jar 0321
websocket-client-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
window-api-1.0.0-SNAPSHOT- JAVAC_11 Java J2SE 11 2020052020
SNAPSHOT.jar 0321
wlm-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
wlm-api-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
File Differences Between Scans

The uploaded modules for this scan do not match the modules you uploaded for the previous scan. This disparity can affect the scan results even if Veracode did
not find flaws in the files with differences. See appendix for more details.
The following modules were not selected for a full scan. Code paths in these modules that are not called from a scanned module are
not included in this report.
Version
activemq-5.15.9.1-SNAPSHOT-default.jar JAVAC_8 Java J2SE 8 2020052020
0321
boot-bot-insight-1.0.0-SNAPSHOT- JAVAC_8 Java J2SE 8 2020052020
default.jar 0321
bot-compiler-standalone-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT-default.jar 0321
bot-launcher-1.0-SNAPSHOT-default.jar JAVAC_11 Java J2SE 11 2020052020
0321
bot-recorder-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-runtime-1.4.0-SNAPSHOT-default.jar JAVAC_8 Java J2SE 8 2020052020
0321
bot-session-manager-1.0-SNAPSHOT.jar Unknown 2020052020
0321
botfarm-api-1.0.0.jar JAVAC_8 Java J2SE 8 2020052020
0321
certmgr-1.0.0-SNAPSHOT-default.jar JAVAC_8 Java J2SE 8 2020052020
0321
concrt140.dll MSVC14_X86_64 Win64 2020052020
0321
concrt140.dll MSVC14_X86_64 Win64 2020052020
0321
controlroom-jwt-validation-1.0.0- JAVAC_8 Java J2SE 8 2020052020
SNAPSHOT-default.jar 0321
crutils-1.0.0-SNAPSHOT-default.jar JAVAC_8 Java J2SE 8 2020052020
0321
ignite-server-2.7.6.1-SNAPSHOT- JAVAC_8 Java J2SE 8 2020052020
default.jar 0321
installutils-1.0.0-SNAPSHOT-default.jar JAVAC_8 Java J2SE 8 2020052020
0321


Version
kernel-1.0.0-SNAPSHOT-default.jar Unknown 2020052020
0321
kernel-1_mapfile_swagger-ui- JAVASCRIPT_5_1 JavaScript 2020052020
bundle.js.map.jsa 0321
kernel-1_mapfile_swagger-ui-standalone- JAVASCRIPT_5_1 JavaScript 2020052020
preset.js.map.jsa 0321
kernel-1_mapfile_swagger-ui.js.map.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_@braintree.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_@kyleshockey.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_autolinker.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_babel-runtime.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_base64-js.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_btoa.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_buffer.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_classnames.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_cookie.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_core-js.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_core-util-is.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_create-react- JAVASCRIPT_5_1 JavaScript 2020052020
class.jsa 0321
kernel-1_nodemodule_cross-fetch.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_css.escape.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_d.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_deep-equal.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_deep-extend.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_dompurify.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_encode-3986.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_es5-ext.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_es6-symbol.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321


Version
kernel-1_nodemodule_event-emitter.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_events.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_fast-json-patch.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_fbjs.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_hoist-non-react- JAVASCRIPT_5_1 JavaScript 2020052020
statics.jsa 0321
kernel-1_nodemodule_ieee754.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_immutable.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_inherits.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_invariant.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_is-promise.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_isarray.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_isomorphic-form- JAVASCRIPT_5_1 JavaScript 2020052020
data.jsa 0321
kernel-1_nodemodule_js-file-download.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_lodash-es.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel- JAVASCRIPT_5_1 JavaScript 2020052020
1_nodemodule_lodash.debounce.jsa 0321
kernel-1_nodemodule_lodash.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_lru-queue.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_memoizee.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_next-tick.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_object-assign.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_process-nextick- JAVASCRIPT_5_1 JavaScript 2020052020
args.jsa 0321
kernel-1_nodemodule_process.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_prop-types.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_punycode.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_qs.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321


Version
kernel-1_nodemodule_querystring- JAVASCRIPT_5_1 JavaScript 2020052020
browser.jsa 0321
kernel-1_nodemodule_querystring-es3.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_querystringify.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_react-debounce- JAVASCRIPT_5_1 JavaScript 2020052020
input.jsa 0321
kernel-1_nodemodule_react-dom.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_react-immutable- JAVASCRIPT_5_1 JavaScript 2020052020
proptypes.jsa 0321
kernel-1_nodemodule_react-immutable- JAVASCRIPT_5_1 JavaScript 2020052020
pure-component.jsa 0321
kernel-1_nodemodule_react-redux.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_react.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_readable-stream.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_redux- JAVASCRIPT_5_1 JavaScript 2020052020
immutable.jsa 0321
kernel-1_nodemodule_redux.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_regenerator- JAVASCRIPT_5_1 JavaScript 2020052020
runtime.jsa 0321
kernel-1_nodemodule_remarkable.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_repeat-string.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_requires-port.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_reselect.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_safe-buffer.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_serialize-error.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_setimmediate.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_stream- JAVASCRIPT_5_1 JavaScript 2020052020
browserify.jsa 0321
kernel-1_nodemodule_string_decoder.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_swagger-client.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_symbol- JAVASCRIPT_5_1 JavaScript 2020052020
observable.jsa 0321
kernel-1_nodemodule_timers- JAVASCRIPT_5_1 JavaScript 2020052020
browserify.jsa 0321


Version
kernel-1_nodemodule_timers-ext.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_url-parse.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_url.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_utf8-bytes.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_utfstring.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_util-deprecate.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_xml-but-prettier.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_xml.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
kernel-1_nodemodule_zenscroll.jsa JAVASCRIPT_5_1 JavaScript 2020052020
0321
libprotobuf-lite.dll MSVC14_X86_64 Win64 2020052020
0321
libprotobuf-lite.dll MSVC14_X86_64 Win64 2020052020
0321
libprotobuf.dll MSVC14_X86_64 Win64 2020052020
0321
libprotobuf.dll MSVC14_X86_64 Win64 2020052020
0321
msvcp140.dll MSVC14_X86_64 Win64 2020052020
0321
msvcp140.dll MSVC14_X86_64 Win64 2020052020
0321
msvcp140_1.dll MSVC14_X86_64 Win64 2020052020
0321
0321
0321
0321
msvcp140_codecvt_ids.dll MSVC14_X86_64 Win64 2020052020
0321
msvcp140_codecvt_ids.dll MSVC14_X86_64 Win64 2020052020
0321
node-manager-1.0-SNAPSHOT-default.jar JAVAC_11 Java J2SE 11 2020052020
0321
packageFile.jar Unknown 2020052020
0321
SAPObjectEventDLL.dll MSVC14_X86_64 Win64 2020052020
0321
SAPObjectEventDLL.dll MSVC14_X86_64 Win64 2020052020
0321


Version
supported-api-docs-1.0.0-SNAPSHOT.jar Unknown 2020052020
0321
tbb.dll MSVC14_X86_64 Win64 2020052020
0321
tbb.dll MSVC14_X86_64 Win64 2020052020
0321
test-1.0.0-SNAPSHOT.jar JAVAC_8 Java J2SE 8 2020052020
0321
test.jar Unknown 2020052020
0321
triggerlistener-1.0-SNAPSHOT-default.jar JAVAC_11 Java J2SE 11 2020052020
0321
UIObjectEventDLL.dll MSVC14_X86_64 Win64 2020052020
0321
UIObjectEventDLL.dll MSVC14_X86_64 Win64 2020052020
0321
vcamp140.dll MSVC14_X86_64 Win64 2020052020
0321
vcamp140.dll MSVC14_X86_64 Win64 2020052020
0321
vccorlib140.dll MSVC14_X86_64 Win64 2020052020
0321
vccorlib140.dll MSVC14_X86_64 Win64 2020052020
0321
vcomp140.dll MSVC14_X86_64 Win64 2020052020
0321
vcomp140.dll MSVC14_X86_64 Win64 2020052020
0321
vcruntime140.dll MSVC14_X86_64 Win64 2020052020
0321
vcruntime140.dll MSVC14_X86_64 Win64 2020052020
0321
vcruntime140_1.dll MSVC14_X86_64 Win64 2020052020
0321
vcruntime140_1.dll MSVC14_X86_64 Win64 2020052020
0321
Mitigation Proposal Review

Below is a summary of mitigations labeled as conforms or deviates to risk tolerance guidelines.
Mitigation Proposal Review Status Total

Conforms
The total number of mitigations reviewed by Veracode that adhere to the risk tolerance guidelines you 0
established.
Deviates
The total number of mitigations reviewed by Veracode that either do not provide enough information, or do not 1
adhere to the risk tolerance guidelines you established.

Mitigation Proposal Review Status Total

Total Reviewed Mitigations
The total number of mitigations reviewed by Veracode. This may not add up to the total number of all proposed 1
or accepted mitigations.
Flaw Types by Severity and Category

Static Scan
Security Quality Score =
97
from prior scan
Very High 0*
High 0*
Medium 0*
Low 28* (-3)
API Abuse 6 (-1)
Code Quality 13
Cryptographic Issues 1 (+1)
Information Leakage 6* (-3)
Time and State 2*
Very Low 0
Informational 40* (-2)
Code Quality 40* (-2)
Total 68* (-5)

Policy Evaluation
Policy Name: Veracode Recommended Very High
Revision: 1
Policy Status: Not Assessed
Description
Veracode provides default policies to make it easier for organizations to begin measuring their applications against policies. Veracode
Recommended Policies are available for customers as an option when they are ready to move beyond the initial bar set by the
Veracode Transitional Policies. The policies are based on the Veracode Level definitions.
Rules
Rule type Requirement Findings Status
Minimum Veracode Level VL5 VL5* Passed
(VL5) Min Analysis Score 90 97* Passed
(VL5) Max Severity Medium Flaws found: 0* Passed
* - Reflects violated rules that have mitigated flaws

Unsupported Frameworks
This report may have incomplete results based on the following unsupported frameworks identified during the static scan:
* Prototype
* Jython
* Apache Tapestry
* Jaxen
* Google GSON
The lack of support for all frameworks in use by this application and/or its supporting libraries may prevent the static discovery of some
flaws in the application, however, it does not invalidate the flaws that were found.

Findings & Recommendations
Detailed Flaws by Severity
Very High (0 flaws*) Fix Required by Policy.

No flaws of this type were found
High (0 flaws*) Fix Required by Policy.

Medium (0 flaws*) Fix Required by Policy.

Low (28 flaws*)

API Abuse(6 flaws)
Description
An API is a contract between a caller and a callee. Incorrect usage of certain API functions can result in exploitable security
vulnerabilities.
The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a
program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in
a secure fashion. Providing too few arguments to a varargs function such as printf() also violates the API contract and will
cause the missing parameters to be populated with unexpected data from the stack.
Another common mishap is when the caller makes false assumptions about the callee's behavior. One example of this is
when a caller expects a DNS-related function to return trustworthy information that can be used for authentication purposes.
This is a bad assumption because DNS responses can be easily spoofed.
Recommendations
When calling API functions, be sure to fully understand and adhere to the specifications to avoid introducing security
vulnerabilities. Do not make assumptions about trustworthiness of the data returned from API calls or use the data in a
context that was unintended by that API.
Associated Flaws by CWE ID:
J2EE Bad Practices: Direct Management of Connections (CWE ID 245)(6 flaws)
Description
The J2EE application directly manages connections rather than using the container's resource management facilities to
obtain connections as specified in the J2EE standard. Every major web application container provides pooled
database connection management as part of its resource management framework. Duplicating this functionality in an
application is difficult and error prone, which is part of the reason it is forbidden under the J2EE standard.
Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
Recommendations
Request the connection from the container rather than attempting to access it directly.

Instances found via Static Scan

Flaw Id Module # Class # Module Location Fix By
49212 19 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/ker
nel-1.0.0-
SNAPSHOT.jar
29753 48 - bot-command- .../DatabaseConnectionService.java 86
database-2.0.0-
SNAPSHOT.jar
29754 48 - bot-command- .../DatabaseConnectionService.java 106
database-2.0.0-
SNAPSHOT.jar
18652 51 - installutils-1.0.0- .../common/DbConnectionHelper.java 28
SNAPSHOT.jar
48653 50 - crutils-1.0.0- .../db/DbConnectionHelper.java 38
SNAPSHOT.jar
49187 52 - common-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar
Code Quality(13 flaws)
Description
Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may
include but are not limited to:
* Neglecting to remove debug code or dead code
* Improper resource management, such as using a pointer after it has been freed
* Using the incorrect operator to compare objects
* Failing to follow an API or framework specification
* Using a language feature or API in an unintended manner
While code quality flaws are generally less severe than other categories and usually are not directly exploitable, they may
serve as indicators that developers are not following practices that increase the reliability and security of an application. For
an attacker, code quality issues may provide an opportunity to stress the application in unexpected ways.
Recommendations
The wide variance of code quality issues makes it impractical to generalize how these issues should be addressed. Refer to
individual categories for specific recommendations.
Use of Wrong Operator in String Comparison (CWE ID 597)(13 flaws)
Description
Using '==' to compare two strings for equality or '!=' for inequality actually compares the object references rather than
their values. It is unlikely that this reflects the intended application logic.
Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.

Recommendations
Use the equals() method to compare strings, not the '==' or '!=' operator

47108 81 - bot-command- .../IfWebControlExists.java 398
legacyautomation-
2.0.0-
SNAPSHOT.jar
50545 81 - bot-command- .../IfWebControlExists.java 467
legacyautomation-
2.0.0-
SNAPSHOT.jar
47109 82 - bot-command- .../IfWebControlNotExists.java 389
legacyautomation-
2.0.0-
SNAPSHOT.jar
50547 82 - bot-command- .../IfWebControlNotExists.java 455
legacyautomation-
2.0.0-
SNAPSHOT.jar
36617 88 - ir-sdk-2.0.0- com/.../Impl/IRExecutorImpl.java 72
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
SNAPSHOT.jar
46843 102 - bot-command- com/.../ManageWebControl.java 1119
legacyautomation-
2.0.0-
SNAPSHOT.jar
36620 114 - operationsroom- .../OperationsRoomCacheImpl.java 58
1.0.0-
SNAPSHOT.jar
40735 121 - bot-compiler.jar/bot- com/.../impl/PropertiesValue.java 35
compiler-
standalone-1.0.0-
SNAPSHOT.jar
50763 126 - bot-compiler.jar/bot- com/.../data/impl/RecordValue.java 116
compiler-
standalone-1.0.0-
SNAPSHOT.jar
40852 138 - scheduler-1.0.0- .../model/ScheduleAutomation.java 274
SNAPSHOT.jar
Cryptographic Issues(1 flaw)
Description

Applications commonly use cryptography to implement authentication mechanisms and to ensure the confidentiality and
integrity of sensitive data, both in transit and at rest. The proper and accurate implementation of cryptography is extremely
critical to its efficacy. Configuration or coding mistakes as well as incorrect assumptions may negate a large degree of the
protection it affords, leaving the crypto implementation vulnerable to attack.
Common cryptographic mistakes include, but are not limited to, selecting weak keys or weak cipher modes, unintentionally
exposing sensitive cryptographic data, using predictable entropy sources, and mismanaging or hard-coding keys.
Developers often make the dangerous assumption that they can improve security by designing their own cryptographic
algorithm; however, one of the basic tenets of cryptography is that any cipher whose effectiveness is reliant on the secrecy of
the algorithm is fundamentally flawed.
Recommendations
Select the appropriate type of cryptography for the intended purpose. Avoid proprietary encryption algorithms as they typically
rely on "security through obscurity" rather than sound mathematics. Select key sizes appropriate for the data being protected;
for high assurance applications, 256-bit symmetric keys and 2048-bit asymmetric keys are sufficient. Follow best practices for
key storage, and ensure that plaintext data and key material are not inadvertently exposed.
Improper Verification of Cryptographic Signature (CWE ID 347)(1 flaw)
Description
A digital signature is a type of asymmetric cryptography used to electronically simulate a handwritten signature. A
message fingerprint is encrypted using the signer's private key and decrypted by the recipient using the senders public
key. The recipient calculates the fingerprint of the original message and compares it against the decrypted fingerprint
to confirm that the message is authentic and has not been tampered with in transmission. An application must properly
execute the signature comparison in order to derive the intended benefits of the digital signature scheme.
Recommendations
Be sure that the calculated message fingerprint is compared against the decrypted fingerprint. Most cryptographic
APIs provide a method call to perform this step automatically when provided the algorithm to follow.

50905 93 - session-1.0.0- .../JwtValidationService.java 77
SNAPSHOT.jar/boo
t-bot-insight-1.0.0-
SNAPSHOT-all.jar
Information Leakage(6 flaws*)
Description
An information leak is the intentional or unintentional disclosure of information that is either regarded as sensitive within the
product's own functionality or provides information about the product or its environment that could be useful in an attack.
Information leakage issues are commonly overlooked because they cannot be used to directly exploit the application.
However, information leaks should be viewed as building blocks that an attacker uses to carry out other, more complicated
attacks.

There are many different types of problems that involve information leaks, with severities that can range widely depending on
the type of information leaked and the context of the information with respect to the application. Common sources of
information leakage include, but are not limited to:
* Source code disclosure
* Browsable directories
* Log files or backup files in web-accessible directories
* Unfiltered backend error messages
* Exception stack traces
* Server version information
* Transmission of uninitialized memory containing sensitive data
Recommendations
Configure applications and servers to return generic error messages and to suppress stack traces from being displayed to end
users. Ensure that errors generated by the application do not provide insight into specific backend issues.
Remove all backup files, binary archives, alternate versions of files, and test files from web-accessible directories of production
servers. The only files that should be present in the application's web document root are files required by the application.
Ensure that deployment procedures include the removal of these file types by an administrator. Keep web and application
servers fully patched to minimize exposure to publicly-disclosed information leakage vulnerabilities.
Exposure of Sensitive Information Through Sent Data (CWE ID 201)(6 flaws*)
Description
Sensitive information may be exposed as a result of outbound network connections made by the application.
Recommendations
Ensure that the transfer of sensitive data is intended and that it does not violate application security policy or user
expectations.

47569 14 - kernel-1.0.0- .../BotStoreAdapterImpl.java 535
SNAPSHOT.jar
45358 91 - kernel-1.0.0- com/.../common/util/JarUtils.java 41
SNAPSHOT.jar
48459 - 3 bot-command- java.io.InputStream a() 33%
email-2.0.0-
SNAPSHOT.jar
46428 - 4 bot-command- java.io.InputStream a() 33%
recorder-2.0.6-
SNAPSHOT.jar
29772 95 - spcompiler-1.0.0- .../KubernetesDiscoveryAgent.java 77
SNAPSHOT.jar
35086 124 - ignite-server- .../QueueExportServiceImpl.java 299
2.7.6.1-
SNAPSHOT.jar

Time and State(2 flaws*)
Description
Time and State flaws are related to unexpected interactions between threads, processes, time, and information. These
interactions happen through shared state: semaphores, variables, the filesystem, and basically anything that can store
information. Vulnerabilities occur when there is a discrepancy between the programmer's assumption of how a program
executes and what happens in reality.
State issues result from improper management or invalid assumptions about system state, such as assuming mutable objects
are immutable. Though these conditions are less commonly exploited by attackers, state issues can lead to unpredictable or
undefined application behavior.
Recommendations
Limit the interleaving of operations on resources from multiple processes. Use locking mechanisms to protect resources
effectively. Follow best practices with respect to mutable objects and internal references. Pay close attention to
asynchronous actions in processes and make copious use of sanity checks in systems that may be subject to synchronization
errors.
J2EE Bad Practices: Use of System.exit() (CWE ID 382)(2 flaws*)
Description
A web applications should not attempt to shut down its container. A call to System.exit() is probably part of leftover
debug code or code imported from a non-J2EE application. Non-web applications may contain a main() method that
calls System.exit(), but generally should not call it from other locations in the code.
Effort to Fix: 1 - Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
Recommendations
Ensure that System.exit() is never called by web applications.

48654 31 - crutils-1.0.0- com/.../utils/ConsoleUtils.java 31
SNAPSHOT.jar
20697 83 - common-1.0.0- com/.../ignite/IgniteFactory.java 167
SNAPSHOT.jar/boo
t-bot-insight-1.0.0-
SNAPSHOT-all.jar

Very Low (0 flaws)

Info (40 flaws*)

Code Quality(40 flaws*)
Description
Code quality issues stem from failure to follow good coding practices and can lead to unpredictable behavior. These may
include but are not limited to:
* Neglecting to remove debug code or dead code
* Improper resource management, such as using a pointer after it has been freed
* Using the incorrect operator to compare objects
* Failing to follow an API or framework specification
* Using a language feature or API in an unintended manner
While code quality flaws are generally less severe than other categories and usually are not directly exploitable, they may
serve as indicators that developers are not following practices that increase the reliability and security of an application. For
an attacker, code quality issues may provide an opportunity to stress the application in unexpected ways.
Recommendations
The wide variance of code quality issues makes it impractical to generalize how these issues should be addressed. Refer to
individual categories for specific recommendations.
Improper Resource Shutdown or Release (CWE ID 404)(40 flaws*)
Description
The application fails to release (or incorrectly releases) a system resource before it is made available for re-use. This
condition often occurs with resources such as database connections or file handles. Most unreleased resource issues
result in general software reliability problems, but if an attacker can intentionally trigger a resource leak, it may be
possible to launch a denial of service attack by depleting the resource pool.
Recommendations
When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as
accounting for all potential paths of expiration or invalidation. Ensure that all code paths properly release resources.

45331 5 - bot-command- .../ApacheDataUploader.java 56
analyze-2.2.3-
SNAPSHOT.jar
47549 6 - bot-command- com/.../com/jniwrapper/ar.java 1
email-2.0.0-
SNAPSHOT.jar
47556 7 - bot-command-sap- com/.../com/jniwrapper/as.java 1
2.1.0-
SNAPSHOT.jar
43539 12 - bot-insight-1.0.0- com/.../utils/BotInsightUtils.java 52
SNAPSHOT.jar


46352 15 - bot-command- com/.../fxml/BrowserWindow.java 206
forms-1.0.0-
SNAPSHOT.jar
49210 19 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/ker
nel-1.0.0-
SNAPSHOT.jar
48460 25 - bot-command- com/.../CommandGenerator.java 79
recorder-2.0.6-
SNAPSHOT.jar
50544 47 - bot-command- com/.../store/CSVStore.java 70
browser-2.0.0-
SNAPSHOT.jar
49188 52 - common-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar
47547 57 - bot-command-sap- com/.../jniwrapper/win32/dg.java 1
2.1.0-
SNAPSHOT.jar
47560 61 - bot-command- com/.../win32/jexcel/eC.java 1
msexcel-4.0.0-
SNAPSHOT.jar
45041 65 - es-client-1.0.0- com/.../ESRestClient.java 161
SNAPSHOT.jar
47551 66 - bot-command- com/.../teamdev/jxcapture/ev.java 1
recorder-2.0.6-
SNAPSHOT.jar
25896 71 - bot-command- com/.../csv/utils/FileReader.java 53
csvtxt-2.0.0-
SNAPSHOT.jar
43358 73 - bot-command- com/.../file/FileServiceImpl.java 496
printer-2.0.0-
SNAPSHOT.jar
48283 80 - bot-command-wlm- com/.../wlm/util/HttpUtil.java 106
2.0.1-
SNAPSHOT.jar
50546 89 - bot-command- .../JarResourceExtractor.java 47
legacyautomation-
2.0.0-
SNAPSHOT.jar
47552 - 25 bot-command- java.util.List a() 18%
recorder-2.0.6-
SNAPSHOT.jar
47555 - 21 bot-command- java.util.List a() 23%
recorder-2.0.6-
SNAPSHOT.jar
47548 - 3 bot-command- java.util.List b() 9%
email-2.0.0-
SNAPSHOT.jar
35061 - 4 bot-command-sap- java.util.List b() 9%
2.1.0-
SNAPSHOT.jar
46378 107 - monitor-1.0.0- com/.../utils/MonitorUtils.java 40
SNAPSHOT.jar
46854 112 - bot-command- com/.../oab/OABAdapter.java 91
recorder-2.0.6-
SNAPSHOT.jar


49830 119 - bot-command-pdf- com/.../PdfRowBuilder.java 93
2.3.0-
SNAPSHOT.jar
44704 120 - usermanagement- com/.../PermissionDaoImpl.java 354
1.0.0-
SNAPSHOT.jar
47566 120 - usermanagement- com/.../PermissionDaoImpl.java 356
1.0.0-
SNAPSHOT.jar
45377 123 - bot-command- com/.../QueryTypeProvider.java 44
database-2.0.0-
SNAPSHOT.jar
47522 123 - bot-command- com/.../QueryTypeProvider.java 50
database-2.0.0-
SNAPSHOT.jar
11299 125 - ignite-server- com/.../impl/RDPServiceImpl.java 72
2.7.6.1-
SNAPSHOT.jar
47561 125 - ignite-server- com/.../impl/RDPServiceImpl.java 81
2.7.6.1-
SNAPSHOT.jar
41309 132 - bot-command- com/.../ResourceReader.java 20
terminalemulator-
3.2.0-
SNAPSHOT.jar
47564 135 - usermanagement- com/.../dao/impl/RoleDaoImpl.java 296
1.0.0-
SNAPSHOT.jar
47562 135 - usermanagement- com/.../dao/impl/RoleDaoImpl.java 298
1.0.0-
SNAPSHOT.jar
29707 140 - bot-compiler.jar com/.../helper/ScriptUtil.java 183
26070 148 - bot-synchronous- .../StandardInputOutputMessenger.java
messenger-1.0- 40
SNAPSHOT.jar
46376 151 - triggerlistener-1.0- com/.../util/TriggerUtil.java 49
SNAPSHOT.jar
47565 157 - usermanagement- com/.../dao/impl/UserDaoImpl.java 348
1.0.0-
SNAPSHOT.jar
47563 157 - usermanagement- com/.../dao/impl/UserDaoImpl.java 350
1.0.0-
SNAPSHOT.jar
47554 - 23 bot-command- void !ctor(EncodingParameters) 10%
recorder-2.0.6-
SNAPSHOT.jar
47553 - 24 bot-command- void <clinit>(void) 37%
recorder-2.0.6-
SNAPSHOT.jar

About Veracode's Methodology

The Veracode platform uses static and dynamic analysis (for web applications) to identify software security flaws in your applications.
Using both static and dynamic analysis helps reduce false negatives and detect a broader range of security flaws. Veracode static
analysis models the application into an intermediate representation, which is then analyzed for security flaws using a set of automated
security tests. Dynamic analysis uses an automated penetration testing technique to detect security flaws at runtime. Once the automated
process is complete, a security technician verifies the output to ensure the lowest false positive rates in the industry. The end result
is an accurate list of security flaws for the classes of automated scans applied to the application.
Veracode Rating System Using Multiple Analysis Techniques

Higher assurance applications require more comprehensive analysis to accurately score their security quality. Because each analysis
technique (automated static, automated dynamic, manual penetration testing or manual review) has differing false negative (FN) rates
for different types of security flaws, any single analysis technique or even combination of techniques is bound to produce a certain level
of false negatives. Some false negatives are acceptable for lower business critical applications, so a less expensive analysis using only
one or two analysis techniques is acceptable. At higher business criticality the FN rate should be close to zero, so multiple analysis
techniques are recommended.
Application Security Policies

The Veracode platform allows an organization to define and enforce a uniform application security policy across all applications in its
portfolio. The elements of an application security policy include the target Veracode Level for the application; types of flaws that should
not be in the application (which may be defined by flaw severity, flaw category, CWE, or a common standard including OWASP,
CWE/SANS Top 25, or PCI); minimum Veracode security score; required scan types and frequencies; and grace period within which
any policy-relevant flaws should be fixed.
Policy constraints
Policies have three main constraints that can be applied: rules, required scans, and remediation grace periods.
Evaluating applications against a policy

When an application is evaluated against a policy, it can receive one of four assessments:
Not assessed The application has not yet had a scan published
Passed The application has passed all the aspects of the policy, including rules, required scans, and grace period.
Did not pass The application has not completed all required scans; has not achieved the target Veracode Level; or has one or
more policy relevant flaws that have exceeded the grace period to fix.
Conditional pass The application has one or more policy relevant flaws that have not yet exceeded the grace period to fix.
Understand Veracode Levels

The Veracode Level (VL) achieved by an application is determined by type of testing performed on the application, and the severity and
types of flaws detected. A minimum security score (defined below) is also required for each level.
There are five Veracode Levels denoted as VL1, VL2, VL3, VL4, and VL5. VL1 is the lowest level and is achieved by demonstrating
that security testing, automated static or dynamic, is utilized during the SDLC. VL5 is the highest level and is achieved by performing
automated and manual testing and removing all significant flaws. The Veracode Levels VL2, VL3, and VL4 form a continuum of
increasing software assurance between VL1 and VL5.
For IT staff operating applications, Veracode Levels can be used to set application security policies. For deployment scenarios of
different business criticality, differing VLs should be made requirements. For example, the policy for applications that handle credit card
transactions, and therefore have PCI compliance requirements, should be VL5. A medium business criticality internal application could
have a policy requiring VL3.
Software developers can decide which VL they want to achieve based on the requirements of their customers. Developers of software
that is mission critical to most of their customers will want to achieve VL5. Developers of general purpose business software may want

to achieve VL3 or VL4. Once the software has achieved a Veracode Level it can be communicated to customers through a Veracode
Report or through the Veracode Directory on the Veracode web site.
Criteria for achieving Veracode Levels

The following table defines the details to achieve each Veracode Level. The criteria for all columns: Flaw Severities Not
Allowed, Flaw Categories not Allowed, Testing Required, and Minimum Score.
*Dynamic is only an option for web applications.
Veracode Level Flaw Severities Not Allowed Testing Required* Minimum Score
VL5 V.High, High, Medium Static AND Manual 90
VL4 V.High, High, Medium Static 80
VL3 V.High, High Static 70
VL2 V.High Static OR Dynamic OR Manual 60
VL1 Static OR Dynamic OR Manual
When multiple testing techniques are used it is likely that not all testing will be performed on the exact same build. If that is the
case the latest test results from a particular technique will be used to calculate the current Veracode Level. After 6 months test
results will be deemed out of date and will no longer be used to calculate the current Veracode Level.
Business Criticality
The foundation of the Veracode rating system is the concept that more critical applications require higher security quality scores to be
acceptable risks. Less business critical applications can tolerate lower security quality. The business criticality is dictated by the typical
deployed environment and the value of data used by the application. Factors that determine business criticality are: reputation damage,
financial loss, operational risk, sensitive information disclosure, personal safety, and legal violations.
US. Govt. OMB Memorandum M-04-04; NIST FIPS Pub. 199
Business Criticality Description
Very High Mission critical for business/safety of life and limb on the line
High Exploitation causes serious brand damage and financial loss with long term business impact
Medium Applications connected to the internet that process financial or private customer information
Low Typically internal applications with non-critical business impact
Very Low Applications with no material business impact
Business Criticality Definitions

Very High (BC5) This is typically an application where the safety of life or limb is dependent on the system; it is mission critical
the application maintain 100% availability for the long term viability of the project or business. Examples are control software
for industrial, transportation or medical equipment or critical business systems such as financial trading systems.
High (BC4) This is typically an important multi-user business application reachable from the internet and is critical that the
application maintain high availability to accomplish its mission. Exploitation of high criticality applications cause serious brand
damage and business/financial loss and could lead to long term business impact.
Medium (BC3) This is typically a multi-user application connected to the internet or any system that processes financial or
private customer information. Exploitation of medium criticality applications typically result in material business impact resulting

in some financial loss, brand damage or business liability. An example is a financial services company's internal 401K
management system.
Low (BC2) This is typically an internal only application that requires low levels of application security such as authentication to
protect access to non-critical business information and prevent IT disruptions. Exploitation of low criticality applications may
lead to minor levels of inconvenience, distress or IT disruption. An example internal system is a conference room reservation
or business card order system.
Very Low (BC1) Applications that have no material business impact should its confidentiality, data integrity and availability be
affected. Code security analysis is not required for applications at this business criticality, and security spending should be
directed to other higher criticality applications.
Scoring Methodology
The Veracode scoring system, Security Quality Score, is built on the foundation of two industry standards, the Common Weakness
Enumeration (CWE) and Common Vulnerability Scoring System (CVSS). CWE provides the dictionary of security flaws and CVSS
provides the foundation for computing severity, based on the potential Confidentiality, Integrity and Availability impact of a flaw if
exploited.
The Security Quality Score is a single score from 0 to 100, where 0 is the most insecure application and 100 is an application with no
detectable security flaws. The score calculation includes non-linear factors so that, for instance, a single Severity 5 flaw is weighted
more heavily than five Severity 1 flaws, and so that each additional flaw at a given severity contributes progressively less to the score.
Veracode assigns a severity level to each flaw type based on three foundational application security requirements — Confidentiality,
Integrity and Availability. Each of the severity levels reflects the potential business impact if a security breach occurs across one or
more of these security dimensions.
Confidentiality Impact
According to CVSS, this metric measures the impact on confidentiality if a exploit should occur using the vulnerability on the
target system. At the weakness level, the scope of the Confidentiality in this model is within an application and is measured at
three levels of impact -None, Partial and Complete.
Integrity Impact
This metric measures the potential impact on integrity of the application being analyzed. Integrity refers to the trustworthiness
and guaranteed veracity of information within the application. Integrity measures are meant to protect data from unauthorized
modification. When the integrity of a system is sound, it is fully proof from unauthorized modification of its contents.
Availability Impact
This metric measures the potential impact on availability if a successful exploit of the vulnerability is carried out on a target
application. Availability refers to the accessibility of information resources. Almost exclusive to this domain are denial-of-
service vulnerabilities. Attacks that compromise authentication and authorization for application access, application memory,
and administrative privileges are examples of impact on the availability of an application.
Security Quality Score Calculation

The overall Security Quality Score is computed by aggregating impact levels of all weaknesses within an application and representing
the score on a 100 point scale. This score does not predict vulnerability potential as much as it enumerates the security weaknesses
and their impact levels within the application code.
The Raw Score formula puts weights on each flaw based on its impact level. These weights are exponential and determined by
empirical analysis by Veracode's application security experts with validation from industry experts. The score is normalized to a scale of
0 to 100, where a score of 100 is an application with 0 detected flaws using the analysis technique for the application's business
criticality.
Understand Severity, Exploitability, and Remediation Effort

Severity and exploitability are two different measures of the seriousness of a flaw. Severity is defined in terms of the potential impact to
confidentiality, integrity, and availability of the application as defined in the CVSS, and exploitability is defined in terms of the likelihood

or ease with which a flaw can be exploited. A high severity flaw with a high likelihood of being exploited by an attacker is potentially
more dangerous than a high severity flaw with a low likelihood of being exploited.
Remediation effort, also called Complexity of Fix, is a measure of the likely effort required to fix a flaw. Together with severity, the
remediation effort is used to give Fix First guidance to the developer.
Veracode Flaw Severities

Veracode flaw severities are defined as follows:
Severity Description
The offending line or lines of code is a very serious weakness and is an easy target for an
Very High
attacker. The code should be modified immediately to avoid potential attacks.
The offending line or lines of code have significant weakness, and the code should be
High
modified immediately to avoid potential attacks.
A weakness of average severity. These should be fixed in high assurance software. A fix for
Medium this weakness should be considered after fixing the very high and high for medium
assurance software.
This is a low priority weakness that will have a small impact on the security of the software.
Low Fixing should be consideration for high assurance software. Medium and low assurance
software can ignore these flaws.
Minor problems that some high assurance software may want to be aware of. These flaws
Very Low
can be safely ignored in medium and low assurance software.
Issues that have no impact on the security quality of the application but which may be of
Informational
interest to the reviewer.
Informational findings
Informational severity findings are items observed in the analysis of the application that have no impact on the security quality
of the application but may be interesting to the reviewer for other reasons. These findings may include code quality issues, API
usage, and other factors.
Informational severity findings have no impact on the security quality score of the application and are not included in the
summary tables of flaws for the application.
Exploitability
Each flaw instance in a static scan may receive an exploitability rating. The rating is an indication of the intrinsic likelihood that the flaw
may be exploited by an attacker. Veracode recommends that the exploitability rating be used to prioritize flaw remediation within a
particular group of flaws with the same severity and difficulty of fix classification.
The possible exploitability ratings include:
Exploitability Description
V. Unlikely Very unlikely to be exploited
Unlikely Unlikely to be exploited

Exploitability Description
Neutral Neither likely nor unlikely to be exploited.
Likely Likely to be exploited
V. Likely Very likely to be exploited
Note: All reported flaws found via dynamic scans are assumed to be exploitable, because the dynamic scan actually executes
the attack in question and verifies that it is valid.
Effort/Complexity of Fix
Each flaw instance receives an effort/complexity of fix rating based on the classification of the flaw. The effort/complexity of fix
rating is given on a scale of 1 to 5, as follows:
Effort/Complexity of Fix Description
5 Complex design error. Requires significant redesign.
4 Simple design error. Requires redesign and up to 5 days to fix.
3 Complex implementation error. Fix is approx. 51-500 lines of code. Up to 5 days to fix.
2 Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
1 Trivial implementation error. Fix is up to 5 lines of code. One hour or less to fix.
Flaw Types by Severity Level

The flaw types by severity level table provides a summary of flaws found in the application by Severity and Category. The table puts the
Security Quality Score into context by showing the specific breakout of flaws by severity, used to compute the score as described
above. If multiple analysis techniques are used, the table includes a breakout of all flaws by category and severity for each analysis
type performed.
Flaws by Severity
The flaws by severity chart shows the distribution of flaws by severity. An application can get a mediocre security rating by having a few
high risk flaws or many medium risk flaws.
Flaws in Common Modules

The flaws in common modules listing shows a summary of flaws in shared dependency modules in this application. A shared
dependency is a dependency that is used by more than one analyzed module. Each module is listed with the number of executables
that consume it as a dependency and a summary of the impact on the application's security score of the flaws found in the dependency.
The score impact represents the amount that the application score would increase if all the flaws in the shared dependency module
were fixed. This information can be used to focus remediation efforts on common modules with a higher impact on the application
security score.
Only common modules that were uploaded with debug information are included in the Flaws in Common Modules listing.

Action Items
The Action Items section of the report provides guidance on the steps required to bring the application to a state where it passes its
assigned policy. These steps may include fixing or mitigating flaws or performing additional scans. The section also includes best
practice recommendations to improve the security quality of the application.
Common Weakness Enumeration (CWE)

The Common Weakness Enumeration (CWE) is an industry standard classification of types of software weaknesses, or flaws, that can
lead to security problems. CWE is widely used to provide a standard taxonomy of software errors. Every flaw in a Veracode report is
classified according to a standard CWE identifier.
More guidance and background about the CWE is available at http://cwe.mitre.org/data/index.html.
About Manual Assessments

The Veracode platform can include the results from a manual assessment (usually a penetration test or code review) as part of a report.
These results differ from the results of automated scans in several important ways, including objectives, attack vectors, and common
attack patterns.
A manual penetration assessment is conducted to observe the application code in a run-time environment and to simulate real-world
attack scenarios. Manual testing is able to identify design flaws, evaluate environmental conditions, compound multiple lower risk flaws
into higher risk vulnerabilities, and determine if identified flaws affect the confidentiality, integrity, or availability of the application.
Objectives
The stated objectives of a manual penetration assessment are:
• Perform testing, using proprietary and/or public tools, to determine whether it is possible for an attacker to:
• Circumvent authentication and authorization mechanisms
• Escalate application user privileges
• Hijack accounts belonging to other users
• Violate access controls placed by the site administrator
• Alter data or data presentation
• Corrupt application and data integrity, functionality and performance
• Circumvent application business logic
• Circumvent application session management
• Break or analyze use of cryptography within user accessible components
• Determine possible extent access or impact to the system by attempting to exploit vulnerabilities
• Score vulnerabilities using the Common Vulnerability Scoring System (CVSS)
• Provide tactical recommendations to address security issues of immediate consequence
Provide strategic recommendations to enhance security by leveraging industry best practices
Attack vectors
In order to achieve the stated objectives, the following tests are performed as part of the manual penetration assessment,
when applicable to the platforms and technologies in use:
• Cross Site Scripting (XSS)

• SQL Injection
• Command Injection
• Cross Site Request Forgery (CSRF)
• Authentication/Authorization Bypass
• Session Management testing, e.g. token analysis, session expiration, and logout effectiveness
• Account Management testing, e.g. password strength, password reset, account lockout, etc.
• Directory Traversal
• Response Splitting
• Stack/Heap Overflows
• Format String Attacks

• Cookie Analysis
• Server Side Includes Injection
• Remote File Inclusion
• LDAP Injection
• XPATH Injection
• Internationalization attacks
• Denial of Service testing at the application layer only
• AJAX Endpoint Analysis
• Web Services Endpoint Analysis
• HTTP Method Analysis
• SSL Certificate and Cipher Strength Analysis
• Forced Browsing
CAPEC Attack Pattern Classification

The following attack pattern classifications are used to group similar application flaws discovered during manual penetration
testing. Attack patterns describe the general methods employed to access and exploit the specific weaknesses that exist
within an application. CAPEC (Common Attack Pattern Enumeration and Classification) is an effort led by Cigital, Inc. and is
sponsored by the United States Department of Homeland Security's National Cyber Security Division.
Abuse of Functionality
Exploitation of business logic errors or misappropriation of programmatic resources. Application functions are developed to
specifications with particular intentions, and these types of attacks serve to undermine those intentions.
Examples:
• Exploiting password recovery mechanisms

• Accessing unpublished or test APIs
• Cache poisoning
Spoofing
Impersonation of entities or trusted resources. A successful attack will present itself to a verifying entity with an acceptable
level of authenticity.
Examples:
• Man in the middle attacks

• Checksum spoofing
• Phishing attacks
Probabilistic Techniques
Using predictive capabilities or exhaustive search techniques in order to derive or manipulate sensitive information. Attacks
capitalize on the availability of computing resources or the lack of entropy within targeted components.
Examples:
• Password brute forcing

• Cryptanalysis
• Manipulation of authentication tokens
Exploitation of Authentication
Circumventing authentication requirements to access protected resources. Design or implementation flaws may allow
authentication checks to be ignored, delegated, or bypassed.
Examples:
• Cross-site request forgery

• Reuse of session identifiers
• Flawed authentication protocol

Resource Depletion
Affecting the availability of application components or resources through symmetric or asymmetric consumption. Unrestricted
access to computationally expensive functions or implementation flaws that affect the stability of the application can be
targeted by an attacker in order to cause denial of service conditions.
Examples:
• Flooding attacks
• Unlimited file upload size
• Memory leaks
Exploitation of Privilege/Trust
Undermining the application's trust model in order to gain access to protected resources or gain additional levels of access as
defined by the application. Applications that implicitly extend trust to resources or entities outside of their direct control are
susceptible to attack.
Examples:
• Insufficient access control lists

• Circumvention of client side protections
• Manipulation of role identification information
Injection
Inserting unexpected inputs to manipulate control flow or alter normal business processing. Applications must contain
sufficient data validation checks in order to sanitize tainted data and prevent malicious, external control over internal
processing.
Examples:
• SQL Injection
• Cross-site scripting
• XML Injection
Data Structure Attacks

Supplying unexpected or excessive data that results in more data being written to a buffer than it is capable of holding.
Successful attacks of this class can result in arbitrary command execution or denial of service conditions.
Examples:
• Buffer overflow
• Integer overflow
• Format string overflow
Data Leakage Attacks

Recovering information exposed by the application that may itself be confidential or may be useful to an attacker in discovering
or exploiting other weaknesses. A successful attack may be conducted passive observation or active interception methods.
This attack pattern often manifests itself in the form of applications that expose sensitive information within error messages.
Examples:
• Sniffing clear-text communication protocols

• Stack traces returned to end users
• Sensitive information in HTML comments
Resource Manipulation
Manipulating application dependencies or accessed resources in order to undermine security controls and gain unauthorized
access to protected resources. Applications may use tainted data when constructing paths to local resources or when
constructing processing environments.

Examples:
• Carriage Return Line Feed log file injection

• File retrieval via path manipulation
• User specification of configuration files
Time and State Attacks

Undermining state condition assumptions made by the application or capitalizing on time delays between security checks and
performed operations. An application that does not enforce a required processing sequence or does not handle concurrency
adequately will be susceptible to these attack patterns.
Examples:
• Bypassing intermediate form processing steps

• Time-of-check and time-of-use race conditions
• Deadlock triggering to cause a denial of service
Terms of Use
Use and distribution of this report are governed by the agreement between Veracode and its customer. In particular, this report and the
results in the report cannot be used publicly in connection with Veracode’s name without written permission.

Appendix A: Changes from Last Scan

Latest Scan Prior Scan
Static Scan
Scan Name: 132_2020-06-29-13:01:59-cr Scan Name: 119_2020-06-20-13:32:06-cr
Completed: 7/2/20 Completed: 6/20/20
Score: 97 Score: 97
Changes in scope of scan (static)

New Modules
Version
all.jar 0321
0321
SNAPSHOT.jar 0321
SNAPSHOT.jar 0321
0321
Removed modules
Version
all.jar 0321
0321
SNAPSHOT.jar 0321
SNAPSHOT.jar 0321
0321
Flaws not detected in current scan

The following is a list of all flaws found in the prior scan of this application that were not detected in the current scan.
Low (4 flaws)
API Abuse(1 flaw)
J2EE Bad Practices: Direct Management of Connections (CWE ID 245)(1 flaw)

30878 28 - node-manager-1.0- com/.../Configuration.java 475
SNAPSHOT.jar

Information Leakage(3 flaws)
Exposure of Sensitive Information Through Sent Data (CWE ID 201)(3 flaws)

49459 116 - packages-1.0.0- .../impl/PackageServiceImpl.java 1343
SNAPSHOT.jar
49458 149 - kernel-1.0.0- org/.../io/TeeOutputStream.java 40
SNAPSHOT.jar
49457 149 - kernel-1.0.0- org/.../io/TeeOutputStream.java 41
SNAPSHOT.jar
Info (2 flaws)
Improper Resource Shutdown or Release (CWE ID 404)(2 flaws)

50767 56 - node-manager-1.0- .../DeviceUpgradeHandler.java 151
SNAPSHOT.jar
49235 - 3 bot-command- java.util.List b() 9%
msexcel-4.0.0-
SNAPSHOT.jar

Appendix B: Approved Mitigated Flaws (by Automation Anywhere)

NOTE: Except in circumstances where the Customer has purchased Veracode’s Mitigation Proposal Review Solution, Veracode does
not review the mitigation strategy described below and is not responsible for its contents or the accuracy of any statements provided.
Very High (6 flaws) Fix Required by Policy: Flaw no longer impacts results..
Flaw continues to impact results.
Untrusted Search Path(6 flaws)
Process Control (CWE ID 114)(6 flaws)

Flaw Id Exploitability Module # Class # Module Location
25905 Neutral 63 - bot-command-ocr- com/.../abbyy/FREngine/Engine.java 238
abbyy-2.1.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (jniwrapper).
Approve Mitigation (Automation Anywhere): Approved.

25913 Neutral 92 - bot-command- com/.../tterm/JTTerm.java 1018
terminalemulator-
3.2.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (turbosoft).

31859 Neutral 98 - bot-command-folder- com/.../chilkat/LibraryLoader.java 85
2.1.0-SNAPSHOT.jar
Mitigate by Design (Automation Anywhere):

Technique : M1 : Establish and maintain control over all of your inputs
Specifics : It loads library from a temp location. The temp location is created by the same method and
hence the location is a trusted location.
Remaining Risk : Little to none
Verification : Code review

31854 Neutral 109 - bot-command-ftp- com/.../utility/NativeUtils.java 108
2.0.0-SNAPSHOT.jar

Specifics : It loads library from a temp location. The temp location is created by the same method and
hence the location is a trusted location.

43335 Neutral - 17 bot-trigger-file-folder- void b(java.lang.String) 96%
1.1.0-SNAPSHOT.jar

Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper).
Potential False Positive (Automation Anywhere): Since the library is complaint with cross platform ,
need load native library and initialize the watching process in native system.
Approve Mitigation (Automation Anywhere): Approved

27250 Neutral - 1 bot-command-sap- void loadLibrary(java.lang.String) 96%
2.1.0-SNAPSHOT.jar
High (25 flaws) Fix Required by Policy: Flaw no longer impacts results..
SQL Injection(25 flaws)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE
ID 89)(9 flaws)

50564 Neutral 1 - serverrepository- com/.../impl/AAFileDaoImplV2.java 252
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The DBMS IN clause is being split into multiple
statements as DBMS limit maximum elements into a single IN clause. This is not an SQL Injection.

50571 Neutral 53 - serverrepository- com/.../DependencyDaoImpl.java 148
1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

50561 Neutral 103 - serverrepository- .../ManualDependencyDaoImpl.java 129
1.0.0-SNAPSHOT.jar


1.0.0-SNAPSHOT.jar

48320 Likely 146 - migration-1.0.0- .../SourceRoleServiceImpl.java 66
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This SQL is not dynamically generated with user
inputs. It splits IN clause as DBMS has a maximum limit on a single IN clause.

48319 Likely 146 - migration-1.0.0- .../SourceRoleServiceImpl.java 77
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This SQL is not dynamically generated with user
inputs. It splits IN clause as DBMS has a maximum limit on a single IN clause.

46611 Neutral 147 - migration-1.0.0- .../SourceUserServiceImpl.java 47
SNAPSHOT.jar

Specifics : Parameterized statements here throws error in case large number of records found in IN
clause. The input parameter is generated via internal function and not accepted as input from end user. It
calls QueryUtils.appendMultipleInClauses method. (Refer 11.3.4.2 flaw id - 21392, 21393)
Remaining Risk : Little to None

46550 Neutral 158 - usermanagement- .../impl/UserDetailsDaoImpl.java 110
1.0.0-SNAPSHOT.jar

calls QueryUtils.appendMultipleInClauses method. (Refer 11.3.4.2 flaw id - 21392, 21393)

SQL Injection: Hibernate (CWE ID 564)(16 flaws)

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

46552 Likely 40 - credentialvault-1.0.0- .../CredentialAttributeValueDaoImpl.java
SNAPSHOT.jar 117

clause. The input parameter is generated via internal function and not accepted as input from end user.
(Refer 11.3.4.2 flaw id - 21392)

1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar



41257 Neutral 79 - license-1.0.0- com/.../util/jpa/HQLHelper.java 158
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): The user inputs are passed are provided via
parameters. The query contruction here includes a constant which is the column name. No user inputs
are concatenated.
Approve Mitigation (Automation Anywhere): Approved. The issues are already mitigated and
approved previously (Old Flaw ID: 35058-> New Flaw ID 41256, Old Flaw ID: 35059 -> New Flaw ID:
41258, Old Flaw ID: 35060 -> New Flaw ID: 41257 )
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
are concatenated.
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
are concatenated.
1.0.0-SNAPSHOT.jar

1.0.0-SNAPSHOT.jar

46563 Likely 106 - migration-1.0.0- .../MigrationEntityDaoImpl.java 58


SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The single IN clause is split into multiple IN clause
here as DBMS has max limit on it. The external inputs are not being concatenate with the query hence
there is no SQL injection here.

49213 Likely 106 - migration-1.0.0- .../MigrationEntityDaoImpl.java 155
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This splits single IN clause into multiple IN clauses
to over come DBMS limitation and does not dynamically generate query from any user input.

46547 Neutral 120 - usermanagement- com/.../PermissionDaoImpl.java 131
1.0.0-SNAPSHOT.jar

calls QueryUtils.appendMultipleInClauses method. (Refer 11.3.4.2 flaw id - 21392)

46548 Neutral 158 - usermanagement- .../impl/UserDetailsDaoImpl.java 106
1.0.0-SNAPSHOT.jar

clause. The input parameter is generated via internal function and not accepted as input from end user.
(Refer 11.3.4.2 flaw id - 21392)
Medium (313 flaws) Fix Required by Policy: Flaw no longer impacts results..
Directory Traversal(204 flaws)

External Control of File Name or Path (CWE ID 73)(204 flaws)

43813 Likely 4 - aae-bot-scanner-ui- com/.../analysis/Analyze.java 82
3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The file being used internal and trusted.

45365 Likely 4 - aae-bot-scanner- com/.../analysis/Analyze.java 110
2.4.0-SNAPSHOT.jar

2.4.0-SNAPSHOT.jar

2.4.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Technique : M1 : Establish and maintain control
over all of your inputs
Specifics : All inputs are validated.
Remaining Risk : None
Justification:The file being used internal and trusted.

2.4.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Technique : M1 : Establish and maintain control
over all of your inputs
Specifics : All inputs are validated.
Justification:The file being used internal and trusted.

48313 Likely 8 - migration-1.0.0- com/.../model/AtmxBot.java 90
SNAPSHOT.jar

Specifics : The paths used are set by trusted admin and validated.



SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar




49231 Likely 9 - aae-bot-scanner-ui- com/.../ui/BotAnalysis.java 91
3.0.1-SNAPSHOT.jar

Specifics : Paths generated by logic based on user inputs
Remaining Risk : Little or none

49234 Likely 9 - aae-bot-scanner-ui- com/.../ui/BotAnalysis.java 100
3.0.1-SNAPSHOT.jar

Remaining Risk : little or none
Verification : code review

29398 V.Likely 11 - migration-1.0.0- .../BotInsightDashboardMigrationService.j
SNAPSHOT.jar ava 100

Specifics : This reads details from the properties file which is set during installation by a trusted admin.

49829 Neutral 13 - serverrepository- com/.../toolchain/BotService.java 208
1.0.0-
SNAPSHOT.jar/bot-
compiler-standalone-
1.0.0-SNAPSHOT.jar
Mitigated by Custom Cleansing Function (Veracode): This flaw was proposed as a mitigation by the
custom cleansing function "botcore.api.dto.CommandMetrics
getCommandMetrics(botcore.api.dto.GetCommandMetricsRequest)".

26406 Likely 16 - bot-command- com/.../com/jniwrapper/bu.java 1
msexcel-4.0.0-
SNAPSHOT.jar

35063 Likely 17 - bot-command-sap- com/.../com/jniwrapper/bv.java 1
2.1.0-SNAPSHOT.jar

Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper)

47850 Likely 21 - bot-asynchronous- .../ChronicleQueueAsyncImpl.java 75
messenger-1.0-
SNAPSHOT.jar

Specifics : This is a validated path.

messenger-1.0-
SNAPSHOT.jar


messenger-1.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Duplicate record

messenger-1.0-
SNAPSHOT.jar

Specifics : This is used for internal system communication and does not take input from non-trusted
sources.

messenger-1.0-
SNAPSHOT.jar

messenger-1.0-
SNAPSHOT.jar


sources.

messenger-1.0-
SNAPSHOT.jar

messenger-1.0-
SNAPSHOT.jar

sources.

messenger-1.0-
SNAPSHOT.jar

messenger-1.0-
SNAPSHOT.jar

sources.

messenger-1.0-
SNAPSHOT.jar



sources.

messenger-1.0-
SNAPSHOT.jar

sources.

40516 Likely 21 - bot-launcher-1.0- .../ChronicleQueueAsyncImpl.java 234
SNAPSHOT.jar

Specifics : All The value of the path coming from trusted location.
Verification : The non-trusted path will not be accepted by application

38536 Likely 21 - bot-launcher-1.0- .../ChronicleQueueAsyncImpl.java 236
SNAPSHOT.jar


45374 Likely 22 - bot-engine-1.0- com/.../impl/CleanerImpl.java 170
SNAPSHOT.jar

Specifics : The path refers to the configuration location which is set by a trusted user.

SNAPSHOT.jar


Specifics : The path refers to the configuration location which is set by a trusted user.

SNAPSHOT.jar

Specifics : It gets list from internal metadata which is a trusted source.

37861 Likely 22 - bot-tester-1.0- com/.../impl/CleanerImpl.java 179
SNAPSHOT.jar/bot-
engine-1.0-
SNAPSHOT.jar
custom cleansing function "botengine.dataobject.BotContext loadBotContext(java.lang.String)".

40214 Likely 23 - log-collector-1.0- com/.../services/Collector.java 48
SNAPSHOT.jar


29700 Likely 24 - log-collector-1.0- com/.../CollectorState.java 18
SNAPSHOT.jar

Specifics : It reads specific internal file and does not take input from un-trusted sources.

SNAPSHOT.jar




SNAPSHOT.jar


48315 Likely 26 - migration-1.0.0- .../CompositeFileDependency.java 32
SNAPSHOT.jar


48324 Likely 26 - migration-1.0.0- .../CompositeFileDependency.java 39
SNAPSHOT.jar


47132 Likely 27 - migration-1.0.0- com/.../CompressedArchive.java 31
SNAPSHOT.jar

Specifics : The path is validated and set by a trusted user.

47122 Likely 27 - migration-1.0.0- com/.../CompressedArchive.java 31
SNAPSHOT.jar



Specifics : The path is validated and set by a trusted user.

21434 Likely 29 - bot-external-function- com/.../Configuration.java 39
1.0-SNAPSHOT.jar

Specifics : It reads property files from internal properties folder and does not accept input from un trusted
sources.

29697 Likely 30 - log-collector-1.0- com/.../Configuration.java 46
SNAPSHOT.jar

Specifics : It reads property files from internal properties folder and does not accept input from un trusted
sources.

29676 Likely 34 - bot-engine-1.0- com/.../utils/ContextHelper.java 44
SNAPSHOT.jar
custom cleansing function "void addToClasspath(java.lang.String, java.lang.ClassLoader)".

29673 Likely 34 - bot-engine-1.0- com/.../utils/ContextHelper.java 87
SNAPSHOT.jar
custom cleansing function "void copyJarResourcesToDirectory(java.util.jar.JarFile, java.lang.String,
java.lang.String)".

47541 Likely 37 - migration-1.0.0- .../CoreMigrationServiceImpl.java 589
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This is a path validation routine.

47542 Likely 37 - migration-1.0.0- .../CoreMigrationServiceImpl.java 589
SNAPSHOT.jar


44721 Likely 38 - bot-command- com/.../win32/jexcel/cQ.java 1
msexcel-4.0.0-
SNAPSHOT.jar

Specifics : This is appearing through jniwrapper, a third party API teamdev which we are using for excel
commands
Verification : verification through code

42909 Neutral 39 - boot-bot-insight- .../CRConfigurationServiceImpl.java 595
1.0.0-SNAPSHOT-
all.jar

Specifics : The path is set by a trusted admin during the initial configuration.

29403 V.Likely 39 - boot-bot-insight- .../CRConfigurationServiceImpl.java 780
1.0.0-SNAPSHOT-
all.jar

Specifics : This checks the access to the given path during validation process. The path is set by trusted
admin.
Approve Mitigation (Automation Anywhere): Approved. The repoPath is set by the first admin during
the installation time and by the trusted admin during the edit of the repoPath so both the cases it is
trusted.
50919 Neutral 39 - boot-bot-insight- .../CRConfigurationServiceImpl.java 803
1.0.0-SNAPSHOT-
all.jar

9906 Neutral 46 - wlm-1.0.0- com/.../CsvFileConnection.java 30
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no untrusted user input in 'filePath', it is set
internally.


19761 Likely 49 - common-db-1.0.0- .../db/DBConfigProperties.java 51
SNAPSHOT.jar

Specifics : Here we try to load the database properties onetime i.e. at app start-up time from file system
or classpath. The file is not a user input. It is in control room node machine itself inside the config folder
and the path is specified from command prompt. Hence there is no risk of it being passed by a malicious
user or system.
This mitigation deviates from the risk tolerance guidelines (Veracode): The provided mitigation
statements do not meet the risk tolerance guidelines for the following reasons:
* Defer to Internal Security for final risk acceptance.
* Are compensating controls enough to protect these from being modified by anyone outside of an Admin
given permissions?
* Basic Risk Tolerance Guidelines would state: "Mitigations must be independent of Enterprise Controls
(e.g. cannot rely on “clean”/ “trusted” data from the Enterprise or other Enterprise-based controls
(network, operating system, and etc.))"
* External Control of Filename means that the 'Filename' is not part of the code. It doesn't mean external
to the company.
48935 Likely 49 - common-db-1.0.0- .../db/DBConfigProperties.java 62
SNAPSHOT.jar

Specifics : All the inputs are not user supplied

Specifics : The repository path is supplied by trusted user

41313 Likely 54 - bot-command- .../DependencyResolverImpl.java 46
terminalemulator-
3.2.0-SNAPSHOT.jar




terminalemulator-
3.2.0-SNAPSHOT.jar


terminalemulator-
3.2.0-SNAPSHOT.jar


47131 Likely 55 - migration-1.0.0- com/.../helper/DependencyUtil.java 64
SNAPSHOT.jar

Specifics : This is a validated path and set by a trusted user.

SNAPSHOT.jar


SNAPSHOT.jar




SNAPSHOT.jar


29711 Likely 59 - durablemessaging- com/.../DurableMessaging.java 92
1.0.0-SNAPSHOT.jar

Specifics : It reads property files from internal properties folder and does not accept input from un-trusted
sources.

26399 Likely 60 - bot-command-sap- com/.../jniwrapper/win32/e.java 1
2.1.0-SNAPSHOT.jar

25910 Likely 63 - bot-command-ocr- com/.../abbyy/FREngine/Engine.java 276
abbyy-2.1.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (abby).

abbyy-2.1.0-
SNAPSHOT.jar

abbyy-2.1.0-
SNAPSHOT.jar

abbyy-2.1.0-
SNAPSHOT.jar


abbyy-2.1.0-
SNAPSHOT.jar

abbyy-2.1.0-
SNAPSHOT.jar

18646 Likely 65 - es-client-1.0.0- com/.../ESRestClient.java 142
SNAPSHOT.jar

Specifics : System property can only be altered by trusted administrator.
Verification : Design review

SNAPSHOT.jar


SNAPSHOT.jar


14901 Likely 67 - ignite-2.7.6.1- com/.../ignite/ExternalConfig.java 105
SNAPSHOT.jar
Mitigate by Design (Automation Anywhere): Promoted from Sandbox -

Specifics : The input 'propDir' is not controlled externally. It is set by a trusted admin.


Approve Mitigation (Automation Anywhere): Promoted from Sandbox - Approved
given permissions?
to the company.
29689 Likely 68 - bot-tester-1.0- .../ExternalEnvironmentImpl.java 68
SNAPSHOT.jar/bot-
command-javascript-
2.0.0-SNAPSHOT.jar

Specifics : It gets the environment path from the bot context, which is a trusted source.

29694 Likely 68 - bot-tester-1.0- .../ExternalEnvironmentImpl.java 68
SNAPSHOT.jar/bot-
command-javascript-
2.0.0-SNAPSHOT.jar

Specifics : It gets the environment path from the bot context, which is a trusted source.

49831 Neutral 69 - bot-compiler.jar/bot- .../FileAttributePathHelper.java 52
1.0.0-SNAPSHOT.jar

Specifics : The path is set by a trusted admin of the system.


1.0.0-SNAPSHOT.jar


1.0.0-SNAPSHOT.jar


48317 Likely 70 - migration-1.0.0- .../FileDependencyServiceImpl.java 70
SNAPSHOT.jar


31845 Likely 73 - ir-sdk-2.0.0- com/.../file/FileServiceImpl.java 51
SNAPSHOT.jar/bot-
command-
application-2.0.0-
SNAPSHOT.jar
custom cleansing function "void isValidFileName(java.lang.String)".

43535 Likely 73 - bot-command- com/.../file/FileServiceImpl.java 408
printer-2.0.0-
SNAPSHOT.jar

Specifics : There is no user interaction. It is to create unique temporary file in temp location.
Verification : Review by code


printer-2.0.0-
SNAPSHOT.jar

Specifics : There is no user interaction. It is to create unique temporary file in temp location.

printer-2.0.0-
SNAPSHOT.jar

Specifics : It gets the length of the file provided by the trusted user while creating bot.
Approve Mitigation (Automation Anywhere): Approved. The file is going to created in the temporary
directory.
printer-2.0.0-
SNAPSHOT.jar

Specifics : The input directory is trusted application directory and this is to get the file name from trusted
source.

printer-2.0.0-
SNAPSHOT.jar

Specifics : The input directory is trusted application directory and this is to get the file name from trusted
source.

47119 Neutral 74 - serverrepository- com/.../FileServiceV2Impl.java 383
1.0.0-SNAPSHOT.jar


Specifics : The path used here is a validated path.

1.0.0-SNAPSHOT.jar

Specifics : The path is set by a trusted admin.

1.0.0-SNAPSHOT.jar

Specifics : The path used is set by a trusted admin.

50557 Likely 77 - command-generic- com/.../helper/FileUtils.java 35
1.0.0-SNAPSHOT-
SNAPSHOT.jar

Specifics : The value of file path is generated from application, not from user input.
Verification : Code Review

46751 Likely 76 - bot-migration- com/.../sdk/utils/FileUtils.java 53
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : As the data is accepted from the application and not entered by the user
Remaining Risk : Little/None

46753 Likely 76 - bot-migration- com/.../sdk/utils/FileUtils.java 53


service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : As the data is accepeted by the application and not entered by the user

45305 Likely 75 - packaging-1.0.0- com/.../common/util/FileUtils.java 198
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : This path refers to system configuration location which is set by trusted admin.

19815 Likely 75 - packaging-1.0.0- com/.../common/util/FileUtils.java 209
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The input fileName' is not controlled externally. It is set by a trusted admin.
given permissions?
to the company.
16572 Neutral 75 - packaging-1.0.0- com/.../common/util/FileUtils.java 230
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


Specifics : The input fileName' is not controlled externally. It is set by a trusted admin.

given permissions?
to the company.
46834 Likely 84 - ignite-2.7.6.1- com/.../ignite/IgniteUtil.java 162
SNAPSHOT.jar

Specifics : The path refers to the configuration folder which is set by trusted admin during the initial setup.

46833 Likely 84 - ignite-2.7.6.1- com/.../ignite/IgniteUtil.java 166
SNAPSHOT.jar

Specifics : The path refers to the configuration folder which is set by trusted admin during the initial setup.

50574 Neutral 85 - bot-insight-1.0.0- .../ImportLegacyDashboardServiceImpl.ja
SNAPSHOT.jar va 88

Specifics : Path refers to predefined path which is set by the trusted user of the application. Its not been
taken by the user input



50585 Neutral 85 - bot-insight-1.0.0- .../ImportLegacyDashboardServiceImpl.ja
SNAPSHOT.jar va 118

Specifics : Path refers to predefined path which is set by the trusted user of the application. Its not been
taken by the user input

46460 Likely 86 - bot-migration- com/.../InputValidator.java 12
service-1.1.0-
SNAPSHOT.jar

Specifics : There is no use provided path has been used.

42864 Neutral 87 - bot-command-iqbot- .../IQBotClientServiceImpl.java 94
2.0.0-SNAPSHOT.jar

Specifics : All the input data from trusted user and the input doesn't gets propagated to the system.

43336 Likely - 19 bot-trigger-file-folder- j f(void) 75%
1.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (teamdev).

49208 Likely 90 - bot-engine-1.0- com/.../utils/JarUtil.java 22
SNAPSHOT.jar

Specifics : The path is validated and set by a trusted admin.


45355 Likely 91 - common-utils-1.0.0- com/.../common/util/JarUtils.java 75
SNAPSHOT.jar
custom cleansing function "void copyJarContentToDir(java.lang.String, java.nio.file.Path,
java.lang.String)".

SNAPSHOT.jar

Specifics : The input is from application package which is a trusted source.

SNAPSHOT.jar

Specifics : The input is from application package which is a trusted source.

27204 Likely - 16 bot-command-sap- java.io.File a(java.io.File) 34%
2.1.0-SNAPSHOT.jar

27207 Likely - 5 bot-command-sap- java.io.File a(java.io.File) 34%
2.1.0-SNAPSHOT.jar

43343 Likely - 17 bot-trigger-file-folder- java.io.File a(java.lang.String) 4%
1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar


1.1.0-SNAPSHOT.jar

43349 Likely - 17 bot-trigger-file-folder- java.io.File a(java.net.URL,
1.1.0-SNAPSHOT.jar java.lang.String) 28%


27247 Likely - 1 bot-command-sap- java.io.File c() 3%
2.1.0-SNAPSHOT.jar
Approve Mitigation (Automation Anywhere): Approved. Refereeing External Library.

2.1.0-SNAPSHOT.jar

27266 Likely - 9 bot-command-sap- java.net.URL [] a(java.lang.String) 61%
2.1.0-SNAPSHOT.jar

27265 Likely - 2 bot-command-sap- java.util.Map a(java.lang.String) 40%
2.1.0-SNAPSHOT.jar

27255 Likely - 2 bot-command-sap- java.util.Map a(void) 26%
2.1.0-SNAPSHOT.jar

27257 Likely - 2 bot-command-sap- java.util.Map a(void) 58%
2.1.0-SNAPSHOT.jar

47938 Likely 94 - common-db-1.0.0- com/.../impl/KeyStoreImpl.java 44
SNAPSHOT.jar/activ
emq-5.15.9.1-


SNAPSHOT.jar

Specifics : This code is not having call reference. Refer AAE-42005 (11.3.4.2-46558_46559_46560.docx)
(11.3.4.2 Flaw Id - 46560)

SNAPSHOT.jar/activ
emq-5.15.9.1-
SNAPSHOT.jar

Specifics : This code is not having call reference. Refer AAE-42005 (11.3.4.2-
46558_46559_46560.docx) (11.3.4.2 Flaw Id - 46559)

SNAPSHOT.jar/activ
emq-5.15.9.1-
SNAPSHOT.jar

Specifics : This code is not having call reference. Refer AAE-42005 (11.3.4.2-46558_46559_46560.docx)
(11.3.4.2 flaw id - 46558)

29766 Likely 96 - bot-launcher-1.0- .../LauncherConfiguration.java 70
SNAPSHOT.jar

Specifics : The input is from properties directory which is a trusted source.

SNAPSHOT.jar



Specifics : The input is from properties directory which is a trusted source.

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar

Specifics : The patch is system internal path and does not take from input.

SNAPSHOT.jar


SNAPSHOT.jar




SNAPSHOT.jar


SNAPSHOT.jar
custom cleansing function "java.lang.String getBotDirectory()".

SNAPSHOT.jar

SNAPSHOT.jar

31848 Likely 98 - bot-command-folder- com/.../chilkat/LibraryLoader.java 114
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no File.io at given source code.

31847 Likely 98 - bot-command-folder- com/.../chilkat/LibraryLoader.java 115
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no File.io at given source code.

43353 Likely - 7 bot-trigger-file-folder- long b(java.lang.String) 10%
1.1.0-SNAPSHOT.jar

43354 Likely - 7 bot-trigger-file-folder- long b(java.lang.String) 31%
1.1.0-SNAPSHOT.jar


27246 Likely - 8 bot-command-sap- long c(java.lang.String) 7%
2.1.0-SNAPSHOT.jar

27248 Likely - 8 bot-command-sap- long c(java.lang.String) 22%
2.1.0-SNAPSHOT.jar

43361 Neutral 99 - bot-migration- com/.../sdk/LookupXml.java 51
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : The xml file is for internal processing and not user supplied. No user input required for this
process.

46377 Likely 100 - email-notification- com/.../impl/MailServiceImpl.java 119
1.0.0-SNAPSHOT.jar

Specifics : The path is configuration directory which is set by trusted admin.

49232 Likely 101 - aae-bot-scanner-ui- com/.../botscanner/ui/Main.java 36
3.0.1-SNAPSHOT.jar

Specifics : Only authenticated user can perform the operation.

49233 Likely 101 - aae-bot-scanner-ui- com/.../botscanner/ui/Main.java 42
3.0.1-SNAPSHOT.jar



Specifics : Only authenticated user can perform the operation.
Remaining Risk : Little or None

48310 Likely 104 - migration-1.0.0- com/.../command/MetaBot.java 20
SNAPSHOT.jar


49228 Likely 105 - aae-bot-scanner-ui- com/.../MetaBotAnalyzer.java 121
3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar


3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : As this function accepts data from the application not from the user

3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : This is already mitigated by design with flaw id 49223 in the report of 14 May


3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : This is already mitigated by flaw id 49227 with report of 14 may

3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar


3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : As Data come from the application and not entered by the user

42884 Neutral 108 - spcompiler-1.0.0- .../MultiPartFileUploadServiceImpl.java 31
SNAPSHOT.jar

Specifics : The path received by system routines and does not take input.

31853 Likely 109 - bot-command-ftp- com/.../utility/NativeUtils.java 130
2.0.0-SNAPSHOT.jar


Specifics : The file is created via the internal routine during execution. The path is predefined in the
routine which is application specific.

31855 Likely 109 - bot-command-ftp- com/.../utility/NativeUtils.java 137
2.0.0-SNAPSHOT.jar

Specifics : The file is created via the internal routine during execution. The path is predefined in the
routine which is application specific.

31182 Likely 113 - excel-sdk-2.0.0- .../OpenSpreadsheetValidator.java 40
SNAPSHOT.jar

Specifics : This validates the path of the excel file if that exists or not. This will be provided by authorized
system user.

41254 Likely 117 - packaging-1.0.0- com/.../common/PackagingUtil.java 38
SNAPSHOT.jar


44282 Likely 118 - bot-compiler.jar com/.../helper/PathUtils.java 34

Specifics : Fetches the temp directory path which is set by the system.


26396 Likely 122 - bot-command-sap- com/.../jniwrapper/win32/q.java 1
2.1.0-SNAPSHOT.jar

45399 Neutral 124 - wlm-1.0.0- .../QueueExportServiceImpl.java 296
SNAPSHOT.jar

Specifics : The path refers to system location and does not take any input.

48321 Likely 127 - migration-1.0.0- .../ReferenceDependenciesScanner.java
SNAPSHOT.jar 34


48312 Likely 127 - migration-1.0.0- .../ReferenceDependenciesScanner.java
SNAPSHOT.jar 34


46555 Neutral 128 - serverrepository- com/.../repository/RepoPath.java 36
1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): RepoPath is used to validate the path within the
system.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar


system.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): RepoPath validates the input path and returns a
valid path.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): RepoPath validates the input path and returns a
valid path.
Approve Mitigation (Automation Anywhere): approved

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
system.

1.0.0-
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
system.

46554 Neutral 129 - serverrepository- .../RepositoryDeleteFolderAuditAdapterIm
1.0.0-SNAPSHOT.jar pl.java 92

Specifics : The path is retrieved from system routines which is trusted. This does not being fetched from
user input.

47568 Neutral 131 - kernel-1.0.0- .../RepositoryTenantMigration.java 81
SNAPSHOT.jar


Specifics : This is a validated path and set by trusted user.

31850 Likely 133 - bot-compiler.jar/bot- com/.../util/ResourceUtil.java 32
1.0.0-SNAPSHOT.jar
custom cleansing function "botcore.api.dto.Value loadValue(java.lang.Class, java.lang.String)".

44012 Neutral 134 - boot-bot-insight- .../ReverseProxyConfigurationServiceImpl
1.0.0-SNAPSHOT- .java 54
all.jar

Specifics : This refers to configuration file which is set by a trusted admin.

all.jar


all.jar

Specifics : The path is set by trusted admin of the system.

all.jar




all.jar


48308 Likely 136 - migration-1.0.0- com/.../command/RunTask.java 52
SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar


34154 Likely 137 - bot-command- com/.../SAPConnection.java 80
sapbapi-2.0.0-
SNAPSHOT.jar


Specifics : This creates properties in temp directory. No user input is taken.

44281 Likely 139 - screencapture-api- .../ScreenFileOperations.java 30
1.0.0-SNAPSHOT-
SNAPSHOT.jar
custom cleansing function "void isValidFileName(java.lang.String)".

21435 Likely 142 - bot-external-function- com/.../SetupHelper.java 31
1.0-SNAPSHOT.jar

Specifics : It loads configuration from application internal file, which is set by trusted admin.

47383 Neutral 144 - migration-1.0.0- .../SourceConfigurationIntegrationImpl.jav
SNAPSHOT.jar a 69

Specifics : Path is fetched from DB and it is validated also.

29695 Likely 150 - bot-tester-1.0- .../TesterConfiguration.java 29
SNAPSHOT.jar

Specifics : It loads files from properties location and internal application files which is a trusted source.

SNAPSHOT.jar




SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar


SNAPSHOT.jar

SNAPSHOT.jar


SNAPSHOT.jar


41315 Likely 152 - bot-command- .../TTermDependencyResolver.java 17
terminalemulator-
3.2.0-SNAPSHOT.jar


41314 Likely 153 - bot-command- com/.../TTermJNIConstants.java 19
terminalemulator-
3.2.0-SNAPSHOT.jar


41311 Likely 153 - bot-command- com/.../TTermJNIConstants.java 19
terminalemulator-
3.2.0-SNAPSHOT.jar


36621 Neutral 155 - kernel-1.0.0- .../UpdatePackageJsonOfExistingPackag
SNAPSHOT.jar es.java 64

Specifics : The path is set via trusted admin during initial setup. This is a trusted path.

48323 Likely 159 - migration-1.0.0- .../VCSEnabledMigrationServiceImpl.java
SNAPSHOT.jar 125




29402 V.Likely 159 - migration-1.0.0- .../VCSEnabledMigrationServiceImpl.java
SNAPSHOT.jar 155

Specifics : File path is not coming through any external source. It fetches from DB.
Approve Mitigation (Automation Anywhere): Approved. Similar to Flaw ID - 29400. In

VCSEnabledMigrationServiceImpl.java at 158, “sourceFilePath” is being manipulated. It is coming as
method argument “migrateAllFileVersions”.
This method is being called from method “migrateTargetFile” on line 85. “sourceFilePath” is being
prepared on line 79 using “task.getRelativePath()”
This “task” is being prepared in RepositoryCompleteMigrationServiceImpl.java on line 111 using tenantId
& sourceId.
This “getFile” call is fetching data from database.
43340 Likely - 17 bot-trigger-file-folder- void !ctor(java.lang.ClassLoader,
1.1.0-SNAPSHOT.jar java.lang.String, java.lang.String) 72%

26395 Likely 162 - bot-command- com/.../com/jniwrapper/x.java 1
msexcel-4.0.0-
SNAPSHOT.jar

35062 Likely 166 - bot-command-sap- com/.../com/jniwrapper/y.java 1
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library (jniwrapper)

23408 Neutral 167 - boot-bot-insight- com/.../ZipUnpackagerImpl.java 85
1.0.0-SNAPSHOT-
all.jar

Specifics : The input is not controlled externally. It is set by a trusted admin.

23158 Neutral 167 - bot-insight-1.0.0- com/.../ZipUnpackagerImpl.java 98
SNAPSHOT.jar/boot-
bot-insight-1.0.0-


SNAPSHOT-all.jar

Specifics : The input is not controlled externally. It is set by a trusted admin.

Specifics : See above
Remaining Risk : See above
Verification : See above

46831 Neutral 167 - bot-insight-1.0.0- com/.../ZipUnpackagerImpl.java 269
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The input is not controlled externally. It is set by a trusted admin. (11.3.4, 11.3.4.2 - 25891)

45359 Neutral 167 - boot-bot-insight- com/.../ZipUnpackagerImpl.java 329
1.0.0-SNAPSHOT-
all.jar

Specifics : The path refers to package path which is set by trusted user.

Improper Restriction of XML External Entity Reference (CWE ID 611)(10 flaws)

47141 Neutral 8 - migration-1.0.0- com/.../model/AtmxBot.java 121
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): External entity resolution is disabled.

31186 Neutral 111 - bot-command-xml- com/.../node/NodeToXmlString.java 43
2.0.0-SNAPSHOT.jar

Specifics : The Node passed here comes from DomXmlOperations which has disabled the external entity
resolution.
Approve Mitigation (Automation Anywhere): Approved. As we have done the XXE validation at
'DomXmlOperation' , this issue also is mitigated.
47107 Neutral 143 - bot-command-soap- com/.../SoapMessageUtil.java 37
3.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): Solution suggested is already implemented.

Veracode tool is not able to identify for another method.

27270 Neutral - 8 bot-command-sap- void <clinit>(void) 41%
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This flaw does not refer to any internal source code.

43351 Neutral - 7 bot-trigger-file-folder- void <clinit>(void) 42%
1.1.0-SNAPSHOT.jar

43362 Neutral 163 - bot-migration- com/.../sdk/XmlTransformation.java 46
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

resolution.
Approve Mitigation (Automation Anywhere): Approved. As we have done the XXE validation at


'DomXmlOperation' , this issue also is mitigated.
50915 Neutral 163 - bot-migration- com/.../sdk/XmlTransformation.java 59
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

resolution

49184 Neutral 165 - common-db-1.0.0- com/.../util/XmlUtils.java 73
SNAPSHOT.jar/activ
emq-5.15.9.1-
SNAPSHOT.jar

Specifics : The XML is generated by code internally. There is no user provided xml has been used

43363 Neutral 164 - bot-migration- com/.../sdk/utils/XmlUtils.java 319
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

resolution
Verification : Verification : Code review

46757 Neutral 164 - bot-migration- com/.../sdk/utils/XmlUtils.java 640
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

resolution


Credentials Management(35 flaws)
Unprotected Storage of Credentials (CWE ID 256)(2 flaws)

49211 Neutral 19 - boot-1.0.0- .../ChangeLogProperties.java 167
SNAPSHOT.jar/kern
el-1.0.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The SQL credentials are stored encrypted.

49186 Neutral 52 - common-1.0.0- .../DefaultTenantInitializer.java 80
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): The path shows for the issue is not found in internal
code.
Approve Mitigation (Automation Anywhere): Aproved
Use of Hard-coded Password (CWE ID 259)(33 flaws)

10798 Likely 18 - certmgr-1.0.0- com/.../certmgr/CertManager.java 1
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): These fields are required to edit the keystore. The
default java password is 'changeit'. This is hardcoded here, but only for functional purposes. It is *not*
used for security purposes as PEM keys cannot be secured by this method.
This mitigation conforms to the risk tolerance guidelines (Veracode): Veracode has independently
reviewed the mitigation comments provided and has determined that the mitigation efforts reflected in the
mitigation comments are consistent with the Risk Tolerance Guidelines.
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): These fields are required to edit the keystore. This


is hardcoded here, but only for functional purposes. It is *not* used for security purposes as PEM keys
cannot be secured by this method.

Technique : M3 : Lock down your environment
Specifics : The installer saves the private TLS key on the file-system unencrypted in PEM format so that it
can be accessed by Traefik on startup. The java store with the aakeypass password contains the same
information. As the data has to be stored unencrypted to support startup, using a hardcoded password for
java has the equivalent level of protection. This code is not supposed to be protecting the key data
Remaining Risk : Little, assuming that the customer will lock down their environment and limit access to
only trusted admins in order to protect key material.
SNAPSHOT.jar

SNAPSHOT.jar


SNAPSHOT.jar


SNAPSHOT.jar




SNAPSHOT.jar
Potential False Positive (Automation Anywhere): These fields are required to edit the keystore. The
default java password is 'changeit'. This is hardcoded here, but only for functional purposes. It is *not*
used for security purposes as PEM keys cannot be secured by this method.

SNAPSHOT.jar


10436 Likely 32 - es-client-1.0.0- com/.../constants/Constants.java 1
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar
Potential False Positive (Automation Anywhere): False positive, this is not a hardcoded password
10141 Likely 33 - configuration-api- com/.../Constants.java 1
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False Positive - This field does not contain any
hardcoded passwords

Approve Mitigation (Automation Anywhere): Configuration module review
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False positive. This is not a password, it is the
name of a name/value pair (application constant, hence the name of the class).
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False Positive - The field

'KEY_PASSWORD_POLICY_REQUIRE_SPECIALS' does not contain any hardcoded passwords
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no hard coded password here.

1.0.0-SNAPSHOT.jar
hardcoded passwords
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no hard coded password at this source
location.

1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False positive, this file contains Constants for key-


value pairs. It does not contain any hard-coded passwords.
1.0.0-SNAPSHOT.jar
hardcoded passwords

1.0.0-SNAPSHOT.jar
1.0.0-SNAPSHOT.jar
hardcoded passwords
50586 Likely 36 - organizations-1.0.0- .../ControlRoomIntegrationServiceImpl.jav
SNAPSHOT.jar a1
Potential False Positive (Automation Anywhere): There is no hard-coded password in the mentioned
source code.

SNAPSHOT.jar a1
source code.

SNAPSHOT.jar a1
source code.


SNAPSHOT.jar a1
source code.

16860 Likely 62 - email-notification-api- .../EmailTemplateParamKeys.java 1
1.0.0-SNAPSHOT.jar
44914 Likely 97 - bot-migration- .../sdk/LegacyBotConstants.java 1
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This are not hard coded password. it is just variable
constant.

service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : It is only field name. It is not actual password.
Remaining Risk : none
Verification : Review by code

service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar
constant.

service-1.1.0-
SNAPSHOT.jar/aae-


bot-scanner-2.4.0-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This is not actual password. This is just variable
name

service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar
constant.

9466 Likely 154 - usermanagement- com/.../UMV1ResourcesUrls.java 1
1.0.0-SNAPSHOT.jar
hardcoded passwords
Approve Mitigation (Automation Anywhere): User management module review
1.0.0-SNAPSHOT.jar
hardcoded passwords
Approve Mitigation (Automation Anywhere): User management module review
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): There is no hard coded password in this routine.

10332 Likely 156 - usermanagement- .../UserAuditDetailsTransformer.java 1
1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False positive, this is a constant, it does not contain
sensitive data

Cryptographic Issues(10 flaws)
Insufficient Entropy (CWE ID 331)(1 flaw)

40853 Unlikely 64 - bot-insight-1.0.0- .../EsBotDataIndexManagerImpl.java 80
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): It is not used for security
Approve Mitigation (Automation Anywhere): Approved. This is only used for log purpose.
Use of Hard-coded Cryptographic Key (CWE ID 321)(6 flaws)

47138 Likely 43 - migration-1.0.0- com/.../encryption/CryptoAES.java 25
SNAPSHOT.jar

Specifics : This is used to get the legacy data only and not being used in system functionalities.

47140 Likely 43 - migration-1.0.0- com/.../encryption/CryptoAES.java 25
SNAPSHOT.jar


45177 Likely 42 - bot-migration- com/.../encryption/CryptoAES.java 29
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : The encryption key need to be saved on the local file system. The attacker needs to have


direct access to machine's file system.So risk is very less.

45178 Likely 42 - bot-migration- com/.../encryption/CryptoAES.java 30
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar


47142 Likely 45 - migration-1.0.0- com/.../encryption/CryptoDES.java 26
SNAPSHOT.jar

Specifics : This is used for legacy data only and not being used in any system functionalities.

45176 Likely 44 - bot-migration- com/.../encryption/CryptoDES.java 27
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Use of RSA Algorithm without OAEP (CWE ID 780)(1 flaw)


14713 Neutral 145 - migration-1.0.0- .../SourceDecryptionServiceImpl.java 89
SNAPSHOT.jar

Specifics : Implemented by design. Part of the migration tool from 10.x which doesn't use OAEP. Not
used in any 11.x operations.

Specifics : This cryptography is part of a migration feature for older versions. It is not used in the current
features.
* In 2018, statement was made that this functionality was in the code for migration purposes.
* RSA without OAEP weakens RSA.
* Does it still need to exist in the application?
* Defer to internal security to accept risk.
Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(2 flaws)

47139 Likely 45 - migration-1.0.0- com/.../encryption/CryptoDES.java 25
SNAPSHOT.jar


45184 Likely 44 - aae-bot-scanner-ui- com/.../encryption/CryptoDES.java 28
3.0.1-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar


Time and State(2 flaws)
Insecure Temporary File (CWE ID 377)(2 flaws)

27273 Neutral - 1 bot-command-sap- java.lang.String a() 52%
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This flaw does not refer to any internal source code.

43342 Neutral - 17 bot-trigger-file-folder- java.lang.String b(void) 54%
1.1.0-SNAPSHOT.jar
Cross-Site Scripting (XSS)(1 flaw)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID
80)(1 flaw)

46790 Likely 14 - botstore-1.0.0- .../BotStoreAdapterImpl.java 535
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): False positive.

CRLF Injection(33 flaws)
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

(CWE ID 113)(3 flaws)

45397 Neutral 124 - wlm-1.0.0- .../QueueExportServiceImpl.java 299
SNAPSHOT.jar

Specifics : The header values are fetched by system internal routines and it is a trusted source.

50569 Neutral 130 - serverrepository- .../RepositoryResourceV1.java 269
1.0.0-SNAPSHOT.jar

Specifics : The input is trusted and validated by a validation routine.

47151 Likely 160 - realtimeservice- .../WebSocketHeaderWriterFilter.java 45
1.0.0-SNAPSHOT.jar

Specifics : Specifics : Escape sequence is appplied and new line character is returned as string literal.
(20318 Sandbox:a2019)
Remaining Risk : Remaining Risk : None
Improper Output Neutralization for Logs (CWE ID 117)(30 flaws)

43352 Likely - 7 bot-trigger-file-folder- boolean a(java.lang.String) 92%


1.1.0-SNAPSHOT.jar

27245 Likely - 8 bot-command-sap- boolean b(java.lang.String) 92%
2.1.0-SNAPSHOT.jar
Approve Mitigation (Automation Anywhere): Approved. Referring External Library.

1.1.0-SNAPSHOT.jar

1.1.0-SNAPSHOT.jar

27269 Likely - 1 bot-command-sap- java.io.File a(java.net.URL,




2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar



2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar

45392 Likely - 22 bot-command- java.util.List a(jxdesktop.OS) 98%
recorder-2.0.6-
SNAPSHOT.jar

33560 Likely - 22 bot-command- java.util.List b(void) 19%
recorder-2.0.6-
SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to external library (Teamdev)
Approve Mitigation (Automation Anywhere): Issue identified in external library

recorder-2.0.6-
SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar



recorder-2.0.6-
SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar

33568 Likely - 20 bot-command- VideoCapture create(video.VideoFormat)
recorder-2.0.6- 65%
SNAPSHOT.jar




27267 Likely - 1 bot-command-sap- void b() 18%
2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar

43347 Likely - 17 bot-trigger-file-folder- void b(java.lang.String) 91%
1.1.0-SNAPSHOT.jar


27274 Likely - 1 bot-command-sap- void loadLibrary(java.lang.String) 91%
2.1.0-SNAPSHOT.jar
Encapsulation(8 flaws)
Deserialization of Untrusted Data (CWE ID 502)(8 flaws)

27253 Neutral - 12 bot-command-sap- boolean a(java.lang.String []) 76%
2.1.0-SNAPSHOT.jar

46575 Neutral 138 - scheduler-1.0.0- .../model/ScheduleAutomation.java 585
SNAPSHOT.jar

Specifics : Input is coming from database which is a trusted source. Also the input saved by the trusted
system users.
Reject Mitigation (Automation Anywhere): Developer identified that their analysis was not done
properly. So Rejecting temporarily.

Specifics : Input is coming from database which is a trusted source. Also the input saved by the trusted
system users.
Remaining Risk : little or none
Verification : code review

27264 Neutral - 10 bot-command-sap- void a(java.net.Socket) 60%
2.1.0-SNAPSHOT.jar


27263 Neutral - 10 bot-command-sap- void F() 74%
2.1.0-SNAPSHOT.jar

27251 Neutral - 15 bot-command-sap- void run() 16%
2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar

2.1.0-SNAPSHOT.jar
Insufficient Input Validation(9 flaws)
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') (CWE ID
90)(3 flaws)

47386 Neutral 2 - usermanagement- .../ActiveDirectoryServiceImpl.java 795
1.0.0-SNAPSHOT.jar

Specifics : Input parameters validated before query injection.(Refer AAE-42405 : 11.3.5.docsx)

47527 Neutral 2 - usermanagement- .../ActiveDirectoryServiceImpl.java 892


1.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): All input is constructed internally within the
application context and never exposed to any public APIs nor client applications, so there is no LDAP
injection flaw.

46603 Neutral 3 - usermanagement- com/.../impl/AdSecurityGroup.java 623
1.0.0-SNAPSHOT.jar

Specifics : Input parameters fetch from configurable properties on CR nodes and it will be changed by
trusted users only Refer AAE-42005 (11.3.4.2-46603.docx)
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID

470)(6 flaws)

40514 Likely 10 - bot-engine-1.0- com/.../BotClassLoader.java 91
SNAPSHOT.jar/bot-
classloader.jar

Specifics : Only specific classes which are white listed will be loaded.
Approve Mitigation (Automation Anywhere): Approved. Previously closed (Old Flaw ID: 29675, New
Flaw ID: 40514)
46366 Likely 58 - migration-1.0.0- .../DurableMessagePublisher.java 66
SNAPSHOT.jar/boot-
bot-insight-1.0.0-
SNAPSHOT-all.jar

Specifics : The class name used is white listed. It does not come from any user input.


43337 Likely - 18 bot-trigger-file-folder- FileWatcher create(java.io.File) 59%
1.1.0-SNAPSHOT.jar

recorder-2.0.6-
SNAPSHOT.jar

33571 Likely 115 - bot-command- com/.../teamdev/jxdesktop/OS.java 1
recorder-2.0.6-
SNAPSHOT.jar

27254 Likely - 12 bot-command-sap- void c(java.lang.String []) 39%
2.1.0-SNAPSHOT.jar
Code Injection(1 flaw)
XML Injection (aka Blind XPath Injection) (CWE ID 91)(1 flaw)

46472 Likely 164 - bot-migration- com/.../sdk/utils/XmlUtils.java 608
service-1.1.0-
SNAPSHOT.jar/aae-
bot-scanner-2.4.0-
SNAPSHOT.jar

Specifics : The Xpath is generated internally by the application and is not created from the outside

Low (5 flaws)
Exposure of Sensitive Information Through Sent Data (CWE ID 201)(3 flaws)

44719 Unlikely - 13 bot-command-email- java.io.InputStream a() 33%
2.0.0-SNAPSHOT.jar

33569 Unlikely - 25 bot-command- java.util.List a() 5%
recorder-2.0.6-
SNAPSHOT.jar

33570 Unlikely - 21 bot-command- java.util.List a() 7%
recorder-2.0.6-
SNAPSHOT.jar
Time and State(2 flaws)
J2EE Bad Practices: Use of System.exit() (CWE ID 382)(2 flaws)

30624 Unlikely - 14 bot-command-email- void c() 69%
2.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library

30626 Unlikely - 12 bot-command-email- void d(void) 91%
2.0.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library

Info (3 flaws)
Improper Resource Shutdown or Release (CWE ID 404)(3 flaws)

16901 Neutral 51 - installutils-1.0.0- .../common/DbConnectionHelper.java 28
SNAPSHOT.jar

Technique : M5 : Use industry-accepted security features instead of inventing your own
Specifics : The connection is created in try-with-resources and will always be closed.

43357 Neutral - 19 bot-trigger-file-folder- java.lang.String g(void) 14%
1.1.0-SNAPSHOT.jar

27272 Neutral - 13 bot-command-sap- java.util.List b() 9%
2.1.0-SNAPSHOT.jar
Potential False Positive (Automation Anywhere): This refers to an external library.

Appendix C: Referenced Source Files

Id Filename Path
1 AAFileDaoImplV2.java com/automationanywhere/serverrepository/core/dao/impl/
2 ActiveDirectoryServiceImpl.java com/automationanywhere/um/service/impl/
3 AdSecurityGroup.java com/automationanywhere/um/service/impl/
4 Analyze.java com/automationanywhere/botmigration/analysis/
5 ApacheDataUploader.java service/
6 ar.java com/jniwrapper/com/jniwrapper/
7 as.java com/jniwrapper/com/jniwrapper/
8 AtmxBot.java com/automationanywhere/migration/dependencyscanner/model/
9 BotAnalysis.java com/automationanywhere/botscanner/ui/
10 BotClassLoader.java com/automationanywhere/classloader/
11 BotInsightDashboardMigration com/automationanywhere/migration/botinsight/service/
Service.java
12 BotInsightUtils.java com/automationanywhere/botinsight/utils/
13 BotService.java com/automationanywhere/toolchain/
14 BotStoreAdapterImpl.java com/automationanywhere/botstore/service/impl/
15 BrowserWindow.java com/automationanywhere/botcommand/forms/fxml/
16 bu.java com/jniwrapper/com/jniwrapper/
17 bv.java com/jniwrapper/com/jniwrapper/
18 CertManager.java com/automationanywhere/certmgr/
19 ChangeLogProperties.java com/automationanywhere/db/cmdline/
20 CheckpointDataAccessServiceI com/automationanywhere/nodemanager/service/impl/
mpl.java
21 ChronicleQueueAsyncImpl.java com/automationanywhere/asynchronous/messaging/
22 CleanerImpl.java com/automationanywhere/botengine/service/impl/
23 Collector.java com/automationanywhere/log/services/
24 CollectorState.java com/automationanywhere/log/services/
25 CommandGenerator.java com/automationanywhere/recorder/controller/
26 CompositeFileDependency.jav com/automationanywhere/migration/dependencyscanner/model/dependency/
a
27 CompressedArchive.java com/automationanywhere/migration/dependencyscanner/helper/
28 Configuration.java com/automationanywhere/nodemanager/
29 Configuration.java com/automationanywhere/externalfunction/
30 Configuration.java com/automationanywhere/log/services/
31 ConsoleUtils.java com/automationanywhere/crutils/utils/
32 Constants.java com/automationanywhere/common/constants/
33 Constants.java com/automationanywhere/configuration/
34 ContextHelper.java com/automationanywhere/botengine/utils/
35 ControlRoomAdapter.java com/automationanywhere/token/bootstrap/
36 ControlRoomIntegrationService com/automationanywhere/organizations/service/impl/
Impl.java

Id Filename Path
37 CoreMigrationServiceImpl.java com/automationanywhere/migration/core/service/impl/
38 cQ.java com/jniwrapper/win32/jexcel/com/jniwrapper/win32/jexcel/
39 CRConfigurationServiceImpl.ja com/automationanywhere/settings/service/impl/
va
40 CredentialAttributeValueDaoIm com/automationanywhere/credentialvault/dao/impl/
pl.java
41 CredentialProviderDocumentIm com/automationanywhere/nodemanager/service/impl/
pl.java
42 CryptoAES.java com/automationanywhere/botmigration/sdk/encryption/
43 CryptoAES.java com/automationanywhere/migration/dependencyscanner/encryption/
44 CryptoDES.java com/automationanywhere/botmigration/sdk/encryption/
45 CryptoDES.java com/automationanywhere/migration/dependencyscanner/encryption/
46 CsvFileConnection.java com/automationanywhere/wlm/workorder/data/connection/impl/
47 CSVStore.java com/automationanywhere/botcommand/browser/findbrokelinks/store/
48 DatabaseConnectionService.ja com/automationanywhere/botcommand/database/executor/services/
va
49 DBConfigProperties.java com/automationanywhere/common/db/
50 DbConnectionHelper.java com/automationanywhere/crutils/db/
51 DbConnectionHelper.java com/automationanywhere/installutils/common/
52 DefaultTenantInitializer.java com/automationanywhere/common/security/context/
53 DependencyDaoImpl.java com/automationanywhere/serverrepository/core/dao/dependency/impl/
54 DependencyResolverImpl.java com/automationanywhere/terminalemulator/dependency/sdk/
55 DependencyUtil.java com/automationanywhere/migration/dependencyscanner/helper/
56 DeviceUpgradeHandler.java com/automationanywhere/nodemanager/service/impl/message/handlers/
57 dg.java com/jniwrapper/win32/com/jniwrapper/win32/
58 DurableMessagePublisher.java com/automationanywhere/durablemessaging/
59 DurableMessaging.java com/automationanywhere/durablemessaging/
60 e.java com/jniwrapper/win32/com/jniwrapper/win32/
61 eC.java com/jniwrapper/win32/jexcel/com/jniwrapper/win32/jexcel/
62 EmailTemplateParamKeys.java com/automationanywhere/email/constants/
63 Engine.java com/abbyy/FREngine/
64 EsBotDataIndexManagerImpl.j com/automationanywhere/botinsight/dao/impl/
ava
65 ESRestClient.java com/automationanywhere/es_client/
66 ev.java com/teamdev/jxcapture/com/teamdev/jxcapture/
67 ExternalConfig.java com/automationanywhere/ignite/
68 ExternalEnvironmentImpl.java com/automationanywhere/externalfunction/
69 FileAttributePathHelper.java com/automationanywhere/toolchain/runtime/attribute/
70 FileDependencyServiceImpl.jav com/automationanywhere/migration/serverrepository/legacy/service/impl/
a
71 FileReader.java com/automationanywhere/botcommand/csv/utils/
72 FileServiceImpl.java com/automationanywhere/compiler/service/impl/

Id Filename Path
73 FileServiceImpl.java com/automationanywhere/botcommand/sdk/file/
74 FileServiceV2Impl.java com/automationanywhere/serverrepository/core/service/impl/
75 FileUtils.java com/automationanywhere/common/util/
76 FileUtils.java com/automationanywhere/botmigration/sdk/utils/
77 FileUtils.java com/automationanywhere/commandsdk/command/helper/
78 GlobalCacheServiceImpl.java com/automationanywhere/nodemanager/service/impl/
79 HQLHelper.java com/automationanywhere/common/util/jpa/
80 HttpUtil.java com/automationanywhere/botcommand/wlm/util/
81 IfWebControlExists.java com/automationanywhere/botcommand/legacyautomation/conditions/
82 IfWebControlNotExists.java com/automationanywhere/botcommand/legacyautomation/conditions/
83 IgniteFactory.java com/automationanywhere/ignite/
84 IgniteUtil.java com/automationanywhere/ignite/
85 ImportLegacyDashboardServic com/automationanywhere/botinsight/service/impl/migrate/
eImpl.java
86 InputValidator.java com/automationanywhere/botmigration/service/
87 IQBotClientServiceImpl.java com/automationanywhere/botcommand/iqbot/client/impl/
88 IRExecutorImpl.java com/automationanywhere/botcommand/imagerecognition/irsdk/Impl/
89 JarResourceExtractor.java com/automationanywhere/botcommand/legacyautomation/apicommunicator/
90 JarUtil.java com/automationanywhere/botengine/utils/
91 JarUtils.java com/automationanywhere/common/util/
92 JTTerm.java com/turbosoft/tterm/
93 JwtValidationService.java com/automationanywhere/token/service/
94 KeyStoreImpl.java com/automationanywhere/core/security/impl/
95 KubernetesDiscoveryAgent.jav com/automationanywhere/durablemessaging/activemq/
a
96 LauncherConfiguration.java com/automationanywhere/botlauncher/
97 LegacyBotConstants.java com/automationanywhere/botmigration/sdk/
98 LibraryLoader.java com/automationanywhere/botcommand/file/folder/sdk/archive/zip/chilkat/
99 LookupXml.java com/automationanywhere/botmigration/sdk/
100 MailServiceImpl.java com/automationanywhere/email/service/impl/
101 Main.java com/automationanywhere/botscanner/ui/
102 ManageWebControl.java com/automationanywhere/botcommand/legacyautomation/commands/
103 ManualDependencyDaoImpl.ja com/automationanywhere/serverrepository/core/dao/dependency/impl/
va
104 MetaBot.java com/automationanywhere/migration/dependencyscanner/scanner/command/
105 MetaBotAnalyzer.java com/automationanywhere/botmigration/analysis/metabot/
106 MigrationEntityDaoImpl.java com/automationanywhere/migration/core/dao/impl/
107 MonitorUtils.java com/automationanywhere/monitor/utils/
108 MultiPartFileUploadServiceImpl com/automationanywhere/common/service/impl/
.java
109 NativeUtils.java com/automationanywhere/botcommand/ftp/utility/
110 NodeMessagingServiceImpl.jav com/automationanywhere/nodemanager/service/impl/

Id Filename Path
a
111 NodeToXmlString.java com/automationanywhere/botcommand/xml/api/node/
112 OABAdapter.java com/automationanywhere/recorder/adapter/service/oab/
113 OpenSpreadsheetValidator.jav com/automationanywhere/botcommand/excel/common/validator/
a
114 OperationsRoomCacheImpl.jav com/automationanywhere/operationsroom/cache/impl/
a
115 OS.java com/teamdev/jxdesktop/com/teamdev/jxdesktop/
116 PackageServiceImpl.java com/automationanywhere/packages/service/impl/
117 PackagingUtil.java com/automationanywhere/packaging/common/
118 PathUtils.java com/automationanywhere/compiler/helper/
119 PdfRowBuilder.java com/automationanywhere/botcommand/pdf/executor/extracttext/structured/
120 PermissionDaoImpl.java com/automationanywhere/auth/dao/impl/
121 PropertiesValue.java com/automationanywhere/botcommand/data/impl/
122 q.java com/jniwrapper/win32/com/jniwrapper/win32/
123 QueryTypeProvider.java com/automationanywhere/botcommand/database/executor/common/
124 QueueExportServiceImpl.java com/automationanywhere/wlm/service/impl/
125 RDPServiceImpl.java com/automationanywhere/deploy/service/impl/
126 RecordValue.java com/automationanywhere/botcommand/data/impl/
127 ReferenceDependenciesScann com/automationanywhere/migration/dependencyscanner/scanner/
er.java
128 RepoPath.java com/automationanywhere/common/repository/
129 RepositoryDeleteFolderAuditAd com/automationanywhere/serverrepository/audit/impl/
apterImpl.java
130 RepositoryResourceV1.java com/automationanywhere/serverrepository/resource/
131 RepositoryTenantMigration.jav com/automationanywhere/db/changesets/custom/repository/
a
132 ResourceReader.java com/automationanywhere/botcommand/terminalemulator/
133 ResourceUtil.java com/automationanywhere/toolchain/runtime/util/
134 ReverseProxyConfigurationSer com/automationanywhere/settings/service/impl/
viceImpl.java
135 RoleDaoImpl.java com/automationanywhere/auth/dao/impl/
136 RunTask.java com/automationanywhere/migration/dependencyscanner/scanner/command/
137 SAPConnection.java com/automationanywhere/botcommand/sapbapi/executor/
138 ScheduleAutomation.java com/automationanywhere/scheduler/model/
139 ScreenFileOperations.java com/automationanywhere/botcommand/sdk/screencapture/
140 ScriptUtil.java com/automationanywhere/compiler/helper/
141 SetupHelper.java com/automationanywhere/nodemanager/util/
142 SetupHelper.java com/automationanywhere/externalfunction/
143 SoapMessageUtil.java com/automationanywhere/botcommand/soap/parser/
144 SourceConfigurationIntegration com/automationanywhere/migration/serverrepository/integration/service/impl/
Impl.java
145 SourceDecryptionServiceImpl.j com/automationanywhere/migration/source/service/impl/

Id Filename Path
ava
146 SourceRoleServiceImpl.java com/automationanywhere/migration/source/service/impl/
147 SourceUserServiceImpl.java com/automationanywhere/migration/source/service/impl/
148 StandardInputOutputMessenge com/automationanywhere/synchronous/messenger/
r.java
149 TeeOutputStream.java org/eclipse/jgit/util/io/
150 TesterConfiguration.java com/automationanywhere/bot/tester/
151 TriggerUtil.java com/automationanywhere/triggerlistener/util/
152 TTermDependencyResolver.jav com/automationanywhere/terminalemulator/dependency/tTerm/
a
153 TTermJNIConstants.java com/automationanywhere/botcommand/terminalemulator/constants/
154 UMV1ResourcesUrls.java com/automationanywhere/um/constants/
155 UpdatePackageJsonOfExisting com/automationanywhere/db/changesets/custom/packages/
Packages.java
156 UserAuditDetailsTransformer.ja com/automationanywhere/um/audit/attributes/
va
157 UserDaoImpl.java com/automationanywhere/um/dao/impl/
158 UserDetailsDaoImpl.java com/automationanywhere/um/dao/impl/
159 VCSEnabledMigrationServiceI com/automationanywhere/migration/serverrepository/service/impl/
mpl.java
160 WebSocketHeaderWriterFilter.j com/automationanywhere/realtimeservice/filter/
ava
161 WindowsAutoLoginServiceImpl. com/automationanywhere/nodemanager/service/impl/
java
162 x.java com/jniwrapper/com/jniwrapper/
163 XmlTransformation.java com/automationanywhere/botmigration/sdk/
164 XmlUtils.java com/automationanywhere/botmigration/sdk/utils/
165 XmlUtils.java com/automationanywhere/core/security/util/
166 y.java com/jniwrapper/com/jniwrapper/
167 ZipUnpackagerImpl.java com/automationanywhere/packaging/service/impl/

Appendix D: Referenced Classpaths

Id Path
1 com.jniwrapper.DefaultLibraryLoader
2 com.jniwrapper.JNIWrapperInfo
3 com.jniwrapper.ae
4 com.jniwrapper.af
5 com.jniwrapper.b
6 com.jniwrapper.bl
7 com.jniwrapper.i
8 com.jniwrapper.l
9 com.jniwrapper.win32.ae
10 com.jniwrapper.win32.automation.OfficeContainer
11 com.jniwrapper.win32.cm
12 com.jniwrapper.win32.com.DispatchComServerFactory
13 com.jniwrapper.win32.dc
14 com.jniwrapper.win32.di
15 com.jniwrapper.win32.o
16 com.jniwrapper.win32.s
17 com.jniwrapper.x
18 com.teamdev.filewatch.FileWatcher
19 com.teamdev.filewatch.linux.j
20 com.teamdev.jxcapture.VideoCapture
21 com.teamdev.jxcapture.ar$b
22 com.teamdev.jxcapture.ba
23 com.teamdev.jxcapture.video.linux.a
24 com.teamdev.jxcapture.video.win.AVICapture
25 com.teamdev.jxdesktop.a$b

Appendix E: Dynamic Flaw Inventory

Rescan Status Number of Flaws
All 0
New 0
Open and Reopened 0
Cannot Reproduce 0
Fixed 0

DetailedReport Automation Anywhere Enterprise 2 Jul 2020 Veracode

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DetailedReport Automation Anywhere Enterprise 2 Jul 2020 Veracode

Uploaded by

Copyright:

Available Formats

Veracode Detailed Report

Application Security Report

Inside This Report

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Veracode Detailed Report Mitigated Veracode Level: VL5

Scans Included in Report

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 1 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Longer Timeframe (6 - 12 months)

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 2 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Application Trend Data

Scope of Static Scan

Engine Version: 20200520200321

The following modules were included in the application scan:

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 3 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 4 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 5 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 6 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 7 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 8 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 9 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 10 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 11 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 12 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

File Differences Between Scans

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 13 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 14 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 15 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 16 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

© 2020 Veracode, Inc. Automation Anywhere and Veracode Confidential

65 Network Drive, Burlington, MA 01803 17 Tel.+1.339.674.2500 Fax.+1.339.674.2502 URL:http://www.veracode.com

Module Name Compiler Operating Environment Engine

Mitigation Proposal Review