Conversation

iondrimba (Owner)

No description provided.

module.exports.roles = roles

const deluxeToken = (email: string) => {
const hmac = crypto.createHmac('sha256', privateKey)


Semgrep identified a blocking 🔴 issue in your code:
Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by hardcoded-hmac-key.

You can view more details about this finding in the Semgrep AppSec Platform.


const publicKey = fs.readFileSync('encryptionkeys/jwt.pub', 'utf8')
module.exports.publicKey = publicKey
const privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'


Semgrep identified a blocking 🔴 issue in your code:
A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by detected-private-key.

You can view more details about this finding in the Semgrep AppSec Platform.

return str
}

exports.isAuthorized = () => expressJwt({ secret: publicKey })


Semgrep identified a blocking 🔴 issue in your code:
No token revoking configured for express-jwt. A leaked token could still be used and unable to be revoked. Consider using function as the isRevoked option.

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-jwt-not-revoked.

You can view more details about this finding in the Semgrep AppSec Platform.

updateFrom: (req: Request, user: ResponseWithUser) => any
}

exports.hash = (data: string) => crypto.createHash('md5').update(data).digest('hex')


Semgrep identified a blocking 🔴 issue in your code:
The use of a weak cryptographic algorithm (e.g., SHA-1 or MD5) has been identified. These algorithms are considered insecure due to vulnerabilities that make them susceptible to collision attacks, allowing attackers to compromise data integrity or security. Replace SHA-1 or MD5 with secure hashing algorithms, such as: SHA-256 or higher (e.g., SHA-3).

Dataflow graph (src/app/semgrep.js at commit aa2bcea1435688b568091ce7e1bb45c2905fb470):
  Source [Line: 42] 'md5' → Sink [Line: 42] 'md5'

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by crypto-weak-algorithm.

You can view more details about this finding in the Semgrep AppSec Platform.


exports.isAuthorized = () => expressJwt({ secret: publicKey })
exports.denyAll = () => expressJwt({ secret: '' + Math.random() })
exports.authorize = (user = {}) => jwt.sign(user, privateKey, { expiresInMinutes: 60 * 5, algorithm: 'RS256' })


Semgrep identified a blocking 🔴 issue in your code:
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).

Dataflow graph (src/app/semgrep.js at commit aa2bcea1435688b568091ce7e1bb45c2905fb470):
  Source [Line: 22] privateKey = '-----BEGIN RSA PRIVATE KEY-----\r\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\r\n-----END RSA PRIVATE KEY-----'
  → Trace [Line: 22] privateKey
  → Sink [Line: 55] privateKey

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by hardcoded-jwt-secret.

You can view more details about this finding in the Semgrep AppSec Platform.


exports.isAuthorized = () => expressJwt({ secret: publicKey })
exports.denyAll = () => expressJwt({ secret: '' + Math.random() })
exports.authorize = (user = {}) => jwt.sign(user, privateKey, { expiresInMinutes: 60 * 5, algorithm: 'RS256' })


Semgrep identified a blocking 🔴 issue in your code:
The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by jwt-exposed-data.

You can view more details about this finding in the Semgrep AppSec Platform.

if (err === null) {
if (authenticatedUsers.get(token) === undefined) {
authenticatedUsers.put(token, decoded)
res.cookie('token', token)


Semgrep identified a blocking 🔴 issue in your code:
Detected req argument which enters res.cookie, this can lead to session fixation vulnerabilities if an attacker can control the cookie value. This vulnerability can lead to unauthorized access to accounts, and in some esoteric cases, Cross-Site-Scripting (XSS). Users should not be able to influence cookies directly, for session cookies, they should be generated securely using an approved session management library. If the cookie does need to be set by a user, consider using an allow-list based approach to restrict the cookies which can be set.

Dataflow graph (src/app/semgrep.js at commit aa2bcea1435688b568091ce7e1bb45c2905fb470):
  Source [Line: 205] req.cookies → Trace [Line: 205] token → Sink [Line: 211] token

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by session-fixation.

You can view more details about this finding in the Semgrep AppSec Platform.

}

exports.hash = (data: string) => crypto.createHash('md5').update(data).digest('hex')
exports.hmac = (data: string) => crypto.createHmac('sha256', 'pa4qacea4VK9t9nGv7yZtwmj').update(data).digest('hex')


Semgrep identified a blocking 🔴 issue in your code:
Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by hardcoded-hmac-key.

You can view more details about this finding in the Semgrep AppSec Platform.

if (err === null) {
if (authenticatedUsers.get(token) === undefined) {
authenticatedUsers.put(token, decoded)
res.cookie('token', token)


Semgrep identified a blocking 🔴 issue in your code:
Having default cookie settings is insecure because they often lack critical security attributes, leaving cookies vulnerable to various attacks like CSRF or XSS. Always configure cookies with security attributes: HttpOnly, Secure, SameSite.

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by cookies-default-express.

You can view more details about this finding in the Semgrep AppSec Platform.

}

exports.isAuthorized = () => expressJwt({ secret: publicKey })
exports.denyAll = () => expressJwt({ secret: '' + Math.random() })


Semgrep identified a blocking 🔴 issue in your code:
No token revoking configured for express-jwt. A leaked token could still be used and unable to be revoked. Consider using function as the isRevoked option.

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-jwt-not-revoked.

You can view more details about this finding in the Semgrep AppSec Platform.

}
challengeUtils.solveIf(challenges.timingAttackChallenge, () => { return count > 2 })
db.reviews.update(
{ _id: id },


Semgrep identified a blocking 🔴 issue in your code:
Detected a ../data/mongodb statement that comes from a req argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.

Dataflow graph (src/app/d1.js at commit 60ea13c79d9d59c3e53cb816831515d741d680bf):
  Source [Line: 16] req.body → Trace [Line: 16] id → Sink [Line: 42] { _id: id }

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli.

You can view more details about this finding in the Semgrep AppSec Platform.

const likedBy = review.likedBy
if (!likedBy.includes(user.data.email)) {
db.reviews.update(
{ _id: id },


Semgrep identified a blocking 🔴 issue in your code:
Detected a ../data/mongodb statement that comes from a req argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.

Dataflow graph (src/app/d1.js at commit 60ea13c79d9d59c3e53cb816831515d741d680bf):
  Source [Line: 16] req.body → Trace [Line: 16] id → Sink [Line: 25] { _id: id }

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli.

You can view more details about this finding in the Semgrep AppSec Platform.

return (req: Request, res: Response, next: NextFunction) => {
const id = req.body.id
const user = security.authenticatedUsers.from(req)
db.reviews.findOne({ _id: id }).then((review: Review) => {


Semgrep identified a blocking 🔴 issue in your code:
Detected a ../data/mongodb statement that comes from a req argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.

Dataflow graph (src/app/d1.js at commit 60ea13c79d9d59c3e53cb816831515d741d680bf):
  Source [Line: 16] req.body → Trace [Line: 16] id → Sink [Line: 18] { _id: id }

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli.

You can view more details about this finding in the Semgrep AppSec Platform.

() => {
// Artificial wait for timing attack challenge
setTimeout(function () {
db.reviews.findOne({ _id: id }).then((review: Review) => {


Semgrep identified a blocking 🔴 issue in your code:
Detected a ../data/mongodb statement that comes from a req argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.

Dataflow graph (src/app/d1.js at commit 60ea13c79d9d59c3e53cb816831515d741d680bf):
  Source [Line: 16] req.body → Trace [Line: 16] id → Sink [Line: 31] { _id: id }

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by express-mongo-nosqli.

You can view more details about this finding in the Semgrep AppSec Platform.
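Added example (not code from this pull request or the project): the four express-mongo-nosqli findings above all flow `req.body.id` into `{ _id: id }`. This block shows why that is a sink even though the query looks like a plain equality, and the input check that closes it. No MongoDB is needed: `matchesFilter` reproduces just enough of the query language (equality and `$ne`) to show the effect, and `reviews` is constructed sample data. The 24-hex ObjectId check and the 400 status are the assumed validation policy.

```javascript
// Added example, not project code. `reviews` is constructed sample data;
// matchesFilter is a toy subset of MongoDB matching (equality and $ne only).
const reviews = [
  { _id: '5f1b2c3d4e5f6a7b8c9d0e01', message: 'great', likedBy: [] },
  { _id: '5f1b2c3d4e5f6a7b8c9d0e02', message: 'meh', likedBy: ['a@example.com'] },
  { _id: '5f1b2c3d4e5f6a7b8c9d0e03', message: 'bad', likedBy: [] },
];

// A plain value means equality; an object carrying $ne means "not equal".
// This is the property the injection relies on: JSON bodies can carry objects,
// and the driver interprets them as operators, not as literal ids.
function matchesFilter(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) return doc[field] !== cond.$ne;
    return doc[field] === cond;
  });
}

// Vulnerable shape (what the flagged code does): whatever JSON the client sent
// becomes the query value. A body of {"id": {"$ne": null}} matches every row.
function findReviewsVulnerable(bodyId) {
  return reviews.filter((r) => matchesFilter(r, { _id: bodyId }));
}

// Hardened shape: the id must be a string in ObjectId form before it is used.
// Everything else (objects, arrays, numbers, null, odd strings) is rejected up
// front with a 400, so no operator can reach the query.
const OBJECT_ID = /^[0-9a-f]{24}$/i;
function assertObjectIdString(id) {
  if (typeof id !== 'string' || !OBJECT_ID.test(id)) {
    const err = new Error('invalid id');
    err.status = 400;
    throw err;
  }
  return id;
}

function findReviewsHardened(bodyId) {
  const id = assertObjectIdString(bodyId);
  return reviews.filter((r) => matchesFilter(r, { _id: id }));
}
```

The same check belongs in front of the `db.reviews.update({ _id: id }, ...)` calls, since an update whose filter matches every document rewrites every document.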

@iondrimba (Owner, Author)

Semgrep Security Report

Checks Summary

Total Checks: 8

  • ❌ ERROR: 1
  • ⚠️ WARNING: 7

Checks Detail

❌ Errors

dockerfile.security.missing-user.missing-user

  • File: Dockerfile (Line 15)
  • Severity: ❌ ERROR
  • Message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.
  • Suggested Fix:
    USER non-root
    CMD [ "npm", "start" ]
  • Category: security
  • Confidence: MEDIUM
  • Impact: MEDIUM
  • References: OWASP A04:2021 - Insecure Design
⚠️ Warnings

html.security.audit.missing-integrity.missing-integrity

  • File: public/index.html (Line 53)
  • Severity: ⚠️ WARNING
  • Message: This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation.
  • Category: security
  • Confidence: LOW
  • Impact: LOW
  • References: OWASP A08:2021 - Software and Data Integrity Failures

javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key


javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked

  • File: src/app/semgrep.js (Line 53)
  • Severity: ⚠️ WARNING
  • Message: No token revoking configured for express-jwt. A leaked token could still be used and unable to be revoked. Consider using function as the isRevoked option.
  • Category: security
  • Confidence: MEDIUM
  • Impact: MEDIUM
  • References: OWASP A04:2021 - Insecure Design

javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked

  • File: src/app/semgrep.js (Line 54)
  • Severity: ⚠️ WARNING
  • Message: No token revoking configured for express-jwt. A leaked token could still be used and unable to be revoked. Consider using function as the isRevoked option.
  • Category: security
  • Confidence: MEDIUM
  • Impact: MEDIUM
  • References: OWASP A04:2021 - Insecure Design

javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data

  • File: src/app/semgrep.js (Line 55)
  • Severity: ⚠️ WARNING
  • Message: The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
  • Category: security
  • Confidence: LOW
  • Impact: LOW
  • References: OWASP A04:2021 - Insecure Design

javascript.jsonwebtoken.security.jwt-hardcode.hardcoded-jwt-secret

  • File: src/app/semgrep.js (Line 55)
  • Severity: ⚠️ WARNING
  • Message: A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary.
  • Category: security
  • Confidence: HIGH
  • Impact: MEDIUM
  • References: OWASP A07:2021 - Identification and Authentication Failures

javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key


Scanned Paths

Scanned files
.codeclimate.yml
.dockerignore
.editorconfig
.env.example
.github/workflows/build.yml
.github/workflows/codeql-analysis.yml
.github/workflows/deploy.yml
.github/workflows/semgrep.yml
.gitignore
.nvmrc
.vscode/launch.json
Dockerfile
LICENSE
README.md
docker-compose.yml
package-lock.json
package.json
public/.htaccess
public/android-chrome-192x192.png
public/android-chrome-256x256.png
public/android-chrome-512x512.png
public/apple-touch-icon.png
public/browserconfig.xml
public/favicon-16x16.png
public/favicon-32x32.png
public/favicon-48x48.png
public/favicon.ico
public/icon-128x128.png
public/icon-144x144.png
public/icon-152x152.png
public/icon-192x192.png
public/icon-384x384.png
public/icon-512x512.png
public/icon-512x512.psd
public/icon-72x72.png
public/icon-96x96.png
public/index.html
public/manifest.json
public/mstile-150x150.png
public/robots.txt
public/safari-pinned-tab.svg
public/service-worker.js
public/service-worker.js.map
public/workbox-4c782fb9.js
public/workbox-4c782fb9.js.map
public/workbox-9cbc1cc6.js
public/workbox-9cbc1cc6.js.map
semgrep.json
src/app/d1.js
src/app/index.js
src/app/index.spec.js
src/app/semgrep.js
src/app/style.scss
src/app/styles/base.scss
src/app/styles/color.scss
src/app/styles/fonts.scss
src/components/AlbumCover/__snapshots__/index.spec.js.snap
src/components/AlbumCover/index.js
src/components/AlbumCover/index.spec.js
src/components/AlbumCover/style.scss
src/components/IconButton/__snapshots__/index.spec.js.snap
src/components/IconButton/index.js
src/components/IconButton/index.spec.js
src/components/IconButton/style.scss
src/components/ListItem/__snapshots__/index.spec.js.snap
src/components/ListItem/index.js
src/components/ListItem/index.spec.js
src/components/ListItem/style.scss
src/components/Loader/__snapshots__/index.spec.js.snap
src/components/Loader/index.js
src/components/Loader/index.spec.js
src/components/Loader/style.scss
src/components/MediaButton/__snapshots__/index.spec.js.snap
src/components/MediaButton/index.js
src/components/MediaButton/index.spec.js
src/components/MediaButton/style.scss
src/components/Menu/__snapshots__/index.spec.js.snap
src/components/Menu/index.js
src/components/Menu/index.spec.js
src/components/Menu/style.scss
src/components/Page/__snapshots__/index.spec.js.snap
src/components/Page/index.js
src/components/Page/index.spec.js
src/components/Page/style.scss
src/components/ProgressBar/__snapshots__/index.spec.js.snap
src/components/ProgressBar/index.js
src/components/ProgressBar/index.spec.js
src/components/ProgressBar/style.scss
src/data/album-thumbnail.png
src/data/index.js
src/data/mockPlaylistResponse.json
src/data/mockTracks.json
src/helpers/audio/index.js
src/helpers/audio/index.spec.js
src/helpers/audio/mock.js
src/helpers/classList/index.js
src/helpers/percent/index.js
src/helpers/percent/index.spec.js
src/helpers/sleep/index.js
src/helpers/timer/index.js
src/helpers/timer/index.spec.js
src/icons/audio-wave.svg
src/icons/cd.svg
src/icons/close.svg
src/icons/codepen.svg
src/icons/github.svg
src/icons/headphones.svg
src/icons/help-button.svg
src/icons/left-arrow.svg
src/icons/link.svg
src/icons/pause.svg
src/icons/picture.svg
src/icons/play-arrow.svg
src/icons/repeat-arrows.svg
src/icons/soundcloud.svg
src/index.js
src/pages/About/__snapshots__/index.spec.js.snap
src/pages/About/index.js
src/pages/About/index.spec.js
src/pages/About/style.scss
src/pages/Detail/__snapshots__/index.spec.js.snap
src/pages/Detail/index.js
src/pages/Detail/index.spec.js
src/pages/Detail/style.scss
src/pages/Home/index.js
src/pages/Home/style.scss
src/pages/List/__snapshots__/index.spec.js.snap
src/pages/List/index.js
src/pages/List/index.spec.js
src/pages/List/style.scss
src/serviceWorker.js
src/setupTests.js
workbox-config.js
