
Fortify on Demand

Security Review
Tenant: Bluepal Solutions
Application: Test Bluepal
Release: test
Latest Analysis: 2018/08/05 04:29:32 PM
Latest Assessment Type: Static Assessment
Executive Summary
Tenant: Bluepal Solutions
Application: Test Bluepal
Release: test
Issues: 42
Status: Failed
Business Criticality: Medium
SDLC Status: Development
Static Analysis Date: 2018/08/05
Dynamic Analysis Date: ---

Issue Status: New 42, Existing 0, Reopened 0

[Graphics not recovered: Fortify on Demand Security Rating; analysis-type indicators (Static, Dynamic, Monitoring, Network); charts for Risk Totals by Severity, Assignment Status, Most Prevalent Issues by Category, Developer Status, Auditor Status]
This report contains Micro Focus CONFIDENTIAL information, including but not limited to Micro Focus's analysis, techniques for analysis and
recommendations. This report may not be made public, used for competitive or consulting purposes or used outside of the recipient.
Issue Breakdown
Issues are divided based on their impact (potential damage) and likelihood (probability of identification
and exploit).
High impact / high likelihood issues represent the highest priority and present the greatest threat.
Low impact / low likelihood issues are the lowest priority and present the smallest threat.
See Appendix for more information.

Rating | Category | Test Type | Count
Critical | Dynamic Code Evaluation: Unsafe Deserialization | Static | 1
Critical | Key Management: Hardcoded Encryption Key | Static | 6
Critical | Spring Boot Misconfiguration: Actuator Endpoint Security Disa… | Static | 1
High | Null Dereference | Static | 5
High | Password Management: Empty Password | Static | 1
High | Password Management: Hardcoded Password | Static | 7
High | Password Management: Password in Configuration File | Static | 19
High | Portability Flaw: Locale Dependent Comparison | Static | 1
High | Spring Boot Misconfiguration: DevTools Enabled | Static | 1

Issue Breakdown by OWASP Top 10 2017
PCI Sections 6.3, 6.5 & 6.6
The OWASP Top Ten represents a broad consensus about what the most critical web application
security flaws are. Project members include a variety of security experts from around the world who
have shared their expertise to produce this list.
The PCI compliance standards, particularly sections 6.3, 6.5, and 6.6, reference the OWASP Top Ten
vulnerability categories as the core categories that must be tested for and remediated.

OWASP Category | Critical | High | Medium | Low
A1 - Injection | | | |
A2 - Broken Authentication | | | |
A3 - Sensitive Data Exposure | 6 | 27 | |
A4 - XML External Entities (XXE) | | | |
A5 - Broken Access Control | | | |
A6 - Security Misconfiguration | 1 | 1 | |
A7 - Cross-Site Scripting (XSS) | | | |
A8 - Insecure Deserialization | 1 | | |
A9 - Using Components with Known … | | | |
Total | 8 | 28 | |

Issue Breakdown by Analysis Type
Issues are divided based on their impact (potential damage) and likelihood (probability of identification
and exploit).
High impact / high likelihood issues represent the highest priority and present the greatest threat.
Low impact / low likelihood issues are the lowest priority and present the smallest threat.
See Appendix for more information.

Category | Static | Dynamic | Network | Monitor…
Dynamic Code Evaluation: Unsafe Deserialization | 1 | 0 | 0 | 0
Key Management: Hardcoded Encryption Key | 6 | 0 | 0 | 0
Null Dereference | 5 | 0 | 0 | 0
Password Management: Empty Password | 1 | 0 | 0 | 0
Password Management: Hardcoded Password | 7 | 0 | 0 | 0
Password Management: Password in Configuratio… | 19 | 0 | 0 | 0
Portability Flaw: Locale Dependent Comparison | 1 | 0 | 0 | 0
Spring Boot Misconfiguration: Actuator Endpoint … | 1 | 0 | 0 | 0
Spring Boot Misconfiguration: DevTools Enabled | 1 | 0 | 0 | 0
Total | 42 | 0 | 0 | 0

Issue Detail
Below is an enumeration of all issues found in the project. The issues are organized by priority and
category and then broken down by the package, namespace, or location in which they occur.
The priority of an issue can be Critical, High, Medium, or Low.
Issues from static analysis reported at the same line number with the same category originate from
different taint sources.

6.1.1 Dynamic Code Evaluation: Unsafe Deserialization Critical


CWE-502
OWASP Top 10: A8
PCI 3.2: 6.5.1 Injection Flaws
Summary
Deserializing user-controlled object streams at runtime can allow attackers to execute arbitrary code
on the server, abuse application logic, and/or lead to denial of service.
Explanation
Java serialization turns object graphs into byte streams containing the objects themselves and the
necessary metadata to reconstruct them from the byte stream. Developers can create custom code
to aid in the process of deserializing Java objects, where they may even replace the deserialized
objects with different objects, or proxies. The customized deserialization process takes place during
object reconstruction, before the objects are returned to the application and cast into expected
types. By the time developers try to enforce an expected type, code may have already been
executed.
Custom deserialization routines are defined in the serializable classes, which need to be present in the
runtime classpath and cannot be injected by the attacker, so the exploitability of these attacks
depends on the classes available in the application environment. Unfortunately, common third-party
classes or even JDK classes can be abused to exhaust JVM resources, deploy malicious files, or run
arbitrary code.

Certain Spring service exporters use Java serialization behind the scenes at the transport layer. RMI,
JMSInvoker and HTTPInvoker are examples of these services.

Example 1: RmiServiceExporter exposing TestService methods.

<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.remoting.rmi.RmiServiceExporter">
    <property name="serviceName" value="TestService"/>
    <property name="service" ref="testService"/>
    <property name="serviceInterface" value="example.TestService"/>
    <property name="registryPort" value="1199"/>
</bean>

Example 2: JmsInvokerServiceExporter exposing TestService methods.

<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.jms.remoting.JmsInvokerServiceExporter">
    <property name="serviceInterface" value="example.TestService"/>
    <property name="service" ref="testService"/>
</bean>

Example 3: HttpInvokerServiceExporter exposing TestService methods.

<bean id="testService" class="example.TestServiceImpl"/>
<bean class="org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter">
    <property name="serviceInterface" value="example.TestService"/>
    <property name="service" ref="testService"/>
</bean>

Recommendation
If possible, do not deserialize untrusted data without validating the contents of the object stream. In
order to validate classes being deserialized, the look-ahead deserialization pattern should be used.
The object stream will first contain the class description metadata and then the serialized bytes of
their member fields. The Java serialization process allows developers to read the class description and
decide whether to proceed with the deserialization of the object or abort it. In order to do so, it is
necessary to subclass java.io.ObjectInputStream and provide a custom implementation of the
resolveClass(ObjectStreamClass desc) method where class validation and verification should take
place.

While the ideal approach in this situation is to whitelist the expected classes, in some scenarios, this
approach may not be practical. A blacklist approach is better for complex object graph structures.
Keep in mind that although some classes to achieve code execution are publicly known, there may be
others that are unknown or undisclosed, so a whitelist approach will always be the preferred
approach. To avoid denial of service attacks, it is recommended that you override the
resolveObject(Object obj) method in order to count how many objects are being deserialized and
abort the deserialization when a threshold is surpassed.

When deserialization takes place in a library or framework (e.g. when using JMX, RMI, JMS, HTTP
Invokers), the above recommendation is not useful since it is beyond the developer's control. In those
cases, you may want to make sure that these protocols meet the following requirements:

- Not exposed publicly.
- Use authentication.
- Use integrity checks.
- Use encryption.

In addition, Fortify Runtime provides security controls to be enforced every time the application
performs a deserialization from an ObjectInputStream, protecting not only application code but also
library and framework code from this type of attack.
References

1. Fortify Application Defender, http://www8.hp.com/us/en/software-solutions/appdefender-application-self-protection/
2. Java Serialization, Oracle, https://docs.oracle.com/javase/tutorial/jndi/objects/serial.html
3. Look-ahead Java deserialization, IBM, http://www.ibm.com/developerworks/library/se-lookahead
4. Deserialization of untrusted data, OWASP,
https://www.owasp.org/index.php/Deserialization_of_untrusted_data
5. CWE ID 502, Standards Mapping - Common Weakness Enumeration
6. CCI-001764, CCI-001774, CCI-002754, Standards Mapping - DISA Control Correlation
Identifier Version 2
7. SI, Standards Mapping - FIPS200
8. Indirect Access to Sensitive Data, Standards Mapping - General Data Protection Regulation
9. SI-10 Information Input Validation (P1), Standards Mapping - NIST Special Publication 800-53
Revision 4
10. M7 Client Side Injection, Standards Mapping - OWASP Mobile Top 10 Risks 2014
11. A6 Injection Flaws, Standards Mapping - OWASP Top 10 2004
12. A2 Injection Flaws, Standards Mapping - OWASP Top 10 2007
13. A1 Injection, Standards Mapping - OWASP Top 10 2010
14. A1 Injection, Standards Mapping - OWASP Top 10 2013
15. A8 Insecure Deserialization, Standards Mapping - OWASP Top 10 2017
16. Requirement 6.5.6, Standards Mapping - Payment Card Industry Data Security Standard
Version 1.1
17. Requirement 6.3.1.1, Requirement 6.5.2, Standards Mapping - Payment Card Industry Data
Security Standard Version 1.2
18. Requirement 6.5.1, Standards Mapping - Payment Card Industry Data Security Standard
Version 2.0
19. Requirement 6.5.1, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.0
20. Requirement 6.5.1, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.1
21. Requirement 6.5.1, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.2
22. Insecure Interaction - CWE ID 116, Standards Mapping - SANS Top 25 2009
23. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.1
24. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.10
25. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.4
26. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.5
27. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.6
28. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.7
29. APP3510 CAT I, APP3570 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 3.9
30. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.1
31. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.2
32. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.3
33. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.4
34. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.5
35. APSC-DV-001480 CAT II, APSC-DV-001490 CAT II, APSC-DV-002560 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.6

36. Improper Input Handling (WASC-20), Standards Mapping - Web Application Security
Consortium Version 2.00

Instances
Dynamic Code Evaluation: Unsafe Deserialization Critical
Package: N/A

ID 68030549 - pom.xml:37
Sink: in pom.xml:37
EnclosingMethod:
Analyzer: configur…

6.1.2 Key Management: Hardcoded Encryption Key Critical
CWE-321
OWASP Top 10: A3
PCI 3.2: 6.3.1 Hardcoded Sensitive Information, 6.5.3 Insecure Cryptographic Storage, 8.2.1 Render
authentication credentials unreadable
Summary
Hardcoded encryption keys may compromise system security in a way that cannot be easily remedied.
Explanation
It is never a good idea to hardcode an encryption key because it allows all of the project's developers
to view the encryption key, and makes fixing the problem extremely difficult. Once the code is in
production, the encryption key cannot be changed without patching the software. If the account that
is protected by the encryption key is compromised, the owners of the system will be forced to choose
between security and availability.
In this case the encryption key is located in AutoSaveRepositoryTest.java at line 39.

Example 1: The following code uses a hardcoded encryption key:

...
private static final String encryptionKey = "lakdsljkalkjlksdfkl";
byte[] keyBytes = encryptionKey.getBytes();
SecretKeySpec key = new SecretKeySpec(keyBytes, "AES");
Cipher encryptCipher = Cipher.getInstance("AES");
encryptCipher.init(Cipher.ENCRYPT_MODE, key);
...

Anyone who has access to the code will have access to the encryption key. Once the application has
shipped, there is no way to change the encryption key unless the program is patched. An employee
with access to this information could use it to break into the system. Even worse, if attackers had
access to the executable for the application, they could extract the encryption key value.
Recommendation
Encryption keys should never be hardcoded and should be obfuscated and managed in an external
source. Storing encryption keys in plaintext anywhere on the system allows anyone with sufficient
permissions to read and potentially misuse the encryption key.
References

1. MSC03-J. Never hard code sensitive information,
https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information
2. CWE ID 321, Standards Mapping - Common Weakness Enumeration
3. CCI-002450, Standards Mapping - DISA Control Correlation Identifier Version 2
4. IA, Standards Mapping - FIPS200
5. Insufficient Data Protection, Standards Mapping - General Data Protection Regulation
6. SC-12 Cryptographic Key Establishment and Management (P1), Standards Mapping - NIST
Special Publication 800-53 Revision 4
7. M6 Broken Cryptography, Standards Mapping - OWASP Mobile Top 10 Risks 2014
8. A8 Insecure Storage, Standards Mapping - OWASP Top 10 2004
9. A8 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2007
10. A7 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2010
11. A6 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2013
12. A3 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2017
13. Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card Industry Data
Security Standard Version 1.1
14. Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 1.2
15. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 2.0
16. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.0
17. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.1
18. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.2
19. Porous Defenses - CWE ID 259, Standards Mapping - SANS Top 25 2009
20. Porous Defenses - CWE ID 798, Standards Mapping - SANS Top 25 2010
21. Porous Defenses - CWE ID 798, Standards Mapping - SANS Top 25 2011
22. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.1
23. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.10
24. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.4
25. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.5
26. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.6
27. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.7
28. APP3210.1 CAT II, APP3350 CAT I, Standards Mapping - Security Technical Implementation
Guide Version 3.9
29. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.1
30. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.2
31. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.3
32. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.4
33. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.5
34. APSC-DV-002010 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.6
35. Information Leakage (WASC-13), Standards Mapping - Web Application Security Consortium
Version 2.00

Instances
Key Management: Hardcoded Encryption Key Critical
Package: com.het.autosave.repository

ID 68030513 - autosave/src/test/java/com/het/autosave/repository/AutoSaveRepositoryTest.java:39
Sink: VariableAccess: key in AutoSaveRepositoryTest.java:39
EnclosingMethod: find
Analyzer: structural

ID 68030521 - autosave/src/test/java/com/het/autosave/repository/AutoSaveRepositoryTest.java:26
Sink: VariableAccess: key in AutoSaveRepositoryTest.java:26
EnclosingMethod: create
Analyzer: structural

Package: N/A

ID 68030536 - ui/dependencies/mdbreact/dist/mdbreact.js:17199
Sink: Operation in mdbreact.js:17199
EnclosingMethod: baseKeys
Analyzer: structural

ID 68030539 - ui/dependencies/mdbreact/dist/mdbreact.js:17205
Sink: Operation in mdbreact.js:17205
EnclosingMethod: baseKeysIn
Analyzer: structural

ID 68030538 - ui/dependencies/staticmdbreact/mdbreact.js:17147
Sink: Operation in mdbreact.js:17147
EnclosingMethod: baseKeysIn
Analyzer: structural

ID 68030540 - ui/dependencies/staticmdbreact/mdbreact.js:17141
Sink: Operation in mdbreact.js:17141
EnclosingMethod: baseKeys
Analyzer: structural

6.1.3 Spring Boot Misconfiguration: Actuator Endpoint Security Disabled Critical
OWASP Top 10: A6
PCI 3.2:
Summary
The Spring Boot application uses Actuator endpoints requiring no authentication.
Explanation
Spring Boot applications can be configured to deploy Actuators, which are REST endpoints that allow
users to monitor different aspects of the application. There are different built-in Actuators which may
expose sensitive data and are labeled as "sensitive". By default all sensitive HTTP endpoints are
secured such that only users that have an ACTUATOR role may access them.

This application is either disabling the authentication requirement for sensitive endpoints:

Example 1:

management.security.enabled=false

Or marking sensitive endpoints as non-sensitive:

Example 2:

endpoints.health.sensitive=false

Or a custom Actuator is set as non-sensitive:

@Component
public class CustomEndpoint implements Endpoint<List<String>> {

    public String getId() {
        return "customEndpoint";
    }

    public boolean isEnabled() {
        return true;
    }

    // Marks the endpoint as non-sensitive, so no authentication is required
    public boolean isSensitive() {
        return false;
    }

    public List<String> invoke() {
        // Custom logic to build the output
        ...
    }
}

Recommendation
All endpoints exposing sensitive information or operations should be protected with the correct levels
of authentication and authorization. It is always a good practice to require authentication even for
internal servers as a defense-in-depth mechanism. Take into account that even when the
application is deployed internally, behind a firewall, an attacker may still be able to reach it using a
Server-Side Request Forgery vulnerability in a separate application.
References

1. Spring Boot Reference Guide, https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/
2. Indirect Access to Sensitive Data, Standards Mapping - General Data Protection Regulation
3. M1 Weak Server Side Controls, Standards Mapping - OWASP Mobile Top 10 Risks 2014
4. A6 Security Misconfiguration, Standards Mapping - OWASP Top 10 2010
5. A5 Security Misconfiguration, Standards Mapping - OWASP Top 10 2013
6. A6 Security Misconfiguration, Standards Mapping - OWASP Top 10 2017
7. Application Misconfiguration (WASC-15), Standards Mapping - Web Application Security
Consortium Version 2.00

Instances
Spring Boot Misconfiguration: Actuator Endpoint Security Disabled Critical
Package: N/A

ID 68030541 - school-management/src/main/resources/application-stage.properties:9
Sink: management.security.enabled in application-stage.properties:9
EnclosingMethod:
Analyzer: configur…

6.2.1 Null Dereference High
CWE-476
OWASP Top 10:
PCI 3.2: 6.5.5 Improper Error Handling
Summary
The method loadPropertiesTest2() in TestConfiguartions.java can crash the program by
dereferencing a null pointer on line 56. The program can potentially dereference a null pointer, thereby
causing a null pointer exception.
Explanation
Null pointer exceptions usually occur when one or more of the programmer's assumptions is violated.
A dereference-after-store error occurs when a program explicitly sets an object to null and
dereferences it later. This error is often the result of a programmer initializing a variable to null
when it is declared.

In this case, the variable can be null when it is dereferenced at line 56, thereby causing a null
pointer exception.

Most null pointer issues result in general software reliability problems, but if attackers can
intentionally trigger a null pointer dereference, they can use the resulting exception to bypass
security logic or to cause the application to reveal debugging information that will be valuable in
planning subsequent attacks.

Example: In the following code, the programmer explicitly sets the variable foo to null. Later, the
programmer dereferences foo before checking the object for a null value.

Foo foo = null;
...
foo.setBar(val);
...
}

Recommendation
Implement careful checks before dereferencing objects that might be null. When possible, abstract
null checks into wrappers around code that manipulates resources to ensure that they are applied in
all cases and to minimize the places where mistakes can occur.
References

1. CWE ID 476, Standards Mapping - Common Weakness Enumeration
2. CCI-001094, Standards Mapping - DISA Control Correlation Identifier Version 2
3. Indirect Access to Sensitive Data, Standards Mapping - General Data Protection Regulation
4. Rule 1.3, Standards Mapping - MISRA C 2012
5. SC-5 Denial of Service Protection (P1), Standards Mapping - NIST Special Publication 800-53
Revision 4
6. A9 Application Denial of Service, Standards Mapping - OWASP Top 10 2004
7. Requirement 6.5.9, Standards Mapping - Payment Card Industry Data Security Standard
Version 1.1
8. Requirement 6.5.5, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.0

9. Requirement 6.5.5, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.1
10. Requirement 6.5.5, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.2
11. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.1
12. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.10
13. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.4
14. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.5
15. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.6
16. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.7
17. APP6080 CAT II, Standards Mapping - Security Technical Implementation Guide Version 3.9
18. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.1
19. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.2
20. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.3
21. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.4
22. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.5
23. APSC-DV-002400 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.6
24. Denial of Service, Standards Mapping - Web Application Security Consortium 24 + 2
25. Denial of Service (WASC-10), Standards Mapping - Web Application Security Consortium
Version 2.00

Instances
Null Dereference High
Package: com.het

ID 68030516 - rules/src/test/java/com/het/TestConfiguartions.java:56
Sink: com.het.TestConfiguartions.loadPropertiesTest2
EnclosingMethod: loadPropertiesTest2
Analyzer: controlfl…

ID 68030522 - rules/src/test/java/com/het/TestConfiguartions.java:36
Sink: com.het.TestConfiguartions.loadPropertiesTest1
EnclosingMethod: loadPropertiesTest1
Analyzer: controlfl…

ID 68030534 - rules/src/test/java/com/het/TestFromExcel.java:153
Sink: com.het.TestFromExcel.testDataFromExcelForAllExceptDTAPandMCV4
EnclosingMethod: testDataFromExcelForAllExceptDTAPandMCV4
Analyzer: controlfl…

ID 68030553 - rules/src/test/java/com/het/TestFromExcel.java:147
Sink: com.het.TestFromExcel.testDataFromExcelForAllExceptDTAPandMCV4
EnclosingMethod: testDataFromExcelForAllExceptDTAPandMCV4
Analyzer: controlfl…

ID 68030514 - rules/src/test/java/com/het/TestHelper.java:169
Sink: com.het.TestHelper.getRulesForScenario
EnclosingMethod: getRulesForScenario
Analyzer: controlfl…

6.2.2 Password Management: Empty Password High
CWE-259
OWASP Top 10: A3
PCI 3.2: 6.3.1 Hardcoded Sensitive Information, 6.5.3 Insecure Cryptographic Storage, 8.2.1 Render
authentication credentials unreadable
Summary
Empty passwords may compromise system security in a way that cannot be easily remedied.
Explanation
It is never a good idea to have an empty password. It also makes fixing the problem extremely
difficult once the code is in production. The password cannot be changed without patching the
software. If the account protected by the empty password is compromised, the owners of the
system will be forced to choose between security and availability. In this case the password was used
to access a resource in reducer.js at line 32.

Example: The following code has an empty password to connect to an application and retrieve
address book entries:

...
obj = new XMLHttpRequest();
obj.open('GET','/fetchusers.jsp?id='+form.id.value,'true','scott','');
...

This code will run successfully, but anyone who knows the username can gain access.
Execution

1. Avoid empty passwords in source code and avoid using default passwords. If an empty
password is the default, require that it be changed and remove it from the source code.
2. When identifying null, empty, or hardcoded passwords, default rules only consider fields and
variables that contain the word password. However, the Fortify Custom Rules Editor provides
the Password Management wizard that makes it easy to create rules for detecting password
management issues on custom-named fields and variables.

Recommendation
Passwords should never be empty and should generally be obfuscated and managed in an external
source. Storing passwords in plaintext anywhere on the web site allows anyone with sufficient
permissions to read and potentially misuse the password. For JavaScript calls that require passwords,
it is better to prompt the user for the password at connection time.
References

1. CWE ID 259, Standards Mapping - Common Weakness Enumeration
2. CCI-000196, CCI-001199, CCI-003109, Standards Mapping - DISA Control Correlation
Identifier Version 2
3. IA, Standards Mapping - FIPS200
4. Insufficient Data Protection, Standards Mapping - General Data Protection Regulation
5. SC-28 Protection of Information at Rest (P1), Standards Mapping - NIST Special Publication
800-53 Revision 4
6. M2 Insecure Data Storage, Standards Mapping - OWASP Mobile Top 10 Risks 2014
7. A8 Insecure Storage, Standards Mapping - OWASP Top 10 2004
8. A8 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2007
9. A7 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2010
10. A6 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2013
11. A3 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2017
12. Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card Industry Data
Security Standard Version 1.1
13. Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 1.2
14. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 2.0
15. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.0
16. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.1
17. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.2
18. Porous Defenses - CWE ID 259, Standards Mapping - SANS Top 25 2009
19. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.1
20. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.10
21. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.4
22. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.5
23. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.6
24. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.7
25. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.9
26. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.1
27. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.2
28. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.3
29. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.4
30. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.5
31. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003270 CAT II, APSC-DV-003280
CAT I, Standards Mapping - Security Technical Implementation Guide Version 4.6
32. Insufficient Authentication, Standards Mapping - Web Application Security Consortium 24 + 2
33. Insufficient Authentication (WASC-01), Standards Mapping - Web Application Security
Consortium Version 2.00

Instances
Password Management: Empty Password High
Package: N/A
Instance Analysis Info Analyzer
ID 68030520 - ui/app/containers/Auth/reducer.js:32
  Sink: FieldAccess: password in reducer.js:32
  EnclosingMethod: ~file_function
  Analyzer: structural

6.2.3 Password Management: Hardcoded Password High
CWE-798, CWE-259
OWASP Top 10: A3
PCI 3.2: 6.3.1 Hardcoded Sensitive Information, 6.5.3 Insecure Cryptographic Storage, 8.2.1 Render
authentication credentials unreadable
Summary
Hardcoded passwords may compromise system security in a way that cannot be easily remedied.
Explanation
It is never a good idea to hardcode a password. Not only does hardcoding a password allow all of the
project's developers to view the password, it also makes fixing the problem extremely difficult. Once
the code is in production, the password cannot be changed without patching the software. If the
account protected by the password is compromised, the owners of the system will be forced to
choose between security and availability. In this case a hardcoded password was found in
Constants.java at line 15.

Example 1: The following code uses a hardcoded password to connect to a database:

...
DriverManager.getConnection(url, "scott", "tiger");
...

This code will run successfully, but anyone who has access to it will have access to the password.
Once the program has shipped, there is likely no way to change the database user "scott" with a
password of "tiger" unless the program is patched. An employee with access to this information could
use it to break into the system. Even worse, if attackers have access to the bytecode for the
application they can use the javap -c command to access the disassembled code, which will contain
the values of the passwords used. The result of this operation might look something like the
following for the example above:

javap -c ConnMngr.class

22: ldc #36; //String jdbc:mysql://ixne.com/rxsql
24: ldc #38; //String scott
26: ldc #17; //String tiger

In the mobile world, password management is even trickier, considering a much higher chance of
device loss.
Example 2: The code below uses a hardcoded username and password to set up authentication for
viewing protected pages with Android's WebView.

...
webview.setWebViewClient(new WebViewClient() {
    public void onReceivedHttpAuthRequest(WebView view,
            HttpAuthHandler handler, String host, String realm) {
        handler.proceed("guest", "allow");
    }
});
...

Similar to Example 1, this code will run successfully, but anyone who has access to it will have access
to the password.
Execution

1. The Fortify Java Annotations FortifyPassword and FortifyNotPassword can be used to indicate
which fields and variables represent passwords.
2. When identifying null, empty, or hardcoded passwords, default rules only consider fields and
variables that contain the word password. However, the Fortify Custom Rules Editor provides
the Password Management wizard that makes it easy to create rules for detecting password
management issues on custom-named fields and variables.

Recommendation
Passwords should never be hardcoded and should generally be obfuscated and managed in an
external source. Storing passwords in plaintext anywhere on the system allows anyone with sufficient
permissions to read and potentially misuse the password. At the very least, passwords should be
hashed before being stored.
Some third-party products claim the ability to manage passwords in a more secure way. For example,
WebSphere Application Server 4.x uses a simple XOR encryption algorithm for obfuscating values,
but be skeptical about such facilities. WebSphere and other application servers offer outdated and
relatively weak encryption mechanisms that are insufficient for security-sensitive environments. For a
secure generic solution, the best option today appears to be a proprietary mechanism that you
create.

For Android, as well as any other platform that uses SQLite database, a good option is SQLCipher --
an extension to SQLite database that provides transparent 256-bit AES encryption of database files.
Thus, credentials can be stored in an encrypted database.

Example 3: The code below demonstrates how to integrate SQLCipher into an Android application
after downloading the necessary binaries, and store credentials into the database file.

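import net.sqlcipher.database.SQLiteDatabase;
...
// Load the SQLCipher native libraries before any database call
SQLiteDatabase.loadLibs(this);
File dbFile = getDatabasePath("credentials.db");
// Create the parent directories, then remove the placeholder left at the file path
dbFile.mkdirs();
dbFile.delete();
// The second argument is the database passphrase
SQLiteDatabase db = SQLiteDatabase.openOrCreateDatabase(dbFile, "credentials", null);
db.execSQL("create table credentials(u, p)");
// Bind the values as parameters instead of concatenating them into the statement
db.execSQL("insert into credentials(u, p) values(?, ?)", new Object[]{username, password});
...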

Note that references to android.database.sqlite.SQLiteDatabase are substituted with those of
net.sqlcipher.database.SQLiteDatabase.

To enable encryption on the WebView store, WebKit has to be re-compiled with the sqlcipher.so
library.
References

1. SQLCipher., http://sqlcipher.net/
2. MSC03-J. Never hard code sensitive information,
https://www.securecoding.cert.org/confluence/display/java/MSC03-J.+Never+hard+code+sensitive+information
3. CWE ID 259, CWE ID 798, Standards Mapping - Common Weakness Enumeration
4. CCI-000196, CCI-001199, CCI-002367, CCI-003109, Standards Mapping - DISA Control
Correlation Identifier Version 2
5. IA, Standards Mapping - FIPS200
6. Insufficient Data Protection, Standards Mapping - General Data Protection Regulation
7. SC-28 Protection of Information at Rest (P1), Standards Mapping - NIST Special Publication
800-53 Revision 4
8. M2 Insecure Data Storage, Standards Mapping - OWASP Mobile Top 10 Risks 2014
9. A8 Insecure Storage, Standards Mapping - OWASP Top 10 2004
10. A8 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2007
11. A7 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2010
12. A6 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2013
13. A3 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2017
14. Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card Industry Data
Security Standard Version 1.1
15. Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 1.2
16. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 2.0
17. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.0
18. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.1
19. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.2
20. Porous Defenses - CWE ID 259, Standards Mapping - SANS Top 25 2009
21. Porous Defenses - CWE ID 798, Standards Mapping - SANS Top 25 2010
22. Porous Defenses - CWE ID 798, Standards Mapping - SANS Top 25 2011
23. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.1
24. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.10
25. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.4
26. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.5
27. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.6
28. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.7
29. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.9
30. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.1
31. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.2
32. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.3
33. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.4
34. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.5
35. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, APSC-DV-003270
CAT II, APSC-DV-003280 CAT I, Standards Mapping - Security Technical Implementation Guide
Version 4.6
36. Insufficient Authentication, Standards Mapping - Web Application Security Consortium 24 + 2
37. Insufficient Authentication (WASC-01), Standards Mapping - Web Application Security
Consortium Version 2.00

Instances
Password Management: Hardcoded Password High
Package: com.het.security.utils
Instance Analysis Info Analyzer
ID 68030518 - security/src/main/java/com/het/security/utils/Constants.java:15
  Sink: FieldAccess: HEADER_PASSWORD in Constants.java:15
  EnclosingMethod: <static>
  Analyzer: structural

ID 68030537 - security/src/main/java/com/het/security/utils/Constants.java:7
  Sink: FieldAccess: CREDENTIALS_INCORRECT_PASSWORD in Constants.java:7
  EnclosingMethod: <static>
  Analyzer: structural

ID 68030552 - security/src/main/java/com/het/security/utils/RestMappingConstants.java:8
  Sink: FieldAccess: ACCOUNT_CHANGE_PASSWORD in RestMappingConstants.java:8
  EnclosingMethod: <static>
  Analyzer: structural

Package: N/A
Instance Analysis Info Analyzer
ID 68030515 - ui/app/containers/Auth/constants.js:13
  Sink: FieldAccess: CHANGE_PASSWORD in constants.js:13
  EnclosingMethod: ~file_function
  Analyzer: structural

ID 68030517 - ui/app/containers/Auth/constants.js:13
  Sink: VariableAccess: CHANGE_PASSWORD in constants.js:13
  EnclosingMethod: ~file_function
  Analyzer: structural

ID 68030535 - ui/app/containers/Auth/constants.js:14
  Sink: VariableAccess: LOAD_PASSWORD_SUCCESS in constants.js:14
  EnclosingMethod: ~file_function
  Analyzer: structural

ID 68030551 - ui/app/containers/Auth/constants.js:14
  Sink: FieldAccess: LOAD_PASSWORD_SUCCESS in constants.js:14
  EnclosingMethod: ~file_function
  Analyzer: structural

6.2.4 Password Management: Password in Configuration File High
CWE-13, CWE-260, CWE-555
OWASP Top 10: A3
PCI 3.2: 6.3.1 Hardcoded Sensitive Information, 6.5.3 Insecure Cryptographic Storage, 8.2.1 Render
authentication credentials unreadable
Summary
Storing a plaintext password in a configuration file may result in a system compromise.
Explanation
Storing a plaintext password in a configuration file allows anyone who can read the file access to the
password-protected resource. Developers sometimes believe that they cannot defend the application
from someone who has access to the configuration, but this attitude makes an attacker's job easier.
Good password management guidelines require that a password never be stored in plaintext.
In this case, a hardcoded password exists in application-dev.properties at line 5.
Execution

1. Fortify Static Code Analyzer searches configuration files for common names used for password
properties. Audit these issues by verifying that the flagged entry is used as a password and
that the password entry contains plaintext.
2. If the entry in the configuration file is a default password, require that it be changed in addition
to requiring that it be obfuscated in the configuration file.

Recommendation
A password should never be stored in plaintext. Instead, the password should be entered by an
administrator when the system starts. If that approach is impractical, a less secure but often
adequate solution is to obfuscate the password and scatter the de-obfuscation material around the
system so that an attacker has to obtain and correctly combine multiple system resources to
decipher the password.
Some third-party products claim the ability to manage passwords in a more secure way. For example,
WebSphere Application Server 4.x uses a simple XOR encryption algorithm for obfuscating values,
but be skeptical about such facilities. WebSphere and other application servers offer outdated and
relatively weak encryption mechanisms that are insufficient for security-sensitive environments. For a
secure solution the only viable option is a proprietary one.
References

1. CWE ID 13, CWE ID 260, CWE ID 555, Standards Mapping - Common Weakness Enumeration
2. CCI-000196, CCI-001199, CCI-002367, Standards Mapping - DISA Control Correlation
Identifier Version 2
3. IA, Standards Mapping - FIPS200
4. Insufficient Data Protection, Standards Mapping - General Data Protection Regulation
5. SC-28 Protection of Information at Rest (P1), Standards Mapping - NIST Special Publication
800-53 Revision 4
6. M2 Insecure Data Storage, Standards Mapping - OWASP Mobile Top 10 Risks 2014
7. A8 Insecure Storage, Standards Mapping - OWASP Top 10 2004
8. A8 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2007
9. A7 Insecure Cryptographic Storage, Standards Mapping - OWASP Top 10 2010
10. A6 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2013
11. A3 Sensitive Data Exposure, Standards Mapping - OWASP Top 10 2017
12. Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card Industry Data
Security Standard Version 1.1
13. Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 1.2
14. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.4, Standards Mapping - Payment Card
Industry Data Security Standard Version 2.0
15. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.0
16. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.1
17. Requirement 6.3.1, Requirement 6.5.3, Requirement 8.2.1, Standards Mapping - Payment Card
Industry Data Security Standard Version 3.2
18. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.1
19. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.10
20. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.4
21. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.5
22. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.6
23. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.7
24. APP3210.1 CAT II, APP3340 CAT I, APP3350 CAT I, Standards Mapping - Security Technical
Implementation Guide Version 3.9
25. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.1
26. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.2
27. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.3
28. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.4
29. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.5
30. APSC-DV-001740 CAT I, APSC-DV-002330 CAT II, APSC-DV-003110 CAT I, Standards
Mapping - Security Technical Implementation Guide Version 4.6

Instances
Password Management: Password in Configuration File High
Package: N/A
Instance Analysis Info Analyzer
ID 68030545 - autosave/src/main/resources/application-dev.properties:5
  Sink: spring.datasource.password in application-dev.properties:5
  EnclosingMethod:
  Analyzer: configur…

ID 68030531 - autosave/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030530 - health-alerts/src/main/resources/application.properties:12
  Sink: spring.datasource.password in application.properties:12
  EnclosingMethod:
  Analyzer: configur…

ID 68030544 - health-alerts/src/main/resources/application-dev.properties:21
  Sink: spring.datasource.password in application-dev.properties:21
  EnclosingMethod:
  Analyzer: configur…

ID 68030529 - health-alerts/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030528 - health-management/src/main/resources/application.properties:13
  Sink: spring.datasource.password in application.properties:13
  EnclosingMethod:
  Analyzer: configur…

ID 68030543 - health-management/src/main/resources/application-dev.properties:5
  Sink: spring.datasource.password in application-dev.properties:5
  EnclosingMethod:
  Analyzer: configur…

ID 68030527 - health-management/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030526 - health-record/src/main/resources/application.properties:12
  Sink: spring.datasource.password in application.properties:12
  EnclosingMethod:
  Analyzer: configur…

ID 68030542 - health-record/src/main/resources/application-dev.properties:21
  Sink: spring.datasource.password in application-dev.properties:21
  EnclosingMethod:
  Analyzer: configur…

ID 68030525 - health-record/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030524 - school-management/src/main/resources/application.properties:11
  Sink: spring.datasource.password in application.properties:11
  EnclosingMethod:
  Analyzer: configur…

ID 68030548 - school-management/src/main/resources/application-dev.properties:5
  Sink: spring.datasource.password in application-dev.properties:5
  EnclosingMethod:
  Analyzer: configur…

ID 68030550 - school-management/src/main/resources/application-stage.properties:12
  Sink: spring.cloud.config.password in application-stage.properties:12
  EnclosingMethod:
  Analyzer: configur…

ID 68030523 - school-management/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030547 - security/src/main/resources/application-dev.properties:5
  Sink: spring.datasource.password in application-dev.properties:5
  EnclosingMethod:
  Analyzer: configur…

ID 68030533 - security/src/test/resources/application.properties:4
  Sink: spring.datasource.password in application.properties:4
  EnclosingMethod:
  Analyzer: configur…

ID 68030532 - web-services/src/main/resources/application.properties:9
  Sink: spring.datasource.password in application.properties:9
  EnclosingMethod:
  Analyzer: configur…

ID 68030546 - web-services/src/main/resources/application-dev.properties:6
  Sink: spring.datasource.password in application-dev.properties:6
  EnclosingMethod:
  Analyzer: configur…

6.2.5 Portability Flaw: Locale Dependent Comparison High
CWE-474
OWASP Top 10:
PCI 3.2: 6.5.6 High Risk Vulnerabilities
Summary
The call to equals() on line 270 causes portability problems because the comparison behaves
differently under different locales, which may lead to unexpected output. This may also circumvent
custom validation routines. Unexpected portability problems can be found when the locale is not
specified.
Explanation
When comparing data that may be locale-dependent, an appropriate locale should be specified.
Example 1: The following example tries to perform validation to determine if user input includes a
<script> tag.

...
public String tagProcessor(String tag){
    if (tag.toUpperCase().equals("SCRIPT")){
        return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
}
...

The problem with the above code is that java.lang.String.toUpperCase() when used without a
locale uses the rules of the default locale. Using the Turkish locale "title".toUpperCase() returns
"T\u0130TLE", where "\u0130" is the "LATIN CAPITAL LETTER I WITH DOT ABOVE" character. This
can lead to unexpected results, such as in Example 1 where this will prevent the word "script" from
being caught by this validation, potentially leading to a Cross-Site Scripting vulnerability.
Execution

1. If SCA sees that java.util.Locale.setDefault() is called anywhere in the application, it will
assume that the locale has been set accordingly and these issues will also not appear.

Recommendation
To prevent this from occurring, always make sure to either specify the default locale, or specify the
locale with APIs that accept one, such as toUpperCase().

Example 2: The following specifies the locale manually as an argument to toUpperCase().

import java.util.Locale;
...
public String tagProcessor(String tag){
    if (tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT")){
        return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
}
...

Example 3: The following uses the java.lang.String.equalsIgnoreCase() API to prevent this issue.

...
public String tagProcessor(String tag){
    if (tag.equalsIgnoreCase("SCRIPT")){
        return null;
    }
    //does not contain SCRIPT tag, keep processing input
    ...
}
...

This prevents the problem because equalsIgnoreCase() changes case similar to
Character.toLowerCase() and Character.toUpperCase(). This involves creating temporary
canonical forms of both strings using information from the UnicodeData file that is part of the
Unicode Character Database maintained by the Unicode Consortium, and even though this may
render them unreadable if they were to be read out, it makes comparison possible without being
dependent upon locale.
References

1. STR02-J. Specify an appropriate locale when comparing locale-dependent data,
https://www.securecoding.cert.org/confluence/display/java/STR02-J.+Specify+an+appropriate+locale+when+comparing+locale-dependent+data
2. String (JavaDoc),
http://docs.oracle.com/javase/8/docs/api/java/lang/String.html#toUpperCase--
3. CWE ID 474, Standards Mapping - Common Weakness Enumeration
4. CCI-001310, Standards Mapping - DISA Control Correlation Identifier Version 2
5. Requirement 6.5.6, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.0
6. Requirement 6.5.6, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.1
7. Requirement 6.5.6, Standards Mapping - Payment Card Industry Data Security Standard
Version 3.2
8. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version
4.1
9. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version 4.2
10. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version 4.3
11. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version 4.4
12. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version 4.5
13. APSC-DV-002520 CAT II, Standards Mapping - Security Technical Implementation Guide Version 4.6

Instances
Portability Flaw: Locale Dependent Comparison High
Package: com.het.util
Instance: ID 68030554 - rules/src/main/java/com/het/util/RuleEngineUtil.java:270
Analysis Info: Sink: com.het.util.RuleEngineUtil.formatRule; EnclosingMethod: formatRule
Analyzer: controlfl…

6.2.6 Spring Boot Misconfiguration: DevTools Enabled High
OWASP Top 10: A6
PCI 3.2:
Summary
The Spring Boot application is configured in developer mode.
Explanation
The Spring Boot application has DevTools enabled. DevTools includes an additional set of tools that
can make the application development experience a little more pleasant, but that are not
recommended for use in production applications. As stated in the official Spring Boot documentation:
"Enabling spring-boot-devtools on a remote application is a security risk. You should never enable
support on a production deployment."
Recommendation
Remove the spring-boot-devtools dependency from production deployments.
References

1. Spring Boot Reference Guide, https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/
2. Indirect Access to Sensitive Data, Standards Mapping - General Data Protection Regulation
3. M1 Weak Server Side Controls, Standards Mapping - OWASP Mobile Top 10 Risks 2014
4. A6 Security Misconfiguration, Standards Mapping - OWASP Top 10 2010
5. A5 Security Misconfiguration, Standards Mapping - OWASP Top 10 2013
6. A6 Security Misconfiguration, Standards Mapping - OWASP Top 10 2017
7. Application Misconfiguration (WASC-15), Standards Mapping - Web Application Security Consortium Version 2.00

Instances
Spring Boot Misconfiguration: DevTools Enabled High
Package: N/A
Instance: ID 68030519 - pom.xml:47
Analysis Info: Sink: in pom.xml:47; EnclosingMethod:
Analyzer: configur…

Request and Response
Below is an enumeration of all dynamic issues with their request and response sections.

7.1.1 Dynamic Code Evaluation: Unsafe Deserialization Critical


ID 68030549 - pom.xml
Request

Response

7.1.2 Key Management: Hardcoded Encryption Key Critical
ID 68030513 - autosave/src/test/java/com/het/autosave/repository/AutoSaveRepositoryTest.java
Request

Response

ID 68030521 - autosave/src/test/java/com/het/autosave/repository/AutoSaveRepositoryTest.java
Request

Response

ID 68030536 - ui/dependencies/mdbreact/dist/mdbreact.js
Request

Response

ID 68030539 - ui/dependencies/mdbreact/dist/mdbreact.js
Request

Response

ID 68030538 - ui/dependencies/staticmdbreact/mdbreact.js
Request

Response

ID 68030540 - ui/dependencies/staticmdbreact/mdbreact.js
Request

Response

7.1.3 Spring Boot Misconfiguration: Actuator Endpoint Security Disabled Critical
ID 68030541 - school-management/src/main/resources/application-stage.properties
Request

Response

7.2.1 Null Dereference High
ID 68030516 - rules/src/test/java/com/het/TestConfiguartions.java
Request

Response

ID 68030522 - rules/src/test/java/com/het/TestConfiguartions.java
Request

Response

ID 68030534 - rules/src/test/java/com/het/TestFromExcel.java
Request

Response

ID 68030553 - rules/src/test/java/com/het/TestFromExcel.java
Request

Response

ID 68030514 - rules/src/test/java/com/het/TestHelper.java
Request

Response

7.2.2 Password Management: Empty Password High
ID 68030520 - ui/app/containers/Auth/reducer.js
Request

Response

7.2.3 Password Management: Hardcoded Password High
ID 68030518 - security/src/main/java/com/het/security/utils/Constants.java
Request

Response

ID 68030537 - security/src/main/java/com/het/security/utils/Constants.java
Request

Response

ID 68030552 - security/src/main/java/com/het/security/utils/RestMappingConstants.java
Request

Response

ID 68030515 - ui/app/containers/Auth/constants.js
Request

Response

ID 68030517 - ui/app/containers/Auth/constants.js
Request

Response

ID 68030535 - ui/app/containers/Auth/constants.js
Request

Response

ID 68030551 - ui/app/containers/Auth/constants.js
Request

Response

7.2.4 Password Management: Password in Configuration File High
ID 68030545 - autosave/src/main/resources/application-dev.properties
Request

Response

ID 68030531 - autosave/src/test/resources/application.properties
Request

Response

ID 68030530 - health-alerts/src/main/resources/application.properties
Request

Response

ID 68030544 - health-alerts/src/main/resources/application-dev.properties
Request

Response

ID 68030529 - health-alerts/src/test/resources/application.properties
Request

Response

ID 68030528 - health-management/src/main/resources/application.properties
Request

Response

ID 68030543 - health-management/src/main/resources/application-dev.properties
Request

Response

ID 68030527 - health-management/src/test/resources/application.properties
Request

Response

ID 68030526 - health-record/src/main/resources/application.properties
Request

Response

ID 68030542 - health-record/src/main/resources/application-dev.properties
Request

Response

ID 68030525 - health-record/src/test/resources/application.properties
Request

Response

ID 68030524 - school-management/src/main/resources/application.properties
Request

Response

ID 68030548 - school-management/src/main/resources/application-dev.properties
Request

Response

ID 68030550 - school-management/src/main/resources/application-stage.properties
Request

Response

ID 68030523 - school-management/src/test/resources/application.properties
Request

Response

ID 68030547 - security/src/main/resources/application-dev.properties
Request

Response

ID 68030533 - security/src/test/resources/application.properties
Request

Response

ID 68030532 - web-services/src/main/resources/application.properties
Request

Response

ID 68030546 - web-services/src/main/resources/application-dev.properties
Request

Response

7.2.5 Portability Flaw: Locale Dependent Comparison High
ID 68030554 - rules/src/main/java/com/het/util/RuleEngineUtil.java
Request

Response

7.2.6 Spring Boot Misconfiguration: DevTools Enabled High
ID 68030519 - pom.xml
Request

Response

Analysis Traces
Below is an enumeration of all static issues with their stack trace sections.

ID 68030549 - Dynamic Code Evaluation: Unsafe Deserialization Critical

Analysis Trace Source


pom.xml:37

pom.xml:34-40

<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
<version>${spring-version}</version>
</dependency>
<dependency>

Analysis Trace Diagram

pom.xml

ID 68030513 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


AutoSaveRepositoryTest.java:39 - … autosave/src/test/java/com/het/autosave/repository/AutoSaveReposito
AutoSaveRepositoryTest.java:39 - … 42

@Test
public void find() {
String key = "Key1";
AutoSaveModel autoSaveModel = autoSaveRepository.findOne(key);
Assert.assertNotNull(autoSaveModel);
}

Analysis Trace Diagram

AutoSaveRepositoryTest.java

VariableAccess: key

Variable: key

ID 68030521 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


AutoSaveRepositoryTest.java:26 - … autosave/src/test/java/com/het/autosave/repository/AutoSaveReposito
AutoSaveRepositoryTest.java:26 - … 29

@Test
public void create() {
String key = "Key 123";
AutoSaveModel autoSaveModel = new AutoSaveModel();
autoSaveModel.setKey(key);
autoSaveModel.setData(JSONUtils.getJSON());

Analysis Trace Diagram

AutoSaveRepositoryTest.java

VariableAccess: key

Variable: key

ID 68030536 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


mdbreact.js:17199 - Operation
mdbreact.js:17199 - VariableAcces…

ui/dependencies/mdbreact/dist/mdbreact.js:17196-17202

* @private
* @param {Object} object The object to query.
* @returns {Array} Returns the array of property names.
*/function baseKeys(object){if(!isPrototype(object)){return nativeKeys(object);}var result=[];for(var key in Object(object)){if(hasOwnProperty.call(object,key)&&key!='constructor'){result.push(key);}}return result;}/**
* The base implementation of `_.keysIn` which doesn't treat sparse arrays as dense.
*
* @private

Analysis Trace Diagram

mdbreact.js

Operation

VariableAccess: key

ID 68030538 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


mdbreact.js:17147 - Operation
mdbreact.js:17147 - VariableAcces…

ui/dependencies/staticmdbreact/mdbreact.js:17144-17150

* @private
* @param {Object} object The object to query.
* @returns {Array} Returns the array of property names.
*/function baseKeysIn(object){if(!isObject(object)){return nativeKeysIn(object);}var isProto=isPrototype(object),result=[];for(var key in object){if(!(key=='constructor'&&(isProto||!hasOwnProperty.call(object,key)))){result.push(key);}}return result;}/**
* The base implementation of `_.lt` which doesn't coerce arguments.
*
* @private

Analysis Trace Diagram

mdbreact.js

Operation

VariableAccess: key

ID 68030539 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


mdbreact.js:17205 - Operation
mdbreact.js:17205 - VariableAcces…

ui/dependencies/mdbreact/dist/mdbreact.js:17202-17208

* @private
* @param {Object} object The object to query.
* @returns {Array} Returns the array of property names.
*/function baseKeysIn(object){if(!isObject(object)){return nativeKeysIn(object);}var isProto=isPrototype(object),result=[];for(var key in object){if(!(key=='constructor'&&(isProto||!hasOwnProperty.call(object,key)))){result.push(key);}}return result;}/**
* The base implementation of `_.lt` which doesn't coerce arguments.
*
* @private

Analysis Trace Diagram

mdbreact.js

Operation

VariableAccess: key

ID 68030540 - Key Management: Hardcoded Encryption Key Critical

Analysis Trace Source


mdbreact.js:17141 - Operation
mdbreact.js:17141 - VariableAcces…

ui/dependencies/staticmdbreact/mdbreact.js:17138-17144

* @private
* @param {Object} object The object to query.
* @returns {Array} Returns the array of property names.
*/function baseKeys(object){if(!isPrototype(object)){return nativeKeys(object);}var result=[];for(var key in Object(object)){if(hasOwnProperty.call(object,key)&&key!='constructor'){result.push(key);}}return result;}/**
* The base implementation of `_.keysIn` which doesn't treat sparse arrays as dense.
*
* @private

Analysis Trace Diagram

mdbreact.js

Operation

VariableAccess: key

ID 68030541 - Spring Boot Misconfiguration: Actuator Endpoint Security Disabled Critical

Analysis Trace Source

application-stage.properties:9 - m…

school-management/src/main/resources/application-stage.properties:6-12

# N.B. this is the default:


spring.cloud.config.uri=http://config:9422
management.security.enabled=false
spring.application.name=SchoolManagement
spring.cloud.config.fail-fast= true
spring.cloud.config.password= TEST123

Analysis Trace Diagram

application-stage.properties

management.security.enabled

ID 68030514 - Null Dereference High

Analysis Trace Source


TestHelper.java:150 - Assigned null…
TestHelper.java:156 - java.lang.Exc…
TestHelper.java:169 - Dereference…

rules/src/test/java/com/het/TestHelper.java:147-153

public static List<Config> getRulesForScenario(String eachScenarioName) throws Exception {
Configurations configs = new Configurations();
FileInputStream is=null;
List<Config> allConditions = new ArrayList<Config>();
try {
String scenarioPropFile = rulesPath + File.separator

rules/src/test/java/com/het/TestHelper.java:153-159

String scenarioPropFile = rulesPath + File.separator


+ eachScenarioName.substring(0, eachScenarioName.indexOf("Scenario")) + File.separator
+ eachScenarioName + ".properties";
is = new FileInputStream(scenarioPropFile);
configs.load(is);

for (Integer ruleNo : configs.getNumericKeys()) {

rules/src/test/java/com/het/TestHelper.java:166-172

throw new Exception(e);


} finally {
try {
is.close();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

Analysis Trace Diagram

TestHelper.getRulesForScenario TestHelper.java

Assigned null : is

java.lang.Exception thrown

Dereferenced : is

ID 68030516 - Null Dereference High

Analysis Trace Source


TestConfiguartions.java:46 - Assig…
TestConfiguartions.java:49 - java.l…
TestConfiguartions.java:56 - Deref…

rules/src/test/java/com/het/TestConfiguartions.java:43-49

}

public Configurations loadPropertiesTest2() throws Exception {


FileInputStream fis = null;
Configurations configObj = new Configurations();
try {
fis = new FileInputStream(testFile2);

rules/src/test/java/com/het/TestConfiguartions.java:46-52

FileInputStream fis = null;


Configurations configObj = new Configurations();
try {
fis = new FileInputStream(testFile2);
configObj.load(fis);
} catch (Exception e) {
// TODO Auto-generated catch block

rules/src/test/java/com/het/TestConfiguartions.java:53-59

throw new Exception(e);


} finally {
try {
fis.close();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

Analysis Trace Diagram

TestConfiguartions.loadProper… TestConfiguartions.java

Assigned null : fis

java.lang.Exception thrown

Dereferenced : fis

ID 68030522 - Null Dereference High

Analysis Trace Source


TestConfiguartions.java:26 - Assig…
TestConfiguartions.java:29 - java.l…
TestConfiguartions.java:36 - Deref…

rules/src/test/java/com/het/TestConfiguartions.java:23-29

private final static String testFile2 = "src/test/resources/test/test2.properties";

public Configurations loadPropertiesTest1() throws Exception {


FileInputStream fis = null;
Configurations configObj = new Configurations();
try {
fis = new FileInputStream(testFile1);

rules/src/test/java/com/het/TestConfiguartions.java:26-32

FileInputStream fis = null;


Configurations configObj = new Configurations();
try {
fis = new FileInputStream(testFile1);
configObj.load(fis);
} catch (Exception e) {
// TODO Auto-generated catch block

rules/src/test/java/com/het/TestConfiguartions.java:33-39

throw new Exception(e);


} finally {
try {
fis.close();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

Analysis Trace Diagram

TestConfiguartions.loadProper… TestConfiguartions.java

Assigned null : fis

java.lang.Exception thrown

Dereferenced : fis

ID 68030534 - Null Dereference High

Analysis Trace Source


TestFromExcel.java:63 - Assigned …
TestFromExcel.java:66 - java.lang.…
TestFromExcel.java:153 - Derefere…

rules/src/test/java/com/het/TestFromExcel.java:60-66

*/
@Test
public void testDataFromExcelForAllExceptDTAPandMCV4() throws Exception {
FileInputStream fis = null;
FileOutputStream fos = null;
try {
fis = new FileInputStream(inputFilePath);

rules/src/test/java/com/het/TestFromExcel.java:63-69

FileInputStream fis = null;


FileOutputStream fos = null;
try {
fis = new FileInputStream(inputFilePath);
fos = new FileOutputStream(outputFilePath);
XSSFWorkbook workbook = new XSSFWorkbook(fis);
sheetLoop: for (int i = 0; i < workbook.getNumberOfSheets(); i++) {

rules/src/test/java/com/het/TestFromExcel.java:150-156

e.printStackTrace();
}
try {
fis.close();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

Analysis Trace Diagram

TestFromExcel.testDataFromE… TestFromExcel.java

Assigned null : fis

java.lang.Exception thrown

Dereferenced : fis

ID 68030553 - Null Dereference High

Analysis Trace Source


TestFromExcel.java:64 - Assigned …
TestFromExcel.java:66 - java.lang.…
TestFromExcel.java:147 - Derefere…

rules/src/test/java/com/het/TestFromExcel.java:61-67

@Test
public void testDataFromExcelForAllExceptDTAPandMCV4() throws Exception {
FileInputStream fis = null;
FileOutputStream fos = null;
try {
fis = new FileInputStream(inputFilePath);
fos = new FileOutputStream(outputFilePath);

rules/src/test/java/com/het/TestFromExcel.java:63-69

FileInputStream fis = null;


FileOutputStream fos = null;
try {
fis = new FileInputStream(inputFilePath);
fos = new FileOutputStream(outputFilePath);
XSSFWorkbook workbook = new XSSFWorkbook(fis);
sheetLoop: for (int i = 0; i < workbook.getNumberOfSheets(); i++) {

rules/src/test/java/com/het/TestFromExcel.java:144-150

throw new Exception(e);


} finally {
try {
fos.close();
} catch (Exception e) {
// TODO Auto-generated catch block
e.printStackTrace();

Analysis Trace Diagram

TestFromExcel.testDataFromE… TestFromExcel.java

Assigned null : fos

java.lang.Exception thrown

Dereferenced : fos

ID 68030520 - Password Management: Empty Password High

Analysis Trace Source


reducer.js:32 - FieldAccess: passw…
reducer.js:32 - Field: password

ui/app/containers/Auth/reducer.js:29-35

const initialState = fromJS({
username: '',
password: '',
shouldRedirect: false,
user: false,
loading: false,

Analysis Trace Diagram

reducer.js

FieldAccess: password

Field: password

ID 68030515 - Password Management: Hardcoded Password High

Analysis Trace Source


constants.js:13 - FieldAccess: CHA…
- Field: CHANGE_PASSWORD

ui/app/containers/Auth/constants.js:10-16

export const LOGOUT_SUCCESS = 'app/Auth/LOGOUT_SUCCESS';
export const LOGOUT_ERROR = 'app/Auth/LOGOUT_ERROR';
export const CHANGE_USERNAME = 'app/Auth/CHANGE_USERNAME';
export const CHANGE_PASSWORD = 'app/Auth/CHANGE_PASSWORD';
export const LOAD_PASSWORD_SUCCESS = 'app/Auth/LOAD_PASSWORD_SUCCESS';
export const LOAD_LOGIN_SUCCESS = 'app/Auth/LOAD_LOGIN_SUCCESS';
export const LOAD_LOGIN_ERROR = 'app/Auth/LOAD_LOGIN_ERROR';

Analysis Trace Diagram

constants.js - Field

FieldAccess: CHANGE_PASSW…

Field: CHANGE_PASSWORD

ID 68030517 - Password Management: Hardcoded Password High

Analysis Trace Source


constants.js:13 - VariableAccess: C…
saga.js:10 - Variable: CHANGE_PA…

ui/app/containers/Auth/constants.js:10-16

export const LOGOUT_SUCCESS = 'app/Auth/LOGOUT_SUCCESS';
export const LOGOUT_ERROR = 'app/Auth/LOGOUT_ERROR';
export const CHANGE_USERNAME = 'app/Auth/CHANGE_USERNAME';
export const CHANGE_PASSWORD = 'app/Auth/CHANGE_PASSWORD';
export const LOAD_PASSWORD_SUCCESS = 'app/Auth/LOAD_PASSWORD_SUCCESS';
export const LOAD_LOGIN_SUCCESS = 'app/Auth/LOAD_LOGIN_SUCCESS';
export const LOAD_LOGIN_ERROR = 'app/Auth/LOAD_LOGIN_ERROR';

ui/app/containers/Auth/saga.js:7-13

import history from '../../browserHistorySingleton';

import { LOGIN, CHANGE_PASSWORD, IS_AUTHENTICATED, LOGOUT } from './constants';
import {
loginSuccess,
loginError,

Analysis Trace Diagram

constants.js saga.js

VariableAccess: CHANGE_PA…

Variable: CHANGE_PASSWORD

ID 68030518 - Password Management: Hardcoded Password High

Analysis Trace Source


Constants.java:15 - FieldAccess: H…
Constants.java:15 - Field: HEADER…

security/src/main/java/com/het/security/utils/Constants.java:12-18

String ROLE_PREFIX = "ROLE";
String MINUS = "-";
String HEADER_USERNAME = "X-Username";
String HEADER_PASSWORD = "X-Password";
String HEADER_AUTH_TOKEN = "X-AUTH-TOKEN";
String HEADER_AUTH_ERR_CODE = "X-AUTH-ERR-CODE";

Analysis Trace Diagram

Constants.java

FieldAccess: HEADER_PASSW…

Field: HEADER_PASSWORD

ID 68030535 - Password Management: Hardcoded Password High

Analysis Trace Source


constants.js:14 - VariableAccess: L…
reducer.js:14 - Variable: LOAD_PAS…

ui/app/containers/Auth/constants.js:11-17

export const LOGOUT_ERROR = 'app/Auth/LOGOUT_ERROR';
export const CHANGE_USERNAME = 'app/Auth/CHANGE_USERNAME';
export const CHANGE_PASSWORD = 'app/Auth/CHANGE_PASSWORD';
export const LOAD_PASSWORD_SUCCESS = 'app/Auth/LOAD_PASSWORD_SUCCESS';
export const LOAD_LOGIN_SUCCESS = 'app/Auth/LOAD_LOGIN_SUCCESS';
export const LOAD_LOGIN_ERROR = 'app/Auth/LOAD_LOGIN_ERROR';
export const CLEAR_ERROR = 'app/Auth/CLEAR_ERROR';

ui/app/containers/Auth/reducer.js:11-17

*/
import { fromJS } from 'immutable';

import {
LOGIN,
LOGOUT,
LOGOUT_SUCCESS,

Analysis Trace Diagram

constants.js reducer.js

VariableAccess: LOAD_PASS…

Variable: LOAD_PASSWORD_…
ID 68030537 - Password Management: Hardcoded Password High

Analysis Trace Source


Constants.java:7 - FieldAccess: CR…
Constants.java:7 - Field: CREDENT…

security/src/main/java/com/het/security/utils/Constants.java:4-10

//Error constants
String CREDENTIALS_INVALID = "credentials.invalid";
String CREDENTIALS_INCORRECT = "credentials.incorrect";
String CREDENTIALS_INCORRECT_PASSWORD = "credentials.incorrect.password";
String UNKOWN_ERROR = "unknown.error";

//Generic constants

Analysis Trace Diagram

Constants.java

FieldAccess: CREDENTIALS_I…

Field: CREDENTIALS_INCORR…

ID 68030551 - Password Management: Hardcoded Password High

Analysis Trace Source


constants.js:14 - FieldAccess: LOA…
- Field: LOAD_PASSWORD_SUCCESS

ui/app/containers/Auth/constants.js:11-17

export const LOGOUT_ERROR = 'app/Auth/LOGOUT_ERROR';
export const CHANGE_USERNAME = 'app/Auth/CHANGE_USERNAME';
export const CHANGE_PASSWORD = 'app/Auth/CHANGE_PASSWORD';
export const LOAD_PASSWORD_SUCCESS = 'app/Auth/LOAD_PASSWORD_SUCCESS';
export const LOAD_LOGIN_SUCCESS = 'app/Auth/LOAD_LOGIN_SUCCESS';
export const LOAD_LOGIN_ERROR = 'app/Auth/LOAD_LOGIN_ERROR';
export const CLEAR_ERROR = 'app/Auth/CLEAR_ERROR';

Analysis Trace Diagram

constants.js - Field

FieldAccess: LOAD_PASSWOR…

Field: LOAD_PASSWORD_SU…

ID 68030552 - Password Management: Hardcoded Password High

Analysis Trace Source


RestMappingConstants.java:8 - Fie… security/src/main/java/com/het/security/utils/RestMappingConstants.ja
RestMappingConstants.java:8 - Fie… 11

String BASE_URI = "/rest";

String ACCOUNT = BASE_URI + "/account";


String ACCOUNT_CHANGE_PASSWORD = "/change/password";
String ACCOUNT_DETAILS = "/details";
String ACCOUNT_ADMIN = "/admin";
String ACCOUNT_TEACHER = "/teacher";

Analysis Trace Diagram

RestMappingConstants.java

FieldAccess: ACCOUNT_CHAN…

Field: ACCOUNT_CHANGE_PA…

ID 68030523 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… school-management/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=none

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030524 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:11 - spring.… school-management/src/main/resources/application.properties:8-14

spring.application.name=SchoolManagement
spring.datasource.url=jdbc:postgresql://google/${DB_NAME}?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=${DB_INSTANCE}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
#spring.datasource.url= jdbc:postgresql://google/hetdevtruth?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=het-v2:us-central1:hetdevtruth
spring.jpa.hibernate.ddl-auto=none
spring.sleuth.web.skipPattern=(^cleanup.*|.+favicon.*)

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030525 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… health-record/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=none

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030526 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:12 - spring.… health-record/src/main/resources/application.properties:9-15

spring.application.name=HealthRecord
spring.datasource.url=jdbc:postgresql://google/${DB_NAME}?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=${DB_INSTANCE}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect = com.marvinformatics.hibernate.json.PostgreSQLJsonDialect
server.context-path= /healthrecord

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030527 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… health-management/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=update

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030528 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:13 - spring.… health-management/src/main/resources/application.properties:10-16

#spring.datasource.url= jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.url=jdbc:postgresql://google/${DB_NAME}?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=${DB_INSTANCE}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
#spring.datasource.url= jdbc:postgresql://google/hetdevtruth?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=het-v2:us-central1:hetdevtruth
spring.jpa.hibernate.ddl-auto=update
#spring.zipkin.baseUrl=http://zipkin:8080/

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030529 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… health-alerts/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=update

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030530 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:12 - spring.… health-alerts/src/main/resources/application.properties:9-15

spring.application.name=HealthAlert
spring.datasource.url=jdbc:postgresql://google/${DB_NAME}?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=${DB_INSTANCE}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=update
spring.jpa.properties.hibernate.dialect = com.marvinformatics.hibernate.json.PostgreSQLJsonDialect
server.context-path= /ha

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030531 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… autosave/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=update

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030532 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:9 - spring.d… web-services/src/main/resources/application.properties:6-12

spring.application.name=WebService
spring.datasource.url=jdbc:postgresql://google/${DB_NAME}?socketFactory=com.google.cloud.sql.postgres.SocketFactory&socketFactoryArg=${DB_INSTANCE}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=update
#spring.zipkin.baseUrl=http://zipkin:9411/
#spring.sleuth.sampler.percentage=1.0

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030533 - Password Management: Password in Configuration File High

Analysis Trace Source


application.properties:4 - spring.d… security/src/test/resources/application.properties:1-7

spring.datasource.driver-class-name=org.postgresql.Driver
spring.datasource.url=jdbc:postgresql://localhost:5432/hetdev
spring.datasource.username=hetdev
spring.datasource.password=password
spring.test.database.replace=NONE

spring.jpa.hibernate.ddl-auto=update

Analysis Trace Diagram

application.properties

spring.datasource.password

ID 68030542 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:21 - spri… health-record/src/main/resources/application-dev.properties:18-24

spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030543 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:5 - sprin… health-management/src/main/resources/application-dev.properties:2-8

spring.profiles.include=common
spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030544 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:21 - spri… health-alerts/src/main/resources/application-dev.properties:18-24

spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030545 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:5 - sprin… autosave/src/main/resources/application-dev.properties:2-8

spring.profiles.include=common
spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030546 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:6 - sprin… web-services/src/main/resources/application-dev.properties:3-9

spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=update
#spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030547 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:5 - sprin… security/src/main/resources/application-dev.properties:2-8

spring.profiles.include=common
spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=true
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030548 - Password Management: Password in Configuration File High

Analysis Trace Source


application-dev.properties:5 - sprin… school-management/src/main/resources/application-dev.properties:2-8

spring.profiles.include=common
spring.datasource.url=jdbc:postgresql://${DB_HOST}:${DB_PORT}/${DB_NAME}
spring.datasource.username=${DB_USER}
spring.datasource.password=${DB_PWD}
spring.jpa.hibernate.ddl-auto=none
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.dialect=com.marvinformatics.hibernate.json.PostgreSQLJsonDialect

Analysis Trace Diagram

application-dev.properties

spring.datasource.password

ID 68030550 - Password Management: Password in Configuration File High

Analysis Trace Source


application-stage.properties:12 - s… school-management/src/main/resources/application-stage.properties:9-15

management.security.enabled=false
spring.application.name=SchoolManagement
spring.cloud.config.fail-fast= true
spring.cloud.config.password= TEST123
spring.cloud.config.username= user

Analysis Trace Diagram

application-stage.properties

spring.cloud.config.password

ID 68030554 - Portability Flaw: Locale Dependent Comparison High

Analysis Trace Source


RuleEngineUtil.java:250 - Branch t…
RuleEngineUtil.java:258 - goto
RuleEngineUtil.java:260 - goto
RuleEngineUtil.java:269 - toUpper…
RuleEngineUtil.java:270 - equals(t…

rules/src/main/java/com/het/util/RuleEngineUtil.java:247-253

String matchedStr = matcher.group(0).replace(" ", "");
periodSet.add(matchedStr);
}
for (String periodStr : periodSet) {
StringBuilder formattedSb = new StringBuilder();

String operator = StringUtils.substring(periodStr, 0, 1);

rules/src/main/java/com/het/util/RuleEngineUtil.java:255-261

String temporal = StringUtils.substring(periodStr, periodStr.length() - 1, periodStr.length());

switch (operator) {
case "+":
formattedSb.append(".plus");
break;
case "-":

rules/src/main/java/com/het/util/RuleEngineUtil.java:257-263

switch (operator) {
case "+":
formattedSb.append(".plus");
break;
case "-":
formattedSb.append(".minus");
break;

rules/src/main/java/com/het/util/RuleEngineUtil.java:266-272

// originalCondition);
}

switch (temporal.toUpperCase()) {
case "W":
formattedSb.append("Weeks");
break;

rules/src/main/java/com/het/util/RuleEngineUtil.java:267-273

}

switch (temporal.toUpperCase()) {
case "W":
formattedSb.append("Weeks");
break;
case "D":

Analysis Trace Diagram

RuleEngineUtil.java RuleEngineUtil.formatRule

Branch taken: periodStr~iter…

goto

goto

toUpperCase() : Case change…

equals(temporal.toUpperCase…

ID 68030519 - Spring Boot Misconfiguration: DevTools Enabled High

Analysis Trace Source


pom.xml:47 pom.xml:44-50

</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-devtools</artifactId>
<version>${spring-version}</version>
<scope>runtime</scope>
</dependency>

Analysis Trace Diagram

pom.xml

Static File Listing
The static file listing displays all files scanned by the SCA scanner.

Filename Size (bytes) Modified Date


autosave/pom.xml 1866 2018/08/05
autosave/src/main/java/com/het/autosave/annotation/Ena… 301 2018/08/05
autosave/src/main/java/com/het/autosave/AutoSaveApplic… 596 2018/08/05
autosave/src/main/java/com/het/autosave/config/AutoSav… 3459 2018/08/05
autosave/src/main/java/com/het/autosave/config/AutoSav… 711 2018/08/05
autosave/src/main/java/com/het/autosave/controller/Auto… 1306 2018/08/05
autosave/src/main/java/com/het/autosave/interceptor/Aut… 2026 2018/08/05
autosave/src/main/java/com/het/autosave/model/AutoSav… 1107 2018/08/05
autosave/src/main/java/com/het/autosave/repository/Aut… 294 2018/08/05
autosave/src/main/java/com/het/autosave/service/IAutoSa… 214 2018/08/05
autosave/src/main/java/com/het/autosave/service/impl/Au… 1245 2018/08/05
autosave/src/main/resources/application-dev.properties 751 2018/08/05
autosave/src/main/resources/application-prod.properties 99 2018/08/05
autosave/src/main/resources/application-stage.properties 124 2018/08/05
autosave/src/main/resources/data-auto-save-dev.sql 108 2018/08/05
autosave/src/main/resources/logback-spring.xml 4086 2018/08/05
autosave/src/main/resources/schema-auto-save.sql 136 2018/08/05
autosave/src/test/java/com/het/autosave/repository/Auto… 1317 2018/08/05
autosave/src/test/java/com/het/autosave/rest/AutoSaveR… 6051 2018/08/05
autosave/src/test/java/com/het/autosave/service/AutoSav… 1827 2018/08/05
autosave/src/test/resources/application.properties 981 2018/08/05
build-tools/pom.xml 505 2018/08/05
build-tools/src/main/resources/het/checkstyle.xml 6914 2018/08/05
common/pom.xml 1858 2018/08/05
common/src/main/java/com/het/common/advice/Common… 3272 2018/08/05
common/src/main/java/com/het/common/alert/dto/AlertDt… 1664 2018/08/05
common/src/main/java/com/het/common/auth/dto/Assign… 723 2018/08/05
common/src/main/java/com/het/common/auth/dto/Chang… 497 2018/08/05
common/src/main/java/com/het/common/auth/dto/Demog… 2887 2018/08/05
common/src/main/java/com/het/common/auth/dto/Profile… 1236 2018/08/05
common/src/main/java/com/het/common/auth/dto/Regist… 1031 2018/08/05
common/src/main/java/com/het/common/auth/dto/ResetP… 530 2018/08/05

common/src/main/java/com/het/common/auth/dto/RoleDt… 621 2018/08/05
common/src/main/java/com/het/common/auth/dto/UserSit… 853 2018/08/05
common/src/main/java/com/het/common/CommonApplicat… 533 2018/08/05
common/src/main/java/com/het/common/config/BeanConfi… 2928 2018/08/05
common/src/main/java/com/het/common/dto/HealthNotice… 968 2018/08/05
common/src/main/java/com/het/common/dto/ResponseDt… 537 2018/08/05
common/src/main/java/com/het/common/dto/SearchCriter… 1144 2018/08/05
common/src/main/java/com/het/common/dto/SearchDto.j… 2252 2018/08/05
common/src/main/java/com/het/common/dto/SearchOrder… 643 2018/08/05
common/src/main/java/com/het/common/dto/StatusDto.j… 1005 2018/08/05
common/src/main/java/com/het/common/exception/Error… 1022 2018/08/05
common/src/main/java/com/het/common/exception/ErrorT… 191 2018/08/05
common/src/main/java/com/het/common/exception/HetEx… 1248 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1774 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 3085 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1382 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 610 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 756 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 546 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 3773 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1655 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 2417 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1467 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1730 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 3027 2018/08/05
common/src/main/java/com/het/common/health/mgmt/dt… 1328 2018/08/05
common/src/main/java/com/het/common/health/record/dt… 2513 2018/08/05
common/src/main/java/com/het/common/model/AlertCate… 118 2018/08/05
common/src/main/java/com/het/common/model/AlertType.… 119 2018/08/05
common/src/main/java/com/het/common/model/Auditable.… 1476 2018/08/05
common/src/main/java/com/het/common/rest/BaseContro… 1493 2018/08/05
common/src/main/java/com/het/common/rest/HealthChec… 345 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 1190 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 651 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 7605 2018/08/05

common/src/main/java/com/het/common/school/mgmt/dt… 3214 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 141 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 2763 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 924 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 132 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 3856 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 5623 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 1794 2018/08/05
common/src/main/java/com/het/common/school/mgmt/dt… 960 2018/08/05
common/src/main/java/com/het/common/service/IGeneric… 213 2018/08/05
common/src/main/java/com/het/common/service/impl/Gen… 1710 2018/08/05
common/src/main/java/com/het/common/utils/CollectionUt… 287 2018/08/05
common/src/main/java/com/het/common/utils/CommonDa… 737 2018/08/05
common/src/main/java/com/het/common/utils/CommonRe… 160 2018/08/05
common/src/main/java/com/het/common/utils/CsvUtils.java 502 2018/08/05
common/src/main/java/com/het/common/utils/HttpHostsC… 1942 2018/08/05
common/src/main/java/com/het/common/utils/JSONUtils.j… 2301 2018/08/05
common/src/main/java/com/het/common/utils/RestTempla… 1579 2018/08/05
common/src/main/java/com/het/common/utils/Utils.java 2387 2018/08/05
common/src/main/resources/application-common.properties 618 2018/08/05
config/pom.xml 2136 2018/08/05
config/src/main/java/com/het/config/ConfigApplication.java 393 2018/08/05
D:/work/work/sca18.1/build/378575-187979-bluepal/extr… 545 2018/08/05
D:/work/work/sca18.1/build/378575-187979-bluepal/extr… 571 2018/08/05
D:/work/work/sca18.1/build/378575-187979-bluepal/extr… 561 2018/08/05
health-alerts/pom.xml 3941 2018/08/05
health-alerts/src/main/java/com/het/alerts/HealthAlert.java 663 2018/08/05
health-alerts/src/main/java/com/het/alerts/helper/AlertDat… 220 2018/08/05
health-alerts/src/main/java/com/het/alerts/model/Alert.java 2035 2018/08/05
health-alerts/src/main/java/com/het/alerts/repository/Alert… 728 2018/08/05
health-alerts/src/main/java/com/het/alerts/rest/AlertRestC… 1358 2018/08/05
health-alerts/src/main/java/com/het/alerts/service/IAlertSe… 359 2018/08/05
health-alerts/src/main/java/com/het/alerts/service/impl/Ale… 1274 2018/08/05
health-alerts/src/main/resources/application.properties 1198 2018/08/05
health-alerts/src/main/resources/application-dev.properties 906 2018/08/05

health-alerts/src/main/resources/data-ha-dev.sql 195 2018/08/05
health-alerts/src/main/resources/logback-spring.xml 1767 2018/08/05
health-alerts/src/main/resources/schema-ha.sql 319 2018/08/05
health-alerts/src/test/java/com/het/alerts/repository/Alert… 1136 2018/08/05
health-alerts/src/test/resources/application.properties 908 2018/08/05
health-management/pom.xml 5130 2018/08/05
health-management/src/main/java/com/het/logs/handler/H… 382 2018/08/05
health-management/src/main/java/com/het/logs/handler/H… 289 2018/08/05
health-management/src/main/java/com/het/logs/helper/Ap… 1926 2018/08/05
health-management/src/main/java/com/het/logs/helper/En… 971 2018/08/05
health-management/src/main/java/com/het/logs/helper/Me… 1315 2018/08/05
health-management/src/main/java/com/het/logs/helper/Me… 1229 2018/08/05
health-management/src/main/java/com/het/logs/helper/Sc… 3971 2018/08/05
health-management/src/main/java/com/het/logs/Medicatio… 5173 2018/08/05
health-management/src/main/java/com/het/logs/model/Ap… 3028 2018/08/05
health-management/src/main/java/com/het/logs/model/En… 3482 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 348 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 148 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 344 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 1046 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 864 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 153 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 289 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 132 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 696 2018/08/05
health-management/src/main/java/com/het/logs/model/en… 303 2018/08/05
health-management/src/main/java/com/het/logs/model/Me… 2602 2018/08/05
health-management/src/main/java/com/het/logs/model/Me… 4771 2018/08/05
health-management/src/main/java/com/het/logs/model/Me… 2201 2018/08/05
health-management/src/main/java/com/het/logs/model/Pr… 2842 2018/08/05
health-management/src/main/java/com/het/logs/model/Sc… 3313 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 2189 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 1213 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 1152 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 203 2018/08/05

health-management/src/main/java/com/het/logs/repositor… 598 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 3077 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 760 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 622 2018/08/05
health-management/src/main/java/com/het/logs/repositor… 2901 2018/08/05
health-management/src/main/java/com/het/logs/rest/App… 3699 2018/08/05
health-management/src/main/java/com/het/logs/rest/Enco… 4223 2018/08/05
health-management/src/main/java/com/het/logs/rest/Medi… 2918 2018/08/05
health-management/src/main/java/com/het/logs/rest/Scre… 2541 2018/08/05
health-management/src/main/java/com/het/logs/service/IA… 1141 2018/08/05
health-management/src/main/java/com/het/logs/service/IE… 882 2018/08/05
health-management/src/main/java/com/het/logs/service/I… 351 2018/08/05
health-management/src/main/java/com/het/logs/service/I… 822 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 2832 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 22337 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 1436 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 8109 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 941 2018/08/05
health-management/src/main/java/com/het/logs/service/i… 2883 2018/08/05
health-management/src/main/java/com/het/logs/service/IP… 206 2018/08/05
health-management/src/main/java/com/het/logs/service/IS… 689 2018/08/05
health-management/src/main/resources/application.proper… 1691 2018/08/05
health-management/src/main/resources/application-dev.pr… 1073 2018/08/05
health-management/src/main/resources/application-prod.p… 99 2018/08/05
health-management/src/main/resources/application-stage.… 124 2018/08/05
health-management/src/main/resources/data-hm-dev.sql 6233 2018/08/05
health-management/src/main/resources/logback-spring.xml 3339 2018/08/05
health-management/src/main/resources/schema-hm.sql 4189 2018/08/05
health-management/src/test/java/com/het/logs/repository… 3660 2018/08/05
health-management/src/test/java/com/het/logs/repository… 2732 2018/08/05
health-management/src/test/java/com/het/logs/repository… 3179 2018/08/05
health-management/src/test/java/com/het/logs/repository… 599 2018/08/05
health-management/src/test/java/com/het/logs/repository… 5595 2018/08/05
health-management/src/test/java/com/het/logs/repository… 2839 2018/08/05
health-management/src/test/java/com/het/logs/rest/Medic… 3841 2018/08/05

health-management/src/test/java/com/het/logs/service/En… 3295 2018/08/05
health-management/src/test/java/com/het/logs/service/Me… 6032 2018/08/05
health-management/src/test/java/com/het/logs/service/Sc… 3369 2018/08/05
health-management/src/test/resources/application.propert… 967 2018/08/05
health-record/pom.xml 3566 2018/08/05
health-record/src/main/java/com/het/record/advice/Health… 364 2018/08/05
health-record/src/main/java/com/het/record/HealthRecord… 640 2018/08/05
health-record/src/main/java/com/het/record/helper/Immun… 1460 2018/08/05
health-record/src/main/java/com/het/record/model/Health… 2146 2018/08/05
health-record/src/main/java/com/het/record/model/Health… 1396 2018/08/05
health-record/src/main/java/com/het/record/model/Immun… 2542 2018/08/05
health-record/src/main/java/com/het/record/repository/He… 642 2018/08/05
health-record/src/main/java/com/het/record/repository/Im… 728 2018/08/05
health-record/src/main/java/com/het/record/rest/HealthNo… 4210 2018/08/05
health-record/src/main/java/com/het/record/rest/Immuniz… 1680 2018/08/05
health-record/src/main/java/com/het/record/service/IHealt… 512 2018/08/05
health-record/src/main/java/com/het/record/service/IImmu… 413 2018/08/05
health-record/src/main/java/com/het/record/service/impl/H… 2176 2018/08/05
health-record/src/main/java/com/het/record/service/impl/I… 1662 2018/08/05
health-record/src/main/resources/application.properties 1210 2018/08/05
health-record/src/main/resources/application-dev.properties 852 2018/08/05
health-record/src/main/resources/application-prod.propert… 99 2018/08/05
health-record/src/main/resources/application-stage.proper… 124 2018/08/05
health-record/src/main/resources/data-hr-dev.sql 284 2018/08/05
health-record/src/main/resources/logback-spring.xml 3339 2018/08/05
health-record/src/main/resources/schema-hr.sql 588 2018/08/05
health-record/src/test/java/com/het/record/repository/Hea… 2572 2018/08/05
health-record/src/test/java/com/het/record/repository/Im… 758 2018/08/05
health-record/src/test/java/com/het/record/rest/HealthNot… 3847 2018/08/05
health-record/src/test/java/com/het/record/service/Health… 1992 2018/08/05
health-record/src/test/java/com/het/record/service/Immun… 6336 2018/08/05
health-record/src/test/resources/application.properties 780 2018/08/05
monitoring/pom.xml 2040 2018/08/05
monitoring/src/main/java/com/het/monitoring/MonitoringA… 651 2018/08/05
notifications/pom.xml 650 2018/08/05

persistence/pom.xml 1560 2018/08/05
pom.xml 19483 2018/08/05
registry/pom.xml 1682 2018/08/05
registry/src/main/java/com/het/registry/RegistryApplicatio… 490 2018/08/05
registry/src/main/resources/application.properties 171 2018/08/05
reporting/pom.xml 629 2018/08/05
rules/pom.xml 3733 2018/08/05
rules/src/main/java/com/het/pojo/Config.java 779 2018/08/05
rules/src/main/java/com/het/pojo/Dosage.java 847 2018/08/05
rules/src/main/java/com/het/pojo/Exemption.java 656 2018/08/05
rules/src/main/java/com/het/pojo/Rule.java 3205 2018/08/05
rules/src/main/java/com/het/pojo/RulesRequest.java 1788 2018/08/05
rules/src/main/java/com/het/pojo/RulesResponse.java 1021 2018/08/05
rules/src/main/java/com/het/pojo/Scenario.java 1644 2018/08/05
rules/src/main/java/com/het/pojo/School.java 950 2018/08/05
rules/src/main/java/com/het/pojo/Student.java 1639 2018/08/05
rules/src/main/java/com/het/util/Configurations.java 2520 2018/08/05
rules/src/main/java/com/het/util/RuleAdministrator.java 9993 2018/08/05
rules/src/main/java/com/het/util/RuleEngineUtil.java 10571 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPRules.properties 187 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario1.prope… 641 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario2.prope… 768 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario3.prope… 719 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario4.prope… 704 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario5.prope… 850 2018/08/05
rules/src/main/resources/rules/DTAP/DTAPScenario6.prope… 579 2018/08/05
rules/src/main/resources/rules/HEPATITISB/HEPATITISBRu… 151 2018/08/05
rules/src/main/resources/rules/HEPATITISB/HEPATITISBSc… 650 2018/08/05
rules/src/main/resources/rules/HEPATITISB/HEPATITISBSc… 577 2018/08/05
rules/src/main/resources/rules/HEPATITISB/HEPATITISBSc… 431 2018/08/05
rules/src/main/resources/rules/MCV4/MCV4Rules.properties 151 2018/08/05
rules/src/main/resources/rules/MCV4/MCV4Scenario1.prop… 156 2018/08/05
rules/src/main/resources/rules/MCV4/MCV4Scenario2.prop… 256 2018/08/05
rules/src/main/resources/rules/MCV4/MCV4Scenario3.prop… 474 2018/08/05
rules/src/main/resources/rules/MCV4/MCV4Scenario4.prop… 265 2018/08/05

rules/src/main/resources/rules/MMR_VZV/MMR_VZVRules.… 143 2018/08/05
rules/src/main/resources/rules/MMR_VZV/MMR_VZVScena… 474 2018/08/05
rules/src/main/resources/rules/MMR_VZV/MMR_VZVScena… 1211 2018/08/05
rules/src/main/resources/rules/PB/PBRules.properties 111 2018/08/05
rules/src/main/resources/rules/PB/PBScenario1.properties 208 2018/08/05
rules/src/main/resources/rules/PB/PBScenario2.properties 97 2018/08/05
rules/src/main/resources/rules/POLIO/POLIORules.properties 174 2018/08/05
rules/src/main/resources/rules/POLIO/POLIOScenario1.pro… 700 2018/08/05
rules/src/main/resources/rules/POLIO/POLIOScenario2.pro… 914 2018/08/05
rules/src/main/resources/rules/POLIO/POLIOScenario3.pro… 804 2018/08/05
rules/src/main/resources/rules/POLIO/POLIOScenario4.pro… 613 2018/08/05
rules/src/main/resources/rules/POLIO/POLIOScenario5.pro… 612 2018/08/05
rules/src/test/java/com/het/TestAllRules_DTaP.java 6115 2018/08/05
rules/src/test/java/com/het/TestAllRules_HepatitisB.java 4852 2018/08/05
rules/src/test/java/com/het/TestAllRules_MCV4.java 5656 2018/08/05
rules/src/test/java/com/het/TestAllRules_MMR_VZV.java 10725 2018/08/05
rules/src/test/java/com/het/TestAllRules_Pb.java 3387 2018/08/05
rules/src/test/java/com/het/TestAllRules_Polio.java 8824 2018/08/05
rules/src/test/java/com/het/TestByScenario.java 6484 2018/08/05
rules/src/test/java/com/het/TestConfiguartions.java 2611 2018/08/05
rules/src/test/java/com/het/TestExceptions.java 7176 2018/08/05
rules/src/test/java/com/het/TestFromExcel.java 6440 2018/08/05
rules/src/test/java/com/het/TestHelper.java 6224 2018/08/05
rules/src/test/java/com/het/TestLocalDateTime.java 562 2018/08/05
rules/src/test/java/com/het/TestMultipleRuleRequest.java 4451 2018/08/05
rules/src/test/java/com/het/TestRuleEngine.java 3889 2018/08/05
rules/src/test/java/com/het/TestRuleExemptions.java 1856 2018/08/05
rules/src/test/java/com/het/TestRuleFormatting.java 1479 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPRules.properties 187 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario1.prope… 646 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario2.prope… 773 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario3.prope… 719 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario4.prope… 704 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario5.prope… 854 2018/08/05
rules/src/test/resources/rules/DTAP/DTAPScenario6.prope… 583 2018/08/05

rules/src/test/resources/rules/HEPATITISB/HEPATITISBRul… 151 2018/08/05
rules/src/test/resources/rules/HEPATITISB/HEPATITISBSce… 650 2018/08/05
rules/src/test/resources/rules/HEPATITISB/HEPATITISBSce… 577 2018/08/05
rules/src/test/resources/rules/HEPATITISB/HEPATITISBSce… 296 2018/08/05
rules/src/test/resources/rules/MCV4/MCV4Rules.properties 151 2018/08/05
rules/src/test/resources/rules/MCV4/MCV4Scenario1.prop… 156 2018/08/05
rules/src/test/resources/rules/MCV4/MCV4Scenario2.prop… 258 2018/08/05
rules/src/test/resources/rules/MCV4/MCV4Scenario3.prop… 474 2018/08/05
rules/src/test/resources/rules/MCV4/MCV4Scenario4.prop… 127 2018/08/05
rules/src/test/resources/rules/MMR_VZV/MMR_VZVRules.p… 143 2018/08/05
rules/src/test/resources/rules/MMR_VZV/MMR_VZVScenari… 474 2018/08/05
rules/src/test/resources/rules/MMR_VZV/MMR_VZVScenari… 1213 2018/08/05
rules/src/test/resources/rules/PB/PBRules.properties 111 2018/08/05
rules/src/test/resources/rules/PB/PBScenario1.properties 208 2018/08/05
rules/src/test/resources/rules/PB/PBScenario2.properties 97 2018/08/05
rules/src/test/resources/rules/POLIO/POLIORules.properties 174 2018/08/05
rules/src/test/resources/rules/POLIO/POLIOScenario1.prop… 703 2018/08/05
rules/src/test/resources/rules/POLIO/POLIOScenario2.prop… 915 2018/08/05
rules/src/test/resources/rules/POLIO/POLIOScenario3.prop… 804 2018/08/05
rules/src/test/resources/rules/POLIO/POLIOScenario4.prop… 613 2018/08/05
rules/src/test/resources/rules/POLIO/POLIOScenario5.prop… 612 2018/08/05
rules/src/test/resources/test/DUMMY/DUMMYRules.propert… 117 2018/08/05
rules/src/test/resources/test/DUMMY/DUMMYScenario1.pr… 134 2018/08/05
rules/src/test/resources/test/test1.properties 71 2018/08/05
rules/src/test/resources/test/test2.properties 121 2018/08/05
scheduling/pom.xml 640 2018/08/05
school-management/pom.xml 5745 2018/08/05
school-management/src/main/java/com/het/management/… 242 2018/08/05
school-management/src/main/java/com/het/management/… 388 2018/08/05
school-management/src/main/java/com/het/management/… 246 2018/08/05
school-management/src/main/java/com/het/management/… 225 2018/08/05
school-management/src/main/java/com/het/management/… 229 2018/08/05
school-management/src/main/java/com/het/management/… 141 2018/08/05
school-management/src/main/java/com/het/management/… 152 2018/08/05
school-management/src/main/java/com/het/management/… 151 2018/08/05

school-management/src/main/java/com/het/management/… 140 2018/08/05
school-management/src/main/java/com/het/management/… 149 2018/08/05
school-management/src/main/java/com/het/management/… 154 2018/08/05
school-management/src/main/java/com/het/management/… 130 2018/08/05
school-management/src/main/java/com/het/management/… 927 2018/08/05
school-management/src/main/java/com/het/management/… 1233 2018/08/05
school-management/src/main/java/com/het/management/… 5465 2018/08/05
school-management/src/main/java/com/het/management/… 4206 2018/08/05
school-management/src/main/java/com/het/management/… 2294 2018/08/05
school-management/src/main/java/com/het/management/… 1734 2018/08/05
school-management/src/main/java/com/het/management/… 1859 2018/08/05
school-management/src/main/java/com/het/management/… 223 2018/08/05
school-management/src/main/java/com/het/management/… 3229 2018/08/05
school-management/src/main/java/com/het/management/… 3036 2018/08/05
school-management/src/main/java/com/het/management/… 2512 2018/08/05
school-management/src/main/java/com/het/management/… 746 2018/08/05
school-management/src/main/java/com/het/management/… 322 2018/08/05
school-management/src/main/java/com/het/management/… 341 2018/08/05
school-management/src/main/java/com/het/management/… 7832 2018/08/05
school-management/src/main/java/com/het/management/… 336 2018/08/05
school-management/src/main/java/com/het/management/… 382 2018/08/05
school-management/src/main/java/com/het/management/… 284 2018/08/05
school-management/src/main/java/com/het/management/… 287 2018/08/05
school-management/src/main/java/com/het/management/… 345 2018/08/05
school-management/src/main/java/com/het/management/… 1438 2018/08/05
school-management/src/main/java/com/het/management/… 2230 2018/08/05
school-management/src/main/java/com/het/management/… 1150 2018/08/05
school-management/src/main/java/com/het/management/… 445 2018/08/05
school-management/src/main/java/com/het/management/… 2055 2018/08/05
school-management/src/main/java/com/het/management/… 2182 2018/08/05
school-management/src/main/java/com/het/management/… 2559 2018/08/05
school-management/src/main/java/com/het/management/… 1779 2018/08/05
school-management/src/main/java/com/het/management/… 3250 2018/08/05
school-management/src/main/java/com/het/management/… 2090 2018/08/05
school-management/src/main/java/com/het/management/… 2621 2018/08/05

school-management/src/main/java/com/het/management/… 3783 2018/08/05
school-management/src/main/java/com/het/management/… 457 2018/08/05
school-management/src/main/java/com/het/management/… 415 2018/08/05
school-management/src/main/java/com/het/management/… 206 2018/08/05
school-management/src/main/java/com/het/management/… 215 2018/08/05
school-management/src/main/java/com/het/management/… 1357 2018/08/05
school-management/src/main/java/com/het/management/… 918 2018/08/05
school-management/src/main/java/com/het/management/… 960 2018/08/05
school-management/src/main/java/com/het/management/… 1009 2018/08/05
school-management/src/main/java/com/het/management/… 2054 2018/08/05
school-management/src/main/java/com/het/management/… 920 2018/08/05
school-management/src/main/java/com/het/management/… 2525 2018/08/05
school-management/src/main/java/com/het/management/… 7568 2018/08/05
school-management/src/main/java/com/het/management/… 358 2018/08/05
school-management/src/main/java/com/het/management/… 388 2018/08/05
school-management/src/main/java/com/het/management/… 206 2018/08/05
school-management/src/main/java/com/het/management/… 647 2018/08/05
school-management/src/main/java/com/het/management/… 638 2018/08/05
school-management/src/main/java/com/het/management/… 199 2018/08/05
school-management/src/main/resources/application.proper… 1487 2018/08/05
school-management/src/main/resources/application-dev.pr… 858 2018/08/05
school-management/src/main/resources/application-prod.… 99 2018/08/05
school-management/src/main/resources/application-stage.… 380 2018/08/05
school-management/src/main/resources/data-sm-dev.sql 15967 2018/08/05
school-management/src/main/resources/logback-spring.xml 3423 2018/08/05
school-management/src/main/resources/schema-sm.sql 4471 2018/08/05
school-management/src/test/java/com/het/management/i… 2040 2018/08/05
school-management/src/test/java/com/het/management/r… 835 2018/08/05
school-management/src/test/java/com/het/management/r… 900 2018/08/05
school-management/src/test/java/com/het/management/r… 1161 2018/08/05
school-management/src/test/java/com/het/management/r… 2318 2018/08/05
school-management/src/test/java/com/het/management/r… 1339 2018/08/05
school-management/src/test/java/com/het/management/r… 1528 2018/08/05
school-management/src/test/java/com/het/management/r… 3479 2018/08/05
school-management/src/test/java/com/het/management/r… 5957 2018/08/05

school-management/src/test/java/com/het/management/r… 2449 2018/08/05
school-management/src/test/java/com/het/management/r… 2456 2018/08/05
school-management/src/test/java/com/het/management/r… 6605 2018/08/05
school-management/src/test/java/com/het/management/r… 707 2018/08/05
school-management/src/test/java/com/het/management/s… 1913 2018/08/05
school-management/src/test/java/com/het/management/s… 3639 2018/08/05
school-management/src/test/resources/application.proper… 779 2018/08/05
security/pom.xml 3595 2018/08/05
security/src/main/java/com/het/auth/config/SecurityConfig… 4289 2018/08/05
security/src/main/java/com/het/security/audit/RevisionInfo… 1367 2018/08/05
security/src/main/java/com/het/security/audit/RevisionInfo… 931 2018/08/05
security/src/main/java/com/het/security/exception/HetSec… 781 2018/08/05
security/src/main/java/com/het/security/exception/Securit… 428 2018/08/05
security/src/main/java/com/het/security/filter/AuthFilter.java 2545 2018/08/05
security/src/main/java/com/het/security/filter/LoginFilter.java 4642 2018/08/05
security/src/main/java/com/het/security/interceptor/HostH… 1899 2018/08/05
security/src/main/java/com/het/security/interceptor/TokenI… 1529 2018/08/05
security/src/main/java/com/het/security/model/user/Acces… 1347 2018/08/05
security/src/main/java/com/het/security/model/user/Permi… 1199 2018/08/05
security/src/main/java/com/het/security/model/user/Role.j… 1505 2018/08/05
security/src/main/java/com/het/security/model/user/User.j… 2183 2018/08/05
security/src/main/java/com/het/security/model/user/UserS… 2185 2018/08/05
security/src/main/java/com/het/security/model/UserAuthe… 3461 2018/08/05
security/src/main/java/com/het/security/model/UserLoginL… 1153 2018/08/05
security/src/main/java/com/het/security/repository/user/A… 742 2018/08/05
security/src/main/java/com/het/security/repository/user/P… 297 2018/08/05
security/src/main/java/com/het/security/repository/user/R… 279 2018/08/05
security/src/main/java/com/het/security/repository/user/U… 545 2018/08/05
security/src/main/java/com/het/security/repository/user/U… 860 2018/08/05
security/src/main/java/com/het/security/repository/user/U… 696 2018/08/05
security/src/main/java/com/het/security/rest/AccountRest… 2565 2018/08/05
security/src/main/java/com/het/security/SecurityApplicatio… 1051 2018/08/05
security/src/main/java/com/het/security/service/IAccountS… 908 2018/08/05
security/src/main/java/com/het/security/service/impl/Acco… 7221 2018/08/05
security/src/main/java/com/het/security/service/impl/Defau… 1318 2018/08/05

security/src/main/java/com/het/security/service/impl/LastT… 2213 2018/08/05
security/src/main/java/com/het/security/service/impl/Token… 2565 2018/08/05
security/src/main/java/com/het/security/service/IPassword… 417 2018/08/05
security/src/main/java/com/het/security/service/ITokenSer… 502 2018/08/05
security/src/main/java/com/het/security/utils/AuthorityBas… 1000 2018/08/05
security/src/main/java/com/het/security/utils/AuthRequest… 67 2018/08/05
security/src/main/java/com/het/security/utils/AuthRespon… 1976 2018/08/05
security/src/main/java/com/het/security/utils/Constants.ja… 1112 2018/08/05
security/src/main/java/com/het/security/utils/RestMapping… 394 2018/08/05
security/src/main/resources/application-dev.properties 739 2018/08/05
security/src/main/resources/application-prod.properties 99 2018/08/05
security/src/main/resources/application-stage.properties 124 2018/08/05
security/src/main/resources/data-sec-dev.sql 2085 2018/08/05
security/src/main/resources/logback-spring.xml 4086 2018/08/05
security/src/main/resources/schema-sec.sql 2175 2018/08/05
security/src/test/java/com/het/security/repository/user/Ac… 2140 2018/08/05
security/src/test/java/com/het/security/repository/user/Pe… 936 2018/08/05
security/src/test/java/com/het/security/repository/user/Ro… 1208 2018/08/05
security/src/test/java/com/het/security/repository/user/Us… 1948 2018/08/05
security/src/test/java/com/het/security/service/user/UserS… 5136 2018/08/05
security/src/test/java/com/het/security/service/user/UserS… 3316 2018/08/05
security/src/test/java/com/het/security/service/user/UserS… 4099 2018/08/05
security/src/test/resources/application.properties 780 2018/08/05
ui/app/browserHistorySingleton.js 90 2018/08/05
ui/app/components/A/index.js 190 2018/08/05
ui/app/components/AcademicNoticesForm/messages.js 555 2018/08/05
ui/app/components/AcademicNoticesForm/tests/index.test… 255 2018/08/05
ui/app/components/AllergiesForm/messages.js 312 2018/08/05
ui/app/components/AllergiesForm/tests/index.test.js 243 2018/08/05
ui/app/components/AppointmentForm/messages.js 1064 2018/08/05
ui/app/components/AppointmentForm/tests/index.test.js 247 2018/08/05
ui/app/components/Avatar/tests/index.test.js 229 2018/08/05
ui/app/components/BMIForm/messages.js 923 2018/08/05
ui/app/components/BMIForm/tests/index.test.js 231 2018/08/05
ui/app/components/Button/A.js 145 2018/08/05

ui/app/components/Button/buttonStyles.js 556 2018/08/05
ui/app/components/Button/StyledButton.js 172 2018/08/05
ui/app/components/Button/Wrapper.js 151 2018/08/05
ui/app/components/ButtonRadio/tests/index.test.js 239 2018/08/05
ui/app/components/CdmForm/messages.js 594 2018/08/05
ui/app/components/CdmForm/tests/index.test.js 231 2018/08/05
ui/app/components/ChronicConditionsForm/messages.js 338 2018/08/05
ui/app/components/ChronicConditionsForm/tests/index.te… 259 2018/08/05
ui/app/components/ConditionsForm/messages.js 482 2018/08/05
ui/app/components/ConditionsForm/tests/index.test.js 245 2018/08/05
ui/app/components/ContactForm/messages.js 744 2018/08/05
ui/app/components/ContactForm/tests/index.test.js 239 2018/08/05
ui/app/components/CustomSearch/messages.js 329 2018/08/05
ui/app/components/CustomSearch/tests/index.test.js 241 2018/08/05
ui/app/components/CustomToolBar/tests/index.test.js 243 2018/08/05
ui/app/components/DentalForm/messages.js 834 2018/08/05
ui/app/components/DentalForm/tests/index.test.js 237 2018/08/05
ui/app/components/EmergencyConditionsForm/messages.js 552 2018/08/05
ui/app/components/EmergencyConditionsForm/tests/inde… 263 2018/08/05
ui/app/components/EncounterButtons/messages.js 320 2018/08/05
ui/app/components/EncounterButtons/tests/index.test.js 245 2018/08/05
ui/app/components/Error/tests/index.test.js 227 2018/08/05
ui/app/components/FormErrors/tests/index.test.js 237 2018/08/05
ui/app/components/GroupBmi/tests/index.test.js 233 2018/08/05
ui/app/components/GroupDental/tests/index.test.js 239 2018/08/05
ui/app/components/GroupHearing/tests/index.test.js 241 2018/08/05
ui/app/components/GroupPhysical/tests/index.test.js 243 2018/08/05
ui/app/components/GroupScoliosis/tests/index.test.js 245 2018/08/05
ui/app/components/GroupStatusInfo/tests/index.test.js 247 2018/08/05
ui/app/components/GroupVision/tests/index.test.js 239 2018/08/05
ui/app/components/H1/index.js 129 2018/08/05
ui/app/components/H2/index.js 106 2018/08/05
ui/app/components/Header/A.js 103 2018/08/05
ui/app/components/Header/HeaderLink.js 557 2018/08/05
ui/app/components/Header/Img.js 188 2018/08/05

ui/app/components/Header/messages.js 359 2018/08/05
ui/app/components/Header/NavBar.js 93 2018/08/05
ui/app/components/HealthNoticeForm/messages.js 391 2018/08/05
ui/app/components/HealthNoticeForm/tests/index.test.js 249 2018/08/05
ui/app/components/HearingForm/messages.js 1020 2018/08/05
ui/app/components/HearingForm/tests/index.test.js 239 2018/08/05
ui/app/components/IllnessForm/messages.js 325 2018/08/05
ui/app/components/IllnessForm/tests/index.test.js 239 2018/08/05
ui/app/components/ImmunizationsForm/messages.js 2185 2018/08/05
ui/app/components/ImmunizationsForm/tests/index.test.js 251 2018/08/05
ui/app/components/IndividualOrderForm/messages.js 2702 2018/08/05
ui/app/components/IndividualOrderForm/tests/index.test.js 255 2018/08/05
ui/app/components/InjuryFields/messages.js 968 2018/08/05
ui/app/components/InjuryFields/tests/index.test.js 241 2018/08/05
ui/app/components/InjuryForm/messages.js 797 2018/08/05
ui/app/components/InjuryForm/tests/index.test.js 237 2018/08/05
ui/app/components/List/Ul.js 192 2018/08/05
ui/app/components/List/Wrapper.js 234 2018/08/05
ui/app/components/ListItem/Item.js 196 2018/08/05
ui/app/components/ListItem/Wrapper.js 263 2018/08/05
ui/app/components/LoadingIndicator/Wrapper.js 170 2018/08/05
ui/app/components/MedsForm/messages.js 759 2018/08/05
ui/app/components/MedsForm/tests/index.test.js 196 2018/08/05
ui/app/components/MultiCheckbox/tests/index.test.js 243 2018/08/05
ui/app/components/Navbar/messages.js 949 2018/08/05
ui/app/components/Navbar/tests/index.test.js 229 2018/08/05
ui/app/components/OtherForm/messages.js 400 2018/08/05
ui/app/components/OtherForm/tests/index.test.js 235 2018/08/05
ui/app/components/PhysicalForm/messages.js 3653 2018/08/05
ui/app/components/PhysicalForm/tests/index.test.js 259 2018/08/05
ui/app/components/ProviderOnly/messages.js 306 2018/08/05
ui/app/components/ProviderOnly/tests/index.test.js 241 2018/08/05
ui/app/components/ReposList/Wrapper.js 165 2018/08/05
ui/app/components/ScoliosisForm/messages.js 687 2018/08/05
ui/app/components/ScoliosisForm/tests/index.test.js 243 2018/08/05

ui/app/components/ScreeningChart/messages.js 2293 2018/08/05
ui/app/components/ScreeningChart/tests/index.test.js 245 2018/08/05
ui/app/components/ScreeningDetails/messages.js 648 2018/08/05
ui/app/components/ScreeningDetails/tests/index.test.js 249 2018/08/05
ui/app/components/ScreeningForm/actions.js 1080 2018/08/05
ui/app/components/ScreeningForm/constants.js 297 2018/08/05
ui/app/components/ScreeningForm/messages.js 462 2018/08/05
ui/app/components/ScreeningForm/reducer.js 898 2018/08/05
ui/app/components/ScreeningForm/saga.js 1201 2018/08/05
ui/app/components/ScreeningForm/selectors.js 494 2018/08/05
ui/app/components/ScreeningForm/tests/index.test.js 243 2018/08/05
ui/app/components/StandingOrderAuthForm/messages.js 737 2018/08/05
ui/app/components/StandingOrderAuthForm/tests/index.t… 259 2018/08/05
ui/app/components/StudentPanel/tests/index.test.js 241 2018/08/05
ui/app/components/Tabs/tests/index.test.js 225 2018/08/05
ui/app/components/Toggle/Select.js 169 2018/08/05
ui/app/components/VisionForm/messages.js 1703 2018/08/05
ui/app/components/VisionForm/tests/index.test.js 237 2018/08/05
ui/app/configureStore.js 1936 2018/08/05
ui/app/containers/Alerts/actions.js 704 2018/08/05
ui/app/containers/Alerts/constants.js 414 2018/08/05
ui/app/containers/Alerts/reducer.js 919 2018/08/05
ui/app/containers/Alerts/saga.js 2930 2018/08/05
ui/app/containers/Alerts/selectors.js 554 2018/08/05
ui/app/containers/Alerts/tests/actions.test.js 349 2018/08/05
ui/app/containers/Alerts/tests/index.test.js 233 2018/08/05
ui/app/containers/Alerts/tests/reducer.test.js 226 2018/08/05
ui/app/containers/Alerts/tests/saga.test.js 347 2018/08/05
ui/app/containers/Alerts/tests/selectors.test.js 228 2018/08/05
ui/app/containers/App/actions.js 1061 2018/08/05
ui/app/containers/App/baseConstants.js 517 2018/08/05
ui/app/containers/App/constants.js 6495 2018/08/05
ui/app/containers/App/reducer.js 2273 2018/08/05
ui/app/containers/App/saga.js 5110 2018/08/05
ui/app/containers/App/selectors.js 1678 2018/08/05

ui/app/containers/App/tests/actions.test.js 1136 2018/08/05
ui/app/containers/App/tests/reducer.test.js 1512 2018/08/05
ui/app/containers/App/tests/selectors.test.js 2099 2018/08/05
ui/app/containers/AppointmentList/actions.js 818 2018/08/05
ui/app/containers/AppointmentList/constants.js 1232 2018/08/05
ui/app/containers/AppointmentList/messages.js 337 2018/08/05
ui/app/containers/AppointmentList/reducer.js 2114 2018/08/05
ui/app/containers/AppointmentList/saga.js 7495 2018/08/05
ui/app/containers/AppointmentList/selectors.js 824 2018/08/05
ui/app/containers/AppointmentList/tests/actions.test.js 358 2018/08/05
ui/app/containers/AppointmentList/tests/index.test.js 251 2018/08/05
ui/app/containers/AppointmentList/tests/reducer.test.js 253 2018/08/05
ui/app/containers/AppointmentList/tests/saga.test.js 347 2018/08/05
ui/app/containers/AppointmentList/tests/selectors.test.js 246 2018/08/05
ui/app/containers/Auth/actions.js 1365 2018/08/05
ui/app/containers/Auth/AtPrefix.js 138 2018/08/05
ui/app/containers/Auth/CenteredSection.js 132 2018/08/05
ui/app/containers/Auth/constants.js 845 2018/08/05
ui/app/containers/Auth/Form.js 114 2018/08/05
ui/app/containers/Auth/Input.js 146 2018/08/05
ui/app/containers/Auth/messages.js 778 2018/08/05
ui/app/containers/Auth/reducer.js 2205 2018/08/05
ui/app/containers/Auth/saga.js 8555 2018/08/05
ui/app/containers/Auth/Section.js 163 2018/08/05
ui/app/containers/Auth/selectors.js 1461 2018/08/05
ui/app/containers/Auth/tests/actions.test.js 347 2018/08/05
ui/app/containers/Auth/tests/index.test.js 229 2018/08/05
ui/app/containers/Auth/tests/reducer.test.js 220 2018/08/05
ui/app/containers/Auth/tests/saga.test.js 347 2018/08/05
ui/app/containers/Auth/tests/selectors.test.js 224 2018/08/05
ui/app/containers/DailyLogList/actions.js 425 2018/08/05
ui/app/containers/DailyLogList/constants.js 263 2018/08/05
ui/app/containers/DailyLogList/messages.js 325 2018/08/05
ui/app/containers/DailyLogList/reducer.js 858 2018/08/05
ui/app/containers/DailyLogList/saga.js 2665 2018/08/05

ui/app/containers/DailyLogList/selectors.js 756 2018/08/05
ui/app/containers/DailyLogList/tests/actions.test.js 355 2018/08/05
ui/app/containers/DailyLogList/tests/index.test.js 245 2018/08/05
ui/app/containers/DailyLogList/tests/reducer.test.js 244 2018/08/05
ui/app/containers/DailyLogList/tests/saga.test.js 347 2018/08/05
ui/app/containers/DailyLogList/tests/selectors.test.js 240 2018/08/05
ui/app/containers/EncounterForm/actions.js 2401 2018/08/05
ui/app/containers/EncounterForm/constants.js 1665 2018/08/05
ui/app/containers/EncounterForm/messages.js 548 2018/08/05
ui/app/containers/EncounterForm/reducer.js 5936 2018/08/05
ui/app/containers/EncounterForm/saga.js 7446 2018/08/05
ui/app/containers/EncounterForm/selectors.js 1568 2018/08/05
ui/app/containers/EncounterForm/tests/actions.test.js 356 2018/08/05
ui/app/containers/EncounterForm/tests/index.test.js 247 2018/08/05
ui/app/containers/EncounterForm/tests/reducer.test.js 247 2018/08/05
ui/app/containers/EncounterForm/tests/saga.test.js 347 2018/08/05
ui/app/containers/EncounterForm/tests/selectors.test.js 240 2018/08/05
ui/app/containers/EncounterSummary/actions.js 524 2018/08/05
ui/app/containers/EncounterSummary/constants.js 327 2018/08/05
ui/app/containers/EncounterSummary/messages.js 341 2018/08/05
ui/app/containers/EncounterSummary/reducer.js 896 2018/08/05
ui/app/containers/EncounterSummary/saga.js 1626 2018/08/05
ui/app/containers/EncounterSummary/selectors.js 793 2018/08/05
ui/app/containers/EncounterSummary/tests/actions.test.js 359 2018/08/05
ui/app/containers/EncounterSummary/tests/index.test.js 253 2018/08/05
ui/app/containers/EncounterSummary/tests/reducer.test.js 256 2018/08/05
ui/app/containers/EncounterSummary/tests/saga.test.js 347 2018/08/05
ui/app/containers/EncounterSummary/tests/selectors.test… 248 2018/08/05
ui/app/containers/Footer/actions.js 950 2018/08/05
ui/app/containers/Footer/constants.js 147 2018/08/05
ui/app/containers/Footer/messages.js 301 2018/08/05
ui/app/containers/Footer/reducer.js 2162 2018/08/05
ui/app/containers/Footer/saga.js 191 2018/08/05
ui/app/containers/Footer/selectors.js 559 2018/08/05
ui/app/containers/Footer/tests/actions.test.js 349 2018/08/05

ui/app/containers/Footer/tests/index.test.js 233 2018/08/05
ui/app/containers/Footer/tests/reducer.test.js 226 2018/08/05
ui/app/containers/Footer/tests/saga.test.js 347 2018/08/05
ui/app/containers/Footer/tests/selectors.test.js 228 2018/08/05
ui/app/containers/Footer/Wrapper.js 202 2018/08/05
ui/app/containers/GroupEncounter/actions.js 476 2018/08/05
ui/app/containers/GroupEncounter/constants.js 303 2018/08/05
ui/app/containers/GroupEncounter/messages.js 333 2018/08/05
ui/app/containers/GroupEncounter/reducer.js 1032 2018/08/05
ui/app/containers/GroupEncounter/saga.js 191 2018/08/05
ui/app/containers/GroupEncounter/selectors.js 940 2018/08/05
ui/app/containers/GroupEncounter/tests/actions.test.js 357 2018/08/05
ui/app/containers/GroupEncounter/tests/index.test.js 249 2018/08/05
ui/app/containers/GroupEncounter/tests/reducer.test.js 250 2018/08/05
ui/app/containers/GroupEncounter/tests/saga.test.js 347 2018/08/05
ui/app/containers/GroupEncounter/tests/selectors.test.js 244 2018/08/05
ui/app/containers/GroupList/actions.js 566 2018/08/05
ui/app/containers/GroupList/constants.js 343 2018/08/05
ui/app/containers/GroupList/messages.js 313 2018/08/05
ui/app/containers/GroupList/reducer.js 1158 2018/08/05
ui/app/containers/GroupList/saga.js 1673 2018/08/05
ui/app/containers/GroupList/selectors.js 860 2018/08/05
ui/app/containers/GroupList/tests/actions.test.js 352 2018/08/05
ui/app/containers/GroupList/tests/index.test.js 239 2018/08/05
ui/app/containers/GroupList/tests/reducer.test.js 235 2018/08/05
ui/app/containers/GroupList/tests/saga.test.js 347 2018/08/05
ui/app/containers/GroupList/tests/selectors.test.js 234 2018/08/05
ui/app/containers/GroupScreening/actions.js 1444 2018/08/05
ui/app/containers/GroupScreening/constants.js 1002 2018/08/05
ui/app/containers/GroupScreening/reducer.js 4401 2018/08/05
ui/app/containers/GroupScreening/saga.js 4228 2018/08/05
ui/app/containers/GroupScreening/selectors.js 941 2018/08/05
ui/app/containers/GroupScreening/tests/actions.test.js 357 2018/08/05
ui/app/containers/GroupScreening/tests/index.test.js 249 2018/08/05
ui/app/containers/GroupScreening/tests/reducer.test.js 250 2018/08/05

ui/app/containers/GroupScreening/tests/saga.test.js 347 2018/08/05
ui/app/containers/GroupScreening/tests/selectors.test.js 244 2018/08/05
ui/app/containers/GroupStudentList/actions.js 1053 2018/08/05
ui/app/containers/GroupStudentList/constants.js 708 2018/08/05
ui/app/containers/GroupStudentList/reducer.js 1339 2018/08/05
ui/app/containers/GroupStudentList/saga.js 6240 2018/08/05
ui/app/containers/GroupStudentList/selectors.js 788 2018/08/05
ui/app/containers/GroupStudentList/tests/actions.test.js 359 2018/08/05
ui/app/containers/GroupStudentList/tests/index.test.js 253 2018/08/05
ui/app/containers/GroupStudentList/tests/reducer.test.js 256 2018/08/05
ui/app/containers/GroupStudentList/tests/saga.test.js 347 2018/08/05
ui/app/containers/GroupStudentList/tests/selectors.test.js 248 2018/08/05
ui/app/containers/HomePage/actions.js 868 2018/08/05
ui/app/containers/HomePage/AtPrefix.js 138 2018/08/05
ui/app/containers/HomePage/CenteredSection.js 132 2018/08/05
ui/app/containers/HomePage/constants.js 497 2018/08/05
ui/app/containers/HomePage/Form.js 114 2018/08/05
ui/app/containers/HomePage/Input.js 146 2018/08/05
ui/app/containers/HomePage/messages.js 833 2018/08/05
ui/app/containers/HomePage/reducer.js 768 2018/08/05
ui/app/containers/HomePage/saga.js 1262 2018/08/05
ui/app/containers/HomePage/Section.js 163 2018/08/05
ui/app/containers/HomePage/selectors.js 283 2018/08/05
ui/app/containers/HomePage/tests/actions.test.js 445 2018/08/05
ui/app/containers/HomePage/tests/reducer.test.js 646 2018/08/05
ui/app/containers/HomePage/tests/saga.test.js 1759 2018/08/05
ui/app/containers/HomePage/tests/selectors.test.js 687 2018/08/05
ui/app/containers/IndividualEncounter/actions.js 2132 2018/08/05
ui/app/containers/IndividualEncounter/constants.js 2629 2018/08/05
ui/app/containers/IndividualEncounter/messages.js 353 2018/08/05
ui/app/containers/IndividualEncounter/selectors.js 3593 2018/08/05
ui/app/containers/IndividualEncounter/tests/actions.test.js 362 2018/08/05
ui/app/containers/IndividualEncounter/tests/index.test.js 259 2018/08/05
ui/app/containers/IndividualEncounter/tests/reducer.test.js 265 2018/08/05
ui/app/containers/IndividualEncounter/tests/saga.test.js 347 2018/08/05

ui/app/containers/IndividualEncounter/tests/selectors.test.… 254 2018/08/05
ui/app/containers/LanguageProvider/actions.js 222 2018/08/05
ui/app/containers/LanguageProvider/constants.js 109 2018/08/05
ui/app/containers/LanguageProvider/reducer.js 495 2018/08/05
ui/app/containers/LanguageProvider/selectors.js 371 2018/08/05
ui/app/containers/LanguageProvider/tests/actions.test.js 385 2018/08/05
ui/app/containers/LanguageProvider/tests/reducer.test.js 503 2018/08/05
ui/app/containers/LanguageProvider/tests/selectors.test.js 348 2018/08/05
ui/app/containers/LocaleToggle/messages.js 351 2018/08/05
ui/app/containers/LocaleToggle/Wrapper.js 113 2018/08/05
ui/app/containers/NotFoundPage/messages.js 308 2018/08/05
ui/app/containers/StaffDetail/actions.js 199 2018/08/05
ui/app/containers/StaffDetail/constants.js 103 2018/08/05
ui/app/containers/StaffDetail/messages.js 321 2018/08/05
ui/app/containers/StaffDetail/reducer.js 362 2018/08/05
ui/app/containers/StaffDetail/saga.js 191 2018/08/05
ui/app/containers/StaffDetail/selectors.js 452 2018/08/05
ui/app/containers/StaffDetail/tests/actions.test.js 354 2018/08/05
ui/app/containers/StaffDetail/tests/index.test.js 243 2018/08/05
ui/app/containers/StaffDetail/tests/reducer.test.js 241 2018/08/05
ui/app/containers/StaffDetail/tests/saga.test.js 347 2018/08/05
ui/app/containers/StaffDetail/tests/selectors.test.js 238 2018/08/05
ui/app/containers/StudentDetail/actions.js 3839 2018/08/05
ui/app/containers/StudentDetail/constants.js 2839 2018/08/05
ui/app/containers/StudentDetail/messages.js 329 2018/08/05
ui/app/containers/StudentDetail/reducer.js 3975 2018/08/05
ui/app/containers/StudentDetail/saga.js 13688 2018/08/05
ui/app/containers/StudentDetail/selectors.js 962 2018/08/05
ui/app/containers/StudentDetail/tests/actions.test.js 356 2018/08/05
ui/app/containers/StudentDetail/tests/index.test.js 247 2018/08/05
ui/app/containers/StudentDetail/tests/reducer.test.js 247 2018/08/05
ui/app/containers/StudentDetail/tests/saga.test.js 347 2018/08/05
ui/app/containers/StudentDetail/tests/selectors.test.js 242 2018/08/05
ui/app/containers/StudentList/actions.js 753 2018/08/05
ui/app/containers/StudentList/constants.js 1026 2018/08/05

ui/app/containers/StudentList/messages.js 321 2018/08/05
ui/app/containers/StudentList/reducer.js 4064 2018/08/05
ui/app/containers/StudentList/saga.js 5701 2018/08/05
ui/app/containers/StudentList/selectors.js 1143 2018/08/05
ui/app/containers/StudentList/tests/actions.test.js 354 2018/08/05
ui/app/containers/StudentList/tests/index.test.js 243 2018/08/05
ui/app/containers/StudentList/tests/reducer.test.js 241 2018/08/05
ui/app/containers/StudentList/tests/saga.test.js 347 2018/08/05
ui/app/containers/StudentList/tests/selectors.test.js 238 2018/08/05
ui/app/index.html 1820 2018/08/05
ui/app/tests/store.test.js 1129 2018/08/05
ui/app/utils/actionCreator.js 238 2018/08/05
ui/app/utils/bmiAge.js 45933 2018/08/05
ui/app/utils/checkStore.js 584 2018/08/05
ui/app/utils/constants.js 190 2018/08/05
ui/app/utils/FA_ICONS.js 213 2018/08/05
ui/app/utils/FilterTypes.js 360 2018/08/05
ui/app/utils/Formatters.js 2708 2018/08/05
ui/app/utils/reducerInjectors.js 1068 2018/08/05
ui/app/utils/Shapes.js 5066 2018/08/05
ui/app/utils/tests/reducerInjectors.test.js 2686 2018/08/05
ui/app/utils/tests/sagaInjectors.test.js 7140 2018/08/05
ui/app/utils/utilities.js 1623 2018/08/05
ui/assembly.xml 415 2018/08/05
ui/dependencies/mdbreact/dist/mdbreact.js 1101955 2018/08/05
ui/dependencies/mdbreact/docs/registerServiceWorker.js 4015 2018/08/05
ui/dependencies/mdbreact/index.js 50 2018/08/05
ui/dependencies/mdbreact/public/index.html 1586 2018/08/05
ui/dependencies/mdbreact/src/components/utils.js 4207 2018/08/05
ui/dependencies/mdbreact/src/index.js 3640 2018/08/05
ui/dependencies/mdbreact/webpack.base.config.js 2087 2018/08/05
ui/dependencies/mdbreact/webpack.config.js 150 2018/08/05
ui/dependencies/mdbreact/webpack.dev.config.js 1134 2018/08/05
ui/dependencies/staticmdbreact/mdbreact.js 1100019 2018/08/05
ui/internals/config.js 1754 2018/08/05

ui/internals/generators/component/index.js 2334 2018/08/05
ui/internals/generators/container/index.js 4856 2018/08/05
ui/internals/generators/index.js 807 2018/08/05
ui/internals/generators/language/index.js 2811 2018/08/05
ui/internals/generators/utils/componentExists.js 524 2018/08/05
ui/internals/mocks/cssModule.js 31 2018/08/05
ui/internals/mocks/image.js 31 2018/08/05
ui/internals/scripts/analyze.js 832 2018/08/05
ui/internals/scripts/clean.js 1768 2018/08/05
ui/internals/scripts/dependencies.js 1375 2018/08/05
ui/internals/scripts/extract-intl.js 5187 2018/08/05
ui/internals/scripts/generate-templates-for-linting.js 3466 2018/08/05
ui/internals/scripts/helpers/checkmark.js 208 2018/08/05
ui/internals/scripts/helpers/progress.js 633 2018/08/05
ui/internals/scripts/helpers/xmark.js 198 2018/08/05
ui/internals/scripts/npmcheckversion.js 252 2018/08/05
ui/internals/scripts/setup.js 3504 2018/08/05
ui/internals/templates/configureStore.js 1851 2018/08/05
ui/internals/templates/containers/App/constants.js 473 2018/08/05
ui/internals/templates/containers/App/selectors.js 250 2018/08/05
ui/internals/templates/containers/App/tests/selectors.test.js 405 2018/08/05
ui/internals/templates/containers/HomePage/messages.js 308 2018/08/05
ui/internals/templates/containers/LanguageProvider/action… 209 2018/08/05
ui/internals/templates/containers/LanguageProvider/consta… 145 2018/08/05
ui/internals/templates/containers/LanguageProvider/reduce… 518 2018/08/05
ui/internals/templates/containers/LanguageProvider/select… 371 2018/08/05
ui/internals/templates/containers/NotFoundPage/messages… 324 2018/08/05
ui/internals/templates/index.html 1102 2018/08/05
ui/internals/templates/tests/store.test.js 750 2018/08/05
ui/internals/templates/utils/checkStore.js 584 2018/08/05
ui/internals/templates/utils/constants.js 190 2018/08/05
ui/internals/templates/utils/reducerInjectors.js 1068 2018/08/05
ui/internals/templates/utils/tests/reducerInjectors.test.js 2686 2018/08/05
ui/internals/templates/utils/tests/sagaInjectors.test.js 7105 2018/08/05
ui/internals/testing/enzyme-setup.js 123 2018/08/05

ui/internals/testing/test-bundler.js 112 2018/08/05
ui/internals/webpack/webpack.base.babel.js 3869 2018/08/05
ui/internals/webpack/webpack.dev.babel.js 4232 2018/08/05
ui/internals/webpack/webpack.dll.babel.js 1090 2018/08/05
ui/internals/webpack/webpack.prod.babel.js 2216 2018/08/05
ui/pom.xml 5376 2018/08/05
ui/server/argv.js 61 2018/08/05
ui/server/index.js 1373 2018/08/05
ui/server/middlewares/addDevMiddlewares.js 1050 2018/08/05
ui/server/middlewares/addProdMiddlewares.js 702 2018/08/05
ui/server/middlewares/frontendMiddleware.js 499 2018/08/05
ui/server/port.js 105 2018/08/05
web-services/pom.xml 8829 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/Cr… 1837 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/Cr… 1917 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/Del… 1607 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/Del… 1314 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 503 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 345 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 346 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 347 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 345 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/adapter/ex… 375 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/builder/Sag… 3476 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/sagas/Crea… 2730 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/sagas/TripB… 1724 2018/08/05
web-services/src/main/java/com/het/ws/bpmn/SagaServic… 2287 2018/08/05
web-services/src/main/java/com/het/ws/config/GZipConfig… 3401 2018/08/05
web-services/src/main/java/com/het/ws/config/HetDevCon… 420 2018/08/05
web-services/src/main/java/com/het/ws/config/PageNotFo… 417 2018/08/05
web-services/src/main/java/com/het/ws/config/WebConfig.… 3415 2018/08/05
web-services/src/main/java/com/het/ws/config/WebConfig… 1388 2018/08/05
web-services/src/main/java/com/het/ws/exception/RestTe… 734 2018/08/05
web-services/src/main/java/com/het/ws/facade/IAlertFacad… 344 2018/08/05
web-services/src/main/java/com/het/ws/facade/IAppointm… 620 2018/08/05

web-services/src/main/java/com/het/ws/facade/IEncounter… 909 2018/08/05
web-services/src/main/java/com/het/ws/facade/IHealthNoti… 500 2018/08/05
web-services/src/main/java/com/het/ws/facade/IImmuniza… 281 2018/08/05
web-services/src/main/java/com/het/ws/facade/IMedication… 509 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/AlertF… 2213 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Appoi… 5404 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Encou… 6698 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Health… 948 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/IImm… 865 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Medic… 1478 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Rules… 319 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Scree… 1284 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Stude… 1016 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/Stude… 1159 2018/08/05
web-services/src/main/java/com/het/ws/facade/impl/UserF… 3135 2018/08/05
web-services/src/main/java/com/het/ws/facade/IRulesFaca… 147 2018/08/05
web-services/src/main/java/com/het/ws/facade/IScreening… 447 2018/08/05
web-services/src/main/java/com/het/ws/facade/IStudentFa… 922 2018/08/05
web-services/src/main/java/com/het/ws/facade/IStudentG… 364 2018/08/05
web-services/src/main/java/com/het/ws/facade/IUserFacad… 632 2018/08/05
web-services/src/main/java/com/het/ws/handler/ApiContro… 354 2018/08/05
web-services/src/main/java/com/het/ws/helper/DataMappi… 4273 2018/08/05
web-services/src/main/java/com/het/ws/helper/RulesHelper… 22148 2018/08/05
web-services/src/main/java/com/het/ws/HETApplication.java 5341 2018/08/05
web-services/src/main/java/com/het/ws/repository/IAccou… 181 2018/08/05
web-services/src/main/java/com/het/ws/repository/IAlertR… 352 2018/08/05
web-services/src/main/java/com/het/ws/repository/IAnony… 454 2018/08/05
web-services/src/main/java/com/het/ws/repository/IAppoi… 616 2018/08/05
web-services/src/main/java/com/het/ws/repository/IEncou… 879 2018/08/05
web-services/src/main/java/com/het/ws/repository/IHealth… 508 2018/08/05
web-services/src/main/java/com/het/ws/repository/IImmu… 289 2018/08/05
web-services/src/main/java/com/het/ws/repository/IMedica… 517 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 905 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 2125 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 2740 2018/08/05

web-services/src/main/java/com/het/ws/repository/impl/R… 4152 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 6254 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 2081 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 1969 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 3732 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 2623 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 1424 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 3095 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 1467 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 2928 2018/08/05
web-services/src/main/java/com/het/ws/repository/impl/R… 4049 2018/08/05
web-services/src/main/java/com/het/ws/repository/IPerso… 372 2018/08/05
web-services/src/main/java/com/het/ws/repository/ISchoo… 257 2018/08/05
web-services/src/main/java/com/het/ws/repository/IScree… 455 2018/08/05
web-services/src/main/java/com/het/ws/repository/IStaffR… 197 2018/08/05
web-services/src/main/java/com/het/ws/repository/IStude… 473 2018/08/05
web-services/src/main/java/com/het/ws/repository/IStude… 558 2018/08/05
web-services/src/main/java/com/het/ws/rest/AlertControll… 1231 2018/08/05
web-services/src/main/java/com/het/ws/rest/APIRestContr… 460 2018/08/05
web-services/src/main/java/com/het/ws/rest/Appointment… 2167 2018/08/05
web-services/src/main/java/com/het/ws/rest/EncounterCo… 2781 2018/08/05
web-services/src/main/java/com/het/ws/rest/HealthNotice… 2135 2018/08/05
web-services/src/main/java/com/het/ws/rest/Immunization… 2432 2018/08/05
web-services/src/main/java/com/het/ws/rest/MasterDataC… 1247 2018/08/05
web-services/src/main/java/com/het/ws/rest/MedicationOr… 1961 2018/08/05
web-services/src/main/java/com/het/ws/rest/ScreeningCo… 1444 2018/08/05
web-services/src/main/java/com/het/ws/rest/StudentCont… 3688 2018/08/05
web-services/src/main/java/com/het/ws/rest/StudentGrou… 3240 2018/08/05
web-services/src/main/java/com/het/ws/rest/UnknownRou… 548 2018/08/05
web-services/src/main/java/com/het/ws/rest/UserControlle… 3245 2018/08/05
web-services/src/main/java/com/het/ws/utils/Constants.ja… 173 2018/08/05
web-services/src/main/resources/application.properties 1570 2018/08/05
web-services/src/main/resources/application-dev.properties 1580 2018/08/05
web-services/src/main/resources/application-prod.properti… 99 2018/08/05
web-services/src/main/resources/application-stage.propert… 124 2018/08/05

web-services/src/main/resources/logback-spring.xml 3426 2018/08/05
zipkin/pom.xml 1784 2018/08/05
zipkin/src/main/java/com/het/monitoring/MonitoringApplica… 526 2018/08/05

Appendix - Descriptions of Key Terminology
Security Rating
The Fortify on Demand 5-star assessment rating provides information on the likelihood and impact of
defects present within an application. A perfect rating within this system would be 5 complete stars
indicating that no high impact vulnerabilities were uncovered.

Rating

Fortify on Demand awards one star to applications that have undergone a
security review that identifies critical (high likelihood and high impact) issues.

Fortify on Demand awards two stars to applications that have undergone a
security review that identifies no critical (high likelihood and high impact) issues.
Vulnerabilities that are trivial to exploit and have a high business or technical
impact should never exist in business-critical software.

Fortify on Demand awards three stars to applications that have undergone a
security review that identifies no high (low likelihood and high impact) issues
and meets the requirements needed to receive two stars. Vulnerabilities that
have a high impact, even if they are non-trivial to exploit, should never exist in
business-critical software.

Fortify on Demand awards four stars to applications that have undergone a
security review that identifies no medium (high likelihood and low impact) issues
and meets the requirements for three stars. Vulnerabilities that have a low
impact, but are easy to exploit, should be considered carefully as they may pose
a greater threat if an attacker exploits many of them as part of a concerted
effort or leverages a low impact vulnerability as a stepping stone to mount a
high-impact attack.

Fortify on Demand awards five stars, the highest rating, to applications that
have undergone a security review that identifies no issues.

Likelihood and Impact


Likelihood
Likelihood is the probability that a vulnerability will be accurately identified and successfully exploited.
Impact
Impact is the potential damage an attacker could do to assets by successfully exploiting a
vulnerability. This damage can be in the form of, but not limited to, financial loss, compliance violation,
loss of brand reputation, and negative publicity.

Fortify on Demand Priority Order


Critical
Critical-priority issues have high impact and high likelihood. Critical-priority issues are easy to detect
and exploit and result in large asset damage. These issues represent the highest security risk to the
application. As such, they should be remediated immediately.

SQL Injection is an example of a critical issue.
High
High-priority issues have high impact and low likelihood. High-priority issues are often difficult to
detect and exploit, but can result in large asset damage. These issues represent a high security risk
to the application. High-priority issues should be remediated in the next scheduled patch release.
Password Management: Hardcoded Password is an example of a high issue.
Medium
Medium-priority issues have low impact and high likelihood. Medium-priority issues are easy to detect
and exploit, but typically result in small asset damage. These issues represent a moderate security
risk to the application. Medium-priority issues should be remediated in the next scheduled product.
Path Manipulation is an example of a medium issue.
Low
Low-priority issues have low impact and low likelihood. Low-priority issues can be difficult to detect
and exploit and typically result in small asset damage. These issues represent a minor security risk to
the application. Low-priority issues should be remediated as time allows.
Dead Code is an example of a low issue.

Issue Status
New
New issues are ones that have been identified for the first time in the most recent analysis of the
application.
Existing
Existing issues are issues that have been found in a previous analysis of the application and are still
present in the latest analysis.
Reopened
Reopened issues have been discovered in a previous analysis of the application but were not present
in subsequent analyses. These issues are now present again in the most recent analysis of the
application.
