From 69ea4ed57bc8726229913ac1b2e37f7e3e04caa1 Mon Sep 17 00:00:00 2001
From: Luke Cartey
Date: Wed, 20 Nov 2024 10:19:10 +0000
Subject: [PATCH] Rename XSJS packs to remove async qualifier We support the non-async versions of XSJS, so rename the packs for clarity.
---
.github/workflows/javascript.sarif.expected | 2 +-
README.md | 7 +++++--
javascript/frameworks/xsjs/ext/qlpack.yml | 2 +-
javascript/frameworks/xsjs/lib/qlpack.yml | 2 +-
javascript/frameworks/xsjs/src/qlpack.yml | 6 +++---
javascript/frameworks/xsjs/test/qlpack.yml | 6 +++---
6 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/javascript.sarif.expected b/.github/workflows/javascript.sarif.expected
index 800ed81d..e1508e9c 100644
--- a/.github/workflows/javascript.sarif.expected
+++ b/.github/workflows/javascript.sarif.expected
@@ -1 +1 @@ -{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.18.4","notifications":[{"id":"cli/expected-extracted-files/javascript","name":"cli/expected-extracted-files/javascript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"JavaScript"}},{"id":"cli/expected-extracted-files/python","name":"cli/expected-extracted-files/python","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"Python"}},{"id":"codeql-action/zstd-availability","name":"codeql-action/zstd-availability","shortDescription":{"text":"Zstandard availability"},"fullDescription":{"text":"Zstandard availability"},"defaultConfiguration":{"enabled":true}}],"rules":[]},"extensions":[{"name":"generated/extension-pack","semanticVersion":"0.0.0","locations":[{"uri":"file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-queries","semanticVersion":"1.1.3+561abced2df2733191d9ca05dd3935c19c165bef","notifications":[{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction 
errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}}],"rules":[{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 
1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text 
can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n","markdown":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. 
The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n \n // GOOD: if a random value between 0 and 1 is desired\n var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n","markdown":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. 
For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n \n // GOOD: if a random value between 0 and 1 is desired\n var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. 
Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. 
Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. 
Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. 
This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from 
an untrusted source may allow an attacker to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. 
This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* 
MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. 
Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: 
[CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace 
information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. 
As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n","markdown":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. 
In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/hardcoded-credentials","name":"js/hardcoded-credentials","shortDescription":{"text":"Hard-coded credentials"},"fullDescription":{"text":"Hard-coding credentials in source code may enable an attacker to gain unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. 
For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => 
console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n","markdown":"# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment 
variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n"},"properties":{"tags":["security","external/cwe/cwe-259","external/cwe/cwe-321","external/cwe/cwe-798"],"description":"Hard-coding credentials in source code may enable an attacker\n to gain unauthorized access.","id":"js/hardcoded-credentials","kind":"path-problem","name":"Hard-coded credentials","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). 
Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). 
Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials 
transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. 
This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# XML internal entity expansion\nParsing untrusted XML 
files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. 
If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using 
`postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. 
Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. 
Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path 
expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n","markdown":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. 
If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression 
ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. 
However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. 
Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an 
important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important 
technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname 
against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. 
For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. 
Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. 
For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n","markdown":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. 
For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme 
check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. 
Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. 
This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character 
escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n","markdown":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. 
The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n","markdown":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. 
The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to 
denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: 
[CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: 
[CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... 
use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... 
use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n","markdown":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. 
If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. 
A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes 
file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = ''\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = ''\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. 
This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = ''\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = ''\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can 
lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. 
The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. 
In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as 
HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. 
For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in 
the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site 
scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from 
other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for 
clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. 
The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. 
Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP 
[DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM 
based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the 
references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output 
encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site 
scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n","markdown":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## 
Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the 
user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n","markdown":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. 
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: 
[CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. 
For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. 
For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. 
Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n ampersand, the meta-character has to be escaped first to avoid double-escaping,\n and conversely it has to be unescaped last to avoid double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. 
Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/\n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site 
Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. 
Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a UI5 View allows for\n a cross-site scripting 
vulnerability.","id":"js/ui5-xss","kind":"path-problem","name":"UI5 Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-path-injection","name":"js/ui5-path-injection","shortDescription":{"text":"UI5 Path Injection"},"fullDescription":{"text":"Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n","markdown":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-035"],"description":"Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.","id":"js/ui5-path-injection","kind":"path-problem","name":"UI5 Path Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-clickjacking","name":"js/ui5-clickjacking","shortDescription":{"text":"UI5 Clickjacking"},"fullDescription":{"text":"The absence of frame options allows for clickjacking."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n","markdown":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n"},"properties":{"tags":["security","external/cwe/cwe-451"],"description":"The absence of frame options allows for clickjacking.","id":"js/ui5-clickjacking","kind":"problem","name":"UI5 
Clickjacking","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-unsafe-log-access","name":"js/ui5-unsafe-log-access","shortDescription":{"text":"Access to user-controlled UI5 Logs"},"fullDescription":{"text":"Log entries from user-controlled sources should not be further processed."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. 
A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. 
A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Log entries from user-controlled sources should not be further processed.","id":"js/ui5-unsafe-log-access","kind":"path-problem","name":"Access to user-controlled UI5 Logs","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/ui5-log-injection-to-http","name":"js/ui5-log-injection-to-http","shortDescription":{"text":"UI5 Log injection in outbound network request"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. 
Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. 
The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"js/ui5-log-injection-to-http","kind":"path-problem","name":"UI5 Log injection in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-models","semanticVersion":"0.6.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/","description":{"text":"The QL pack root 
directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-all","semanticVersion":"1.1.4+561abced2df2733191d9ca05dd3935c19c165bef","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.18.4/x64/codeql/qlpacks/codeql/javascript-all/1.1.4/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.18.4/x64/codeql/qlpacks/codeql/javascript-all/1.1.4/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-cap-queries","semanticVersion":"0.3.0+95725b3c8b07ea95d444399881c59e00cebec5fe","rules":[{"id":"js/cap-sensitive-log","name":"js/cap-sensitive-log","shortDescription":{"text":"Insertion of sensitive information into log files"},"fullDescription":{"text":"Writing sensitive information to log files can allow that information to be leaked to an attacker more easily."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. 
Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n name : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n name @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n init() {\n LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).","markdown":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. 
Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n name : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n name @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n init() {\n LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations)."},"properties":{"tags":["security","external/cwe/cwe-532"],"description":"Writing sensitive information to log files can allow that\n information to be leaked to an attacker more easily.","id":"js/cap-sensitive-log","kind":"path-problem","name":"Insertion of sensitive information into log files","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cap-non-prod-auth-strategy","name":"js/cap-non-prod-auth-strategy","shortDescription":{"text":"Non-production authentication strategy used"},"fullDescription":{"text":"Using non-production authentication strategies can lead to unwanted authentication behavior in 
production."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n },\n \"[deploy]\": {\n \"auth\": \"xsuaa\"\n }\n }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. 
Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n \"cds\": {\n \"requires\": {\n \"auth\": {\n \"kind\": \"basic\",\n \"users\": {\n \"JohnDoe\": {\n \"password\": \"JohnDoesPassword\",\n \"roles\": [\"JohnDoesRole\"],\n \"attr\": {}\n },\n \"JaneDoe\": {\n \"password\": \"JaneDoesPassword\",\n \"roles\": [\"JaneDoesRole\"],\n \"attr\": {}\n }\n }\n }\n }\n }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n","markdown":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. 
For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n },\n \"[deploy]\": {\n \"auth\": \"xsuaa\"\n }\n }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n \"cds\": {\n \"requires\": {\n \"auth\": {\n \"kind\": \"basic\",\n \"users\": {\n \"JohnDoe\": {\n \"password\": \"JohnDoesPassword\",\n \"roles\": [\"JohnDoesRole\"],\n \"attr\": {}\n },\n \"JaneDoe\": {\n \"password\": \"JaneDoesPassword\",\n \"roles\": [\"JaneDoesRole\"],\n \"attr\": {}\n }\n }\n }\n }\n }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n"},"properties":{"tags":["security"],"description":"Using non-production authentication strategies can lead to unwanted authentication behavior in production.","id":"js/cap-non-prod-auth-strategy","kind":"problem","name":"Non-production authentication strategy 
used","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-default-user-is-privileged","name":"js/cap-default-user-is-privileged","shortDescription":{"text":"Default user is privileged"},"fullDescription":{"text":"Overriding the default user to the privileged user allows for authentication bypass."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n }\n }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. 
In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n","markdown":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n }\n }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. 
The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n"},"properties":{"tags":["security"],"description":"Overriding the default user to the privileged user allows for authentication bypass.","id":"js/cap-default-user-is-privileged","kind":"problem","name":"Default user is privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-unnecessarily-granted-privileged-access-rights","name":"js/cap-unnecessarily-granted-privileged-access-rights","shortDescription":{"text":"Access rights to an entity is unnecessarily elevated to privileged"},"fullDescription":{"text":"An entity requiring authorization is being accessed with privileged rights."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires 
authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n const Service2 = await cds.connect.to(\"Service2\");\n const { Service2Entity } = Service2.entities;\n return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n tx.run(\n SELECT.from(Service2Entity) // Declared in service2.cds\n .where`Attribute4=${req.data.messageToPass}`,\n ),\n );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n /* Read access only to users with access level greater than 2. 
*/\n @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n entity Service2Entity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n","markdown":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. 
The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n const Service2 = await cds.connect.to(\"Service2\");\n const { Service2Entity } = Service2.entities;\n return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n tx.run(\n SELECT.from(Service2Entity) // Declared in service2.cds\n .where`Attribute4=${req.data.messageToPass}`,\n ),\n );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n /* Read access only to users with access level greater than 2. */\n @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n entity Service2Entity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n"},"properties":{"tags":["security"],"description":"An entity requiring authorization is being accessed with privileged rights.","id":"js/cap-unnecessarily-granted-privileged-access-rights","kind":"problem","name":"Access rights to an entity is unnecessarily elevated to privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-entity-exposed-without-authentication","name":"js/cap-entity-exposed-without-authentication","shortDescription":{"text":"Entity exposed without authentication"},"fullDescription":{"text":"Entities exposed to external protocols should require an CDS-based or JS-based access control."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level 
authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. 
For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n /* Do something */\n } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n init() {\n this.on(\"READ\", \"SomeService\", (req) => { })\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire 
Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. 
In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n /* Do something */\n } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. 
Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n init() {\n this.on(\"READ\", \"SomeService\", (req) => { })\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security"],"description":"Entities exposed to external protocols should require an\n CDS-based or JS-based access control.","id":"js/cap-entity-exposed-without-authentication","kind":"problem","name":"Entity exposed without 
authentication","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-sql-injection","name":"js/cap-sql-injection","shortDescription":{"text":"CQL query built from user-controlled sources"},"fullDescription":{"text":"Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/cap-sql-injection","kind":"path-problem","name":"CQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/cap-log-injection","name":"js/cap-log-injection","shortDescription":{"text":"CAP Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"js/cap-log-injection","kind":"path-problem","name":"CAP Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-async-xsjs-queries","semanticVersion":"0.1.0+95725b3c8b07ea95d444399881c59e00cebec5fe","rules":[{"id":"js/xsjs-disabled-csrf-protection","name":"js/xsjs-disabled-csrf-protection","shortDescription":{"text":"Disabled XSJS CSRF protection"},"fullDescription":{"text":"Disabling CSRF protection makes the application vulnerable 
to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabled XSJS CSRF protection\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. \n- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. \n- In `XS Classic` CSRF protection should be enabled explicitly. \n\n## Example\n\nThe following `xs-app.json` fragment enables CSRF protection in XSJS.\n\n```json\n\"routes\": [\n {\n \"source\": \"/bad/(.*)\",\n \"destination\": \"srv_api\",\n \"csrfProtection\": true,\n ...\n }\n]\n ...\n }\n]\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n","markdown":"# Disabled XSJS CSRF protection\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. 
and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. \n- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. \n- In `XS Classic` CSRF protection should be enabled explicitly. \n\n## Example\n\nThe following `xs-app.json` fragment enables CSRF protection in XSJS.\n\n```json\n\"routes\": [\n {\n \"source\": \"/bad/(.*)\",\n \"destination\": \"srv_api\",\n \"csrfProtection\": true,\n ...\n }\n]\n ...\n }\n]\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"js/xsjs-disabled-csrf-protection","kind":"problem","name":"Disabled XSJS CSRF protection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/xsjs-zip-slip","name":"js/xsjs-zip-slip","shortDescription":{"text":"XSJS Zip Slip"},"fullDescription":{"text":"Saving an entry of a zip archive into a file with its stated path allows for a path traversal and writing to an arbitrary location."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. 
Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. 
If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n if (targetFilePath.indexOf(targetFolderName) === 0) {\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = targetFolderName + \"/\" + entryPath;\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n","markdown":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. 
Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. 
If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n if (targetFilePath.indexOf(targetFolderName) === 0) {\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = targetFolderName + \"/\" + entryPath;\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n"},"properties":{"tags":["security"],"description":"Saving an entry of a zip archive into a file with its stated path\n allows for a path traversal and writing to an arbitrary location.","id":"js/xsjs-zip-slip","kind":"path-problem","name":"XSJS Zip 
Slip","precision":"medium","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xsjs-reflected-xss","name":"js/xsjs-reflected-xss","shortDescription":{"text":"XSJS Reflected XSS"},"fullDescription":{"text":"Including uncontrolled value into a response body and setting it to a scriptable MIME type allows for cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as ``. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. 
If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"
\" + clientData + \"
\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n","markdown":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as ``. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. 
This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"
\" + clientData + \"
\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n"},"properties":{"tags":["security"],"description":"Including uncontrolled value into a response body and setting it to\n a scriptable MIME type allows for cross-site scripting vulnerability.","id":"js/xsjs-reflected-xss","kind":"path-problem","name":"XSJS Reflected XSS","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xsjs-broken-authentication","name":"js/xsjs-broken-authentication","shortDescription":{"text":"Broken XSJS authentication"},"fullDescription":{"text":"Disabling XSJS authentication makes the application vulnerable to unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Broken XSJS authentication\n\nIf you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. 
Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies). \n- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. \n- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.\n\n## Example\n\nThe following `xs-app.json` fragment shows disabled XSJS authentication.\n\n```json\n{\n \"welcomeFile\": \"index.html\",\n \"authenticationMethod\": \"none\",\n ...\n} \n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)\n* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)\n* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# Broken XSJS authentication\n\nIf you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. 
Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies). \n- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. \n- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.\n\n## Example\n\nThe following `xs-app.json` fragment shows disabled XSJS authentication.\n\n```json\n{\n \"welcomeFile\": \"index.html\",\n \"authenticationMethod\": \"none\",\n ...\n} \n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)\n* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)\n* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security","external/cwe/cwe-306"],"description":"Disabling XSJS authentication makes the application vulnerable to unauthorized access.","id":"js/xsjs-broken-authentication","kind":"problem","name":"Broken XSJS 
authentication","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xsjs-url-redirect","name":"js/xsjs-url-redirect","shortDescription":{"text":"XSJS URL Redirect"},"fullDescription":{"text":"Setting the `location` response header to an uncontrolled value allows for redirection to an arbitrary URL."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. 
This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n","markdown":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. 
For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. 
This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n"},"properties":{"tags":["security"],"description":"Setting the `location` response header to an uncontrolled value\n allows for redirection to an arbitrary URL.","id":"js/xsjs-url-redirect","kind":"path-problem","name":"XSJS URL 
Redirect","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/xsjs-sql-injection","name":"js/xsjs-sql-injection","shortDescription":{"text":"XSJS SQL injection"},"fullDescription":{"text":"Directly concatenating an uncontrolled value with an SQL query allows for an SQL injection vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) 
(COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = 
$.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) 
(COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = 
$.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security"],"description":"Directly concatenating an uncontrolled value with an SQL query allows\n for an SQL injection vulnerability.","id":"js/xsjs-sql-injection","kind":"path-problem","name":"XSJS SQL injection","precision":"medium","problem.severity":"error","security-severity":"8.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-async-xsjs-models","semanticVersion":"0.1.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":13},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected 
token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed 
in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"a
rtifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id
":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id
":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/
bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLoc
ation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds.json","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCompon
ent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json","uriBa
seId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/quer
ies/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"format
tedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%S
RCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":98}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":100}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-
privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":101}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":103}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/tes
t/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":105}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":106}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"p
hysicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":109}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":114}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-
authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":116}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocati
on":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":119}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":121}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":
""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{
"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":126}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCo
mponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extr
acted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":133}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":135}}}],"message":{"text":""},"level":"none","descriptor
":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":137}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfu
lly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":138}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":140}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted
-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","inde
x":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":145}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"t
oolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":148}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":149}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted
-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":154}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-
files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":158}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfu
lly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":161}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successful
ly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":163}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":165}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/su
ccessfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":166}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":168}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","in
dex":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds.json","uriBaseId":"%SRCROOT%","index":171}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedM
essage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":174}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":175}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":177}}}],"message":{"text":""},"level":"none","descriptor":{"
id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":178}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.html","uriBaseId":"%SRCROOT%","index":180}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.json","uriBaseId":"%SRCROOT%","index":181}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.xml","uriBaseId":"%SRCR
OOT%","index":183}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":185}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":187}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":188}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formatt
edMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":189}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":190}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":192}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194}}}],"me
ssage":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":196}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":197}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":198}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":199}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/suc
cessfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":201}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text"
:""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":206}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":208}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%
","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":210}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBa
seId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":215}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":218}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":
219}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":220}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":223}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224}}}],"messa
ge":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":225}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":226}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":227}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""}
,"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":230}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":232}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","
index":233}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":235}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"
text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":239}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":241}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":242}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":243}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":245}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":247}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor
":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":251}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":252}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":253}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extrac
ted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":255}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":258}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1
,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":261}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":262}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"prop
erties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":265}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":267}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":268}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physic
alLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":270}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":272}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations
":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":274}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":276}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text
":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":279}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":283}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locatio
ns":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":285}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":287}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"ur
i":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":289}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":291}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":293}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathI
njection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":295}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":296}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":298}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diag
nostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{
"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":304}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalL
ocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":310}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":313}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocatio
n":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":317}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/
UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":320}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":322}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level
":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":326}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":328}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","inde
x":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":330}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":331}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":332}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"
physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":335}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":337}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":339}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss
-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":340}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":341}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":344}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}}}],"messag
e":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":346}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":348}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":349}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":350}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostic
s/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":353}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successful
ly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":356}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":357}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":358}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"
formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":362}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":364}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":365}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physic
alLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":366}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":368}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":370}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uri
BaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":372}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":374}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":375}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":376}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","i
ndex":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":378}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":380}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocati
on":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":384}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":386}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBa
seId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":388}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":390}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":391}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":392}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfull
y-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":394}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":396}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":397}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"format
tedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":398}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":399}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ja
vascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":405}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":408
}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":411}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}}
,"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewor
ks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":422}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%
SRCROOT%","index":424}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":426}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":427}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCo
mponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":430}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":432}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5
/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":436}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":438}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":440}}}],"message":{"text":""},"level":"none","descriptor":{"id":
"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":443}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":444}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"
text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":448}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":450}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewo
rks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":452}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":454}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","u
riBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":458}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":460}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text
":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":463}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":465}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":466}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties
":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":468}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":470}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":471}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":"
"},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":473}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":474}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":475}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":477}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framework
s/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diag
nostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":486}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":487}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":488}}}],"message":{"text":""},"level":"none","descriptor":{"id":"j
s/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/qlpack.yml","uriBaseId":"%SRCROOT%","index":489}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/f
ormula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id"
:"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui
5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Pat
hInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","desc
riptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"java
script/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level
":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/querie
s/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-fi
les/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller
/app.controller.js","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":
0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-aut
hz/server.js","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"t
ext":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index"
:385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/tes
t/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":
"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewo
rks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted
-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocat
ion":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js
","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extract
ed-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-cont
rol-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physi
calLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLoc
ation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":490}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/python","index":1},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"none","timeUtc":"2024-09-19T08:44:27.830+00:00","descriptor":{"id":"codeql-action/zstd-availability","index":2},"properties":{"attributes":{"available":true,"version":{"type":"gnu","version":"1.34"}},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"javascript/frameworks/cap/test/queri
es/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%
SRCROOT%","index":13}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authe
ntication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"javascript/frameworks/cap/test/que
ries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"javascript/frameworks/cap/test/queri
es/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":64
}},{"location":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":65}},{"location":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":66}},{"location":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":67}},{"location":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":68}},{"location":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":69}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":70}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":71}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":72}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":73}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":75}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds.json","uriBaseId":"%SRCROOT%","index":7
7}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":79}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":80}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":82}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":84}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":86}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":87}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/
server.js","uriBaseId":"%SRCROOT%","index":88}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":89}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":91}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":92}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":94}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":96}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":97}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":98}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-a
uthn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":100}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":101}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":103}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":105}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":106}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":108}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":109}},{"location":{"uri":"javascript/framewo
rks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":112}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":114}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":116}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":119}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/
service1.js","uriBaseId":"%SRCROOT%","index":120}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":121}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":122}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":126}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":128}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":130}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131}},{"location":{"uri":"j
avascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":133}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":135}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":137}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":138}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":140}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":142}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId
":"%SRCROOT%","index":143}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":144}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":145}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":148}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":149}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":151}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":152}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":154}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protoco
l-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":156}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":158}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":160}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":161}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":163}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":165}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":166}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-inj
ection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":168}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":170}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds.json","uriBaseId":"%SRCROOT%","index":171}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}},{"location":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":174}},{"location":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":175}},{"location":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":176}},{"location":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":177}},{"location":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":178}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.html","uriBaseId":"%SRCROOT%","index":180}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.json","uriBaseId":"%SRCROOT%","index":181}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%
","index":182}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.xml","uriBaseId":"%SRCROOT%","index":183}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}},{"location":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":185}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":186}},{"location":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":187}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":188}},{"location":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":189}},{"location":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":190}},{"location":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":191}},{"location":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":192}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":193}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":196}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":197}},{"lo
cation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":198}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":199}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":200}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":201}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":204}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":206}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":208}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInj
ection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":209}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":210}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":213}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":214}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":215}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":217}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":218}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":219}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":220}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection
/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":223}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":225}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":226}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":227}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":230}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":232}},{"location":{"uri":"javascript/frameworks/u
i5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":233}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":234}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":235}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":236}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":239}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":241}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":242}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":243}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":244}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/l
og-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":245}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":247}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":249}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":251}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":252}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":253}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":255}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogLis
tener.js","uriBaseId":"%SRCROOT%","index":257}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":258}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":261}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":262}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":265}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":267}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":268}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":269}},{"location":{"uri":"javascript/frameworks/ui5/test/queri
es/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":270}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":272}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":274}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":276}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":278}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":279}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":280}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}},{"location":{"uri":"ja
vascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":283}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":285}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":287}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":288}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":289}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":291}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":293}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/w
ebapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":295}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":296}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":297}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":298}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":303}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":304}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}},{"location":{"uri":"javascri
pt/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":310}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":313}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":317}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBa
seId":"%SRCROOT%","index":320}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":321}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":322}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":323}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":326}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":328}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":330}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":331}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":332}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}},{"location":{"uri":"javascript/frameworks/ui5/test/
queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":335}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":337}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":339}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":340}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":341}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":344}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":346}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jque
ry/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":348}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":349}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":350}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":353}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":355}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":356}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":357}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":358}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":359}},{"location":{"uri":"javasc
ript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":362}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":364}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":365}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":366}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":367}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":368}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":370}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":371}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":372}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/
webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":374}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":375}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":376}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":378}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":380}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":382}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":383}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":384}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":386}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df
/webapp/index.js","uriBaseId":"%SRCROOT%","index":387}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":388}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":390}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":391}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":392}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":394}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":396}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":397}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":398}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":399}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":400}},{"location":{"uri":"javascript/fr
ameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":402}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":405}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":407}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":408}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":409}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":411}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":413}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414}},{"loc
ation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":415}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":416}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":417}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":422}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":424}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":426}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":427}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":
428}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":430}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":432}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":434}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":435}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":436}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":438}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":440}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":442}},{"location":{"uri":"javascript/framework
s/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":443}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":444}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":448}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":450}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":452}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":453}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":454}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xs
sRenderer.js","uriBaseId":"%SRCROOT%","index":456}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":458}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":460}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":462}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":463}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":465}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":466}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":468}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469}},{"location":{"uri":"javascript
/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":470}},{"location":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":471}},{"location":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":472}},{"location":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":473}},{"location":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":474}},{"location":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":475}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":477}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":478}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484}},{"location":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":485}},{"location":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBa
seId":"%SRCROOT%","index":486}},{"location":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":487}},{"location":{"uri":"scripts/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":488}},{"location":{"uri":"scripts/qlpack.yml","uriBaseId":"%SRCROOT%","index":489}},{"location":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":490}}],"results":[{"ruleId":"js/missing-rate-limiting","rule":{"id":"js/missing-rate-limiting","index":24,"toolComponent":{"index":1}},"message":{"text":"This route handler performs [a database access](1), but is not rate-limited."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":40,"startColumn":25,"endLine":44,"endColumn":8}}}],"partialFingerprints":{"primaryLocationLineHash":"ac6d3bdd3d52ea9b:1","primaryLocationStartColumnFingerprint":"18"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":9,"endLine":43,"endColumn":11}},"message":{"text":"a database access"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"6311a9ed7e4091a4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... 
param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"8e517fc6fdf32a1a:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... 
.search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"c51cf11a085c01f4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... 
.search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"e309bf8540256a05:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/sql-injection","rule":{"id":"js/sql-injection","index":62,"toolComponent":{"index":1}},"message":{"text":"This query string depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"4fc3122b51f477a1:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"req2.params.category"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"ccc6f77c65eccb45:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":32,"endColumn":36}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"\"console:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... 
value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:2","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... 
, true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":9,"endColumn":37}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":24}},"message":{"text":"q.query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":33}},"message":{"text":"q.query.username"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":9,"endColumn":33}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... 
value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":18,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"e197b363f9dc3962:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... 
, true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":9,"endColumn":37}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":24}},"message":{"text":"q.query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":33}},"message":{"text":"q.query.username"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":9,"endColumn":33}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":34,"endColumn":40}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":18,"endColumn":42}},"message":{"text":"`[INFO] ... alue1}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45280b24f3d81287:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"req.responseText"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"req.responseText"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":17,"startColumn":27,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"41899ff1a967017d:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":17,"startColumn":27,"endColumn":45}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":23,"startColumn":27,"endColumn":39}}}],"partialFingerprints":{"primaryLocationLineHash":"9afa5fd07ee36af6:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":15,"startColumn":21,"endColumn":47}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... 
value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":21,"endColumn":60}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":23,"startColumn":27,"endColumn":39}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":16,"startColumn":23,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"e701acdf85af03b4:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":16,"startColumn":23,"endColumn":51}},"message":{"text":"oModel. ... 
input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"3bb21c52eb38cf8:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":37}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":45}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to 
[user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"92dbc37bdafc7694:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"faa1832c387d2ee5:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"8291f53a2e235d15:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"63ace7b071639814:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"oSearch ... 
Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":11,"endColumn":48}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":27,"startColumn":34,"endColumn":45}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":17,"startColumn":13,"endColumn":31}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":133,"startColumn":8,"endColumn":27}},"message":{"text":"oControl.getTitle()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}},"message":{"text":"\"
T ...
\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":14,"startColumn":23,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"fc87b07640e9d85:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":14,"startColumn":23,"endColumn":41}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":14,"startColumn":32,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5eac262ae765:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":14,"startColumn":32,"endColumn":50}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":14,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5ec8b0c3bb0d:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":7,"startColumn":19,"endColumn":37}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":14,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":27,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"8ceecee7055f4fa2:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":17,"endColumn":42}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":27,"startColumn":36,"endColumn":41}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419},"region":{"startLine":5,"startColumn":15,"endColumn":33}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":21,"startColumn":22,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"5d5122f6c75b5d01:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"/input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":21,"startColumn":22,"endColumn":32}},"message":{"text":"/input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":13,"startColumn":15,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"c18df3aa119b40dc:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"\"value\": \"{/input}\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":13,"startColumn":15,"endColumn":25}},"message":{"text":"\"content\": \"{/input}\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":8,"startColumn":5,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"74b35e217af6aa05:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":8,"startColumn":5,"endColumn":50}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"9caa0f252fbe2993:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":31,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":9,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":9,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":10,"startColumn":44,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":32,"startColumn":17,"endColumn":30}},"message":{"text":"output1: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output1}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":17,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"2963bbd458e69924:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"oEvent. ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":17,"endColumn":60}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":19,"startColumn":44,"endColumn":55}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":34,"startColumn":17,"endColumn":30}},"message":{"text":"output3: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":17,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"1406455ac263a2d9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":12,"startColumn":26,"endColumn":46}},"message":{"text":"new 
JSONModel(oData)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":15,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":16,"startColumn":43,"endColumn":48}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":10,"startColumn":17,"endColumn":29}},"message":{"text":"output: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":8,"startColumn":40,"endColumn":63}},"message":{"text":"\"contro ... 
l.json\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":8,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"5edd24be658b61a4:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"data-value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":8,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"6e0d8f690e30e24a:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":17,"startColumn":43,"endColumn":61}}}],"partialFingerprints":{"primaryLocationLineHash":"68e5ff83e2198ff5:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":17,"startColumn":43,"endColumn":61}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":23,"startColumn":43,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b79de9dff4d8f842:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":15,"startColumn":21,"endColumn":47}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... 
value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":21,"endColumn":60}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":23,"startColumn":43,"endColumn":55}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":16,"startColumn":39,"endColumn":67}}}],"partialFingerprints":{"primaryLocationLineHash":"de27f6d546a116e8:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":16,"startColumn":39,"endColumn":67}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to window\\[ ... 
onfig\"\\] being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":9,"startColumn":9,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"6152b8f74a1abdf5:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":28,"startColumn":34,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"b01bd23ca3666824:1","primaryLocationStartColumnFingerprint":"25"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"7fe81114896a63c:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to missing frame 
options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"df700c15dad274b2:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":5,"startColumn":9,"endLine":24,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"fad475448f62563d:1","primaryLocationStartColumnFingerprint":"-139"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":15,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":17,"startColumn":34,"endColumn":39}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided 
data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided 
data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"e10e4681e4f3a5f2:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":5,"toolComponent":{"index":3}},"message":{"text":"Outbound network request depends on [user-provided](1) log 
data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":45}},"message":{"text":"Log.get ... es()[0]"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":53}},"message":{"text":"Log.get ... 
message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":13,"endColumn":53}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":5,"toolComponent":{"index":3}},"message":{"text":"Outbound network request depends on [user-provided](1) log 
data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"84768bf2b1d6e5a5:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":25}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":33}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}}]},{"ruleId":"js/cap-sensitive-log","rule":{"id":"js/cap-sensitive-log","index":0,"toolComponent":{"index":6}},"message":{"text":"Log entry 
depends on the [name](1) field which is annotated as potentially sensitive."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"c2d27f652a20308e:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}},"message":{"text":"Sample.name"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}},"message":{"text":"Sample.name"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48},"region":{"startLine":4,"startColumn":5,"endLine":5,"endColumn":2}},"message":{"text":"name"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Current authentication strategy contains [credentials of mocked 
users](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"189356aa691178ee:1","primaryLocationStartColumnFingerprint":"9"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}},"message":{"text":"credentials of mocked users"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [basic](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":16,"startColumn":17,"endColumn":24}}}],"partialFingerprints":{"primaryLocationLineHash":"8ec70b5c261c793b:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":16,"startColumn":17,"endColumn":24}},"message":{"text":"basic"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [dummy](1) is 
used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124},"region":{"startLine":15,"startColumn":15,"endColumn":22}}}],"partialFingerprints":{"primaryLocationLineHash":"2a27bf058be4572:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124},"region":{"startLine":15,"startColumn":15,"endColumn":22}},"message":{"text":"dummy"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [mocked](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":21,"startColumn":15,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"2af5230c91e6a4cd:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":21,"startColumn":15,"endColumn":23}},"message":{"text":"mocked"}}]},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged 
user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102},"region":{"startLine":8,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"b6ec748aef5ccec4:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104},"region":{"startLine":14,"startColumn":7,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2c0c554bf5b5f7d:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107},"region":{"startLine":12,"startColumn":5,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"ee143e9aad9c9a16:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":18,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"62915c8622048073:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":33,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"8c5c989d244a1f09:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":50,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"faab9436420ec8fd:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":67,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"8eb12b95cf4128eb:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that may require 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":83,"startColumn":24,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"9343d25bdd5ba748:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115},"region":{"startLine":18,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115},"region":{"startLine":35,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:2","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS entity `Service1.Service1Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":6,"startColumn":10,"endLine":7,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"3984db8d11cdcda4:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send2` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":18,"startColumn":10,"endLine":19,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"28b66b32406f07ba:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action 
`Service1.send3` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":23,"startColumn":10,"endLine":24,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"a5382f0f9fda534:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send4` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":28,"startColumn":10,"endLine":29,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"ebf09aafb38c42ae:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send5` is exposed without any 
authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":33,"startColumn":10,"endLine":34,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"65cd9b8a9955401b:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS entity `Service2.Service2Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":6,"startColumn":10,"endLine":7,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b02237ac8be3c990:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service2.send1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":13,"startColumn":10,"endLine":14,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"d2bdf8ef231dddd1:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"e5ae8639cd6967fb:1","primaryLocationStartColumnFingerprint":"29"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":50,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":44,"endColumn":56}},"message":{"text":"`ID=${book}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":19,"endColumn":57}},"message":{"text":"SELECT. ... 
book}`)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":11,"endColumn":57}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":36,"endColumn":41}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":27,"endColumn":65}}}],"partialFingerprints":{"primaryLocationLineHash":"b41554298e90b620:1","primaryLocationStartColumnFingerprint":"20"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBas
eId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":58,"endColumn":62}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":52,"endColumn":64}},"message":{"text":"`ID=${book}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":27,"endColumn":65}},"message":{"text":"SELECT. ... 
book}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":18,"startColumn":37,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"967d7be3edc97a9e:1","primaryLocationStartColumnFingerprint":"30"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":53,"endColumn":57}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":45,"endColumn":57}},"message":{"text":"'ID=' + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":20,"endColumn":58}},"message":{"text":"SELECT. ... 
+ book)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":11,"endColumn":58}},"message":{"text":"query2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":18,"startColumn":37,"endColumn":43}},"message":{"text":"query2"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":27,"endColumn":65}}}],"partialFingerprints":{"primaryLocationLineHash":"1c132adaa6986472:1","primaryLocationStartColumnFingerprint":"20"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriB
aseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":60,"endColumn":64}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":52,"endColumn":64}},"message":{"text":"'ID=' + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":27,"endColumn":65}},"message":{"text":"SELECT. ... 
+ book)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28,"startColumn":39,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"144d55d233768c80:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":59,"endColumn":63}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":17,"endColumn":63}},"message":{"text":"CQL`SEL ... 
+ book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":11,"endColumn":63}},"message":{"text":"cqn"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28,"startColumn":39,"endColumn":42}},"message":{"text":"cqn"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":31,"startColumn":39,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"1cd6f1adc2ef8f7c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":
"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":56,"endColumn":60}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":32,"endColumn":60}},"message":{"text":"`SELECT ... + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":18,"endColumn":61}},"message":{"text":"cds.par ... 
+ book)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":11,"endColumn":61}},"message":{"text":"cqn1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":31,"startColumn":39,"endColumn":43}},"message":{"text":"cqn1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":16,"endColumn":29}}}],"partialFingerprints":{"primaryLocationLineHash":"eae426bf8fad0192:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"ja
vascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":25,"endColumn":29}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":16,"endColumn":29}},"message":{"text":"\"CAP:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":47,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"e05b39891dddd161:1","primaryLocationStartColumnFingerprint":"40"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":24,"endColumn":27}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":17,"endColumn":20}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":17,"endColumn":25}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":13,"endColumn":25}},"message":{"text":"$"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":47,"endColumn":48}},"message":{"text":"$"}}}]}]}],"relatedLocati
ons":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":24,"endColumn":27}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":16,"endColumn":29}}}],"partialFingerprints":{"primaryLocationLineHash":"4dc77ce4a9b7031e:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":25,"endColumn":29}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":16,"endColumn":29}},"message":{"text":"\"CAP:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":39,"endColumn":42}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":19,"endColumn":47}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided 
value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":39,"endColumn":42}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":19,"endColumn":47}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"
region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":0,"toolComponent":{"index":7}},"message":{"text":"CSRF protection is missing from the 
configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"c1675fd626f895bf:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":0,"toolComponent":{"index":7}},"message":{"text":"CSRF protection should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":14,"startColumn":31,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"c66a379bed25dd74:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-zip-slip","rule":{"id":"js/xsjs-zip-slip","index":1,"toolComponent":{"index":7}},"message":{"text":"The path of [this zip file](1) being saved depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"54d432c04bb48c9c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":35,"endColumn":62}},"message":{"text":"request ... 
uffer()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":7,"endColumn":63}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... 
ryPath)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":9,"endColumn":75}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"this zip file"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":35,"endColumn":62}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-reflected-xss","rule":{"id":"js/xsjs-reflected-xss","index":2,"toolComponent":{"index":7}},"message":{"text":"Reflected XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":22,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"a31830db0e0a3d3c:1","primaryLocationStartColumnFingerprint":"19"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"request ... 
eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":7,"endColumn":68}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":46,"endColumn":65}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":22,"endColumn":66}},"message":{"text":"request ... Value1)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476},"region":{"startLine":3,"startColumn":23,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"a900cae7399fb257:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication is missing from the 
configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b57c6bae252883be:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":3,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"7c987b52e21935f7:1","primaryLocationStartColumnFingerprint":"24"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":15,"startColumn":35,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"f2aa90ab66c52c3c:1","primaryLocationStartColumnFingerprint":"22"}},{"ruleId":"js/xsjs-url-redirect","rule":{"id":"js/xsjs-url-redirect","index":4,"toolComponent":{"index":7}},"message":{"text":"[This URL](1) depends on a [user-provided 
value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}}}],"partialFingerprints":{"primaryLocationLineHash":"f02e3e17e12824b3:1","primaryLocationStartColumnFingerprint":"35"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"request ... meter\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":7,"endColumn":66}},"message":{"text":"someParameterValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"someParameterValue"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"This URL"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-sql-injection","rule":{"id":"js/xsjs-sql-injection","index":5,"toolComponent":{"index":7}},"message":{"text":"This query depends on a [user-provided value](1).\nThis query depends on a 
[user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}}}],"partialFingerprints":{"primaryLocationLineHash":"65aa43aa4e46559c:1","primaryLocationStartColumnFingerprint":"54"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter1\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":7,"endColumn":80}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":32,"endColumn":51}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":15,"endColumn":107}},"message":{"text":"\"INSERT ... 
2 + \")\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":7,"endColumn":107}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter2\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter2\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":7,"endColumn":80}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":82,"endColumn":101}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":15,"endColumn":107}},"message":{"text":"\"INSERT ... 
2 + \")\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":7,"endColumn":107}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}}]}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest","metricResults":[{"rule":{"id":"js/summary/lines-of-user-code","index":102,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-user-code","value":3190,"baseline":2578},{"rule":{"id":"js/summary/lines-of-code","index":103,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-code","value":3190}],"codeqlConfigSummary":{"disableDefaultQueries":false,"queries":[{"type":"builtinSuite","uses":"security-extended"},{"type":"localQuery","uses":"./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls"}]}}}]} \ No newline at end of file +{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.18.4","notifications":[{"id":"cli/expected-extracted-files/javascript","name":"cli/expected-extracted-files/javascript","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"JavaScript"}},{"id":"cli/expected-extracted-files/python","name":"cli/expected-extracted-files/python","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"],"languageDisplayName":"Python"}},{"id":"codeql-action/zstd-availability","name":"codeql-action/zstd-availability","shortDescription":{"text":"Zstandard 
availability"},"fullDescription":{"text":"Zstandard availability"},"defaultConfiguration":{"enabled":true}}],"rules":[]},"extensions":[{"name":"generated/extension-pack","semanticVersion":"0.0.0","locations":[{"uri":"file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/_temp/codeql_databases/javascript/temp/extension-pack/codeql-pack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-queries","semanticVersion":"1.1.3+561abced2df2733191d9ca05dd3935c19c165bef","notifications":[{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}}],"rules":[{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be 
vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. 
This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Polynomial regular expression used on uncontrolled data\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. 
Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this use of a regular expression, which removes all leading and trailing whitespace in a string:\n\n```javascript\n\ntext.replace(/^\\s+|\\s+$/g, ''); // BAD\n```\nThe sub-expression `\"\\s+$\"` will match the whitespace characters in `text` from left to right, but it can start matching anywhere within a whitespace sequence. This is problematic for strings that do **not** end with a whitespace character. Such a string will force the regular expression engine to process each whitespace sequence once per whitespace character in the sequence.\n\nThis ultimately means that the time cost of trimming a string is quadratic in the length of the string. 
So a string like `\"a b\"` will take milliseconds to process, but a similar string with a million spaces instead of just one will take several minutes.\n\nAvoid this problem by rewriting the regular expression to not contain the ambiguity about when to start matching whitespace sequences. For instance, by using a negative look-behind (`/^\\s+|(? 1000) {\n throw new Error(\"Input too long\");\n}\n\n/^(\\+|-)?(\\d+|(\\d*\\.\\d*))?(E|e)?([-+])?(\\d+)?$/.test(str)\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Inefficient regular 
expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Inefficient regular expression\nSome regular expressions take a long time to match certain input strings to the point where the time it takes to match a string of length *n* is proportional to *nk* or even *2n*. Such regular expressions can negatively affect performance, or even allow a malicious user to perform a Denial of Service (\"DoS\") attack by crafting an expensive input string for the regular expression to match.\n\nThe regular expression engines provided by many popular JavaScript platforms use backtracking non-deterministic finite automata to implement regular expression matching. While this approach is space-efficient and allows supporting advanced features like capture groups, it is not time-efficient in general. 
The worst-case time complexity of such an automaton can be polynomial or even exponential, meaning that for strings of a certain shape, increasing the input length by ten characters may make the automaton about 1000 times slower.\n\nTypically, a regular expression is affected by this problem if it contains a repetition of the form `r*` or `r+` where the sub-expression `r` is ambiguous in the sense that it can match some string in multiple ways. More information about the precise circumstances can be found in the references.\n\n\n## Recommendation\nModify the regular expression to remove the ambiguity, or ensure that the strings matched with the regular expression are short enough that the time-complexity does not matter.\n\n\n## Example\nConsider this regular expression:\n\n```javascript\n\n/^_(__|.)+_$/\n```\nIts sub-expression `\"(__|.)+?\"` can match the string `\"__\"` either by the first alternative `\"__\"` to the left of the `\"|\"` operator, or by two repetitions of the second alternative `\".\"` to the right. 
Thus, a string consisting of an odd number of underscores followed by some other character will cause the regular expression engine to run for an exponential amount of time before rejecting the input.\n\nThis problem can be avoided by rewriting the regular expression to remove the ambiguity between the two branches of the alternative inside the repetition:\n\n```javascript\n\n/^_(__|[^_])+_$/\n```\n\n## References\n* OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS).\n* Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS).\n* Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity).\n* James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](https://arxiv.org/abs/1301.0849).\n* Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text 
can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n","markdown":"# Clear text transmission of sensitive cookie\nCookies that are transmitted in clear text can be intercepted by an attacker. If sensitive cookies are intercepted, the attacker can read the cookie and use it to perform actions on the user's behalf.\n\n\n## Recommendation\nAlways transmit sensitive cookies using SSL by setting the `secure` attribute on the cookie.\n\n\n## Example\nThe following example stores an authentication token in a cookie that can be transmitted in clear text.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\nTo force the cookie to be transmitted using SSL, set the `secure` attribute on the cookie.\n\n\n```javascript\nconst http = require('http');\n\nconst server = http.createServer((req, res) => {\n res.setHeader(\"Set-Cookie\", `authKey=${makeAuthkey()}; secure; httpOnly`);\n res.writeHead(200, { 'Content-Type': 'text/html' });\n res.end('

Hello world

');\n});\n```\n\n## References\n* ExpressJS: [Use cookies securely](https://expressjs.com/en/advanced/best-practice-security.html#use-cookies-securely).\n* OWASP: [Set cookie flags appropriately](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#set-cookie-flags-appropriately).\n* Mozilla: [Set-Cookie](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie).\n* Common Weakness Enumeration: [CWE-614](https://cwe.mitre.org/data/definitions/614.html).\n* Common Weakness Enumeration: [CWE-311](https://cwe.mitre.org/data/definitions/311.html).\n* Common Weakness Enumeration: [CWE-312](https://cwe.mitre.org/data/definitions/312.html).\n* Common Weakness Enumeration: [CWE-319](https://cwe.mitre.org/data/definitions/319.html).\n"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. 
The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n \n // GOOD: if a random value between 0 and 1 is desired\n var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n","markdown":"# Insecure randomness\nUsing a cryptographically weak pseudo-random number generator to generate a security-sensitive value, such as a password, makes it easier for an attacker to predict the value.\n\nPseudo-random number generators generate a sequence of numbers that only approximates the properties of random numbers. The sequence is not truly random because it is completely determined by a relatively small set of initial values, the seed. If the random number generator is cryptographically weak, then this sequence may be easily predictable through outside observations.\n\n\n## Recommendation\nUse a cryptographically secure pseudo-random number generator if the output is to be used in a security-sensitive context. As a rule of thumb, a value should be considered \"security-sensitive\" if predicting it would allow the attacker to perform an action that they would otherwise be unable to perform. 
For example, if an attacker could predict the random password generated for a new user, they would be able to log in as that new user.\n\nFor JavaScript on the NodeJS platform, `crypto.getRandomBytes` provides a cryptographically secure pseudo-random byte generator. Note that the conversion from bytes to numbers can introduce bias that breaks the security.\n\nFor JavaScript in the browser, `crypto.getRandomValues` provides a cryptographically secure pseudo-random number generator.\n\n\n## Example\nThe following examples show different ways of generating a password.\n\nIn the first case, we generate a fresh password by appending a random integer to the end of a static string. The random number generator used (`Math.random`) is not cryptographically secure, so it may be possible for an attacker to predict the generated password.\n\n\n```javascript\nfunction insecurePassword() {\n // BAD: the random suffix is not cryptographically secure\n var suffix = Math.random();\n var password = \"myPassword\" + suffix;\n return password;\n}\n\n```\nIn the second example, a cryptographically secure random number generator is used for the same purpose. 
In this case, it is much harder to predict the generated integers.\n\n\n```javascript\nfunction securePassword() {\n // GOOD: the random suffix is cryptographically secure\n var suffix = window.crypto.getRandomValues(new Uint32Array(1))[0];\n var password = \"myPassword\" + suffix;\n \n // GOOD: if a random value between 0 and 1 is desired\n var secret = window.crypto.getRandomValues(new Uint32Array(1))[0] * Math.pow(2,-32);\n}\n\n```\n\n## References\n* Wikipedia: [Pseudo-random number generator](http://en.wikipedia.org/wiki/Pseudorandom_number_generator).\n* Mozilla Developer Network: [Crypto: getRandomValues()](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues).\n* NodeJS: [crypto.randomBytes](https://nodejs.org/api/crypto.html#crypto_crypto_randombytes_size_callback)\n* Common Weakness Enumeration: [CWE-338](https://cwe.mitre.org/data/definitions/338.html).\n"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. 
Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. 
Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. 
Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Untrusted domain used in script or other content\nContent Delivery Networks (CDNs) are used to deliver content to users quickly and efficiently. However, they can change hands or be operated by untrustworthy owners, risking the security of the sites that use them. Some CDN domains are operated by entities that have used CDNs to deliver malware, which this query identifies.\n\nFor example, `polyfill.io` was a popular JavaScript CDN, used to support new web browser standards on older browsers. In February 2024 the domain was sold, and in June 2024 it was publicised that the domain had been used to serve malicious scripts. It was taken down later in that month, leaving a window where sites that used the service could have been compromised. The same operator runs several other CDNs, undermining trust in those too.\n\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. 
When including an external resource (for example, a `script` element) on a page, it is important to ensure that the received data is not malicious.\n\nEven when `https` is used, an untrustworthy operator might deliver malware.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of untrusted domains used by this query.\n\n\n## Recommendation\nCarefully research the ownership of a Content Delivery Network (CDN) before using it in your application.\n\nIf you find code that originated from an untrusted domain in your application, you should review your logs to check for compromise.\n\nTo help mitigate the risk of including a script that could be compromised in the future, consider whether you need to use polyfill or another library at all. Modern browsers do not require a polyfill, and other popular libraries were made redundant by enhancements to HTML 5.\n\nIf you do need a polyfill service or library, move to using a CDN that you trust.\n\nWhen you use a `script` or `link` element, you should check for [subresource integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity), and pin to a hash of a version of the service that you can trust (for example, because you have audited it for security and unwanted features). A dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as hashes for the content required for the major browsers used by your users.\n\nYou can also choose to self-host an uncompromised version of the service or library.\n\n\n## Example\nThe following example loads the Polyfill.io library from the `polyfill.io` CDN. 
This use was open to malicious scripts being served by the CDN.\n\n\n```html\n\n \n Polyfill.io demo\n \n \n \n ...\n \n\n```\nInstead, load the Polyfill library from a trusted CDN, as in the next example:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (but no integrity checking, since it is dynamically generated)\n \n \n \n ...\n \n\n```\nIf you know which browsers are used by the majority of your users, you can list the hashes of the polyfills for those browsers:\n\n\n```html\n\n \n Polyfill demo - Cloudflare hosted with pinned version (with integrity checking for a *very limited* browser set - just an example!)\n \n \n \n ...\n \n\n```\n\n## References\n* Sansec: [Polyfill supply chain attack hits 100K+ sites](https://sansec.io/research/polyfill-supply-chain-attack)\n* Cloudflare: [Upgrade the web. Automatically. Delivers only the polyfills required by the user's web browser.](https://cdnjs.cloudflare.com/polyfill)\n* Fastly: [New options for Polyfill.io users](https://community.fastly.com/t/new-options-for-polyfill-io-users/2540)\n* Wikipedia: [Polyfill (programming)](https://en.wikipedia.org/wiki/Polyfill_(programming))\n* MDN Web Docs: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from 
an untrusted source may allow an attacker to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. 
Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n","markdown":"# Inclusion of functionality from an untrusted source\nIncluding a resource from an untrusted source or using an untrusted channel may allow an attacker to include arbitrary code in the response. When including an external resource (for example, a `script` element or an `iframe` element) on a page, it is important to ensure that the received data is not malicious.\n\nWhen including external resources, it is possible to verify that the responding server is the intended one by using an `https` URL. 
This prevents a MITM (man-in-the-middle) attack where an attacker might have been able to spoof a server response.\n\nEven when `https` is used, an attacker might still compromise the server. When you use a `script` element, you can check for subresource integrity - that is, you can check the contents of the data received by supplying a cryptographic digest of the expected sources to the `script` element. The script will only load sources that match the digest and an attacker will be unable to modify the script even when the server is compromised.\n\nSubresource integrity (SRI) checking is commonly recommended when importing a fixed version of a library - for example, from a CDN (content-delivery network). Then, the fixed digest of that version of the library can easily be added to the `script` element's `integrity` attribute.\n\nA dynamic service cannot be easily used with SRI. Nevertheless, it is possible to list multiple acceptable SHA hashes in the `integrity` attribute, such as those for the content generated for major browers used by your users.\n\nSee the \\[\\`CUSTOMIZING.md\\`\\](https://github.com/github/codeql/blob/main/javascript/ql/src/Security/CWE-830/CUSTOMIZING.md) file in the source code for this query for information on how to extend the list of hostnames required to use SRI by this query.\n\n\n## Recommendation\nWhen an `iframe` element is used to embed a page, it is important to use an `https` URL.\n\nWhen using a `script` element to load a script, it is important to use an `https` URL and to consider checking subresource integrity.\n\n\n## Example\nThe following example loads the jQuery library from the jQuery CDN without using `https` and without checking subresource integrity.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\nInstead, loading jQuery from the same domain using `https` and checking subresource integrity is recommended, as in the next example.\n\n\n```html\n\n \n jQuery demo\n \n \n \n ...\n \n\n```\n\n## References\n* 
MDN: [Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)\n* Smashing Magazine: [Understanding Subresource Integrity](https://www.smashingmagazine.com/2019/04/understanding-subresource-integrity/)\n* Common Weakness Enumeration: [CWE-830](https://cwe.mitre.org/data/definitions/830.html).\n"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. 
Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: 
[CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n","markdown":"# Server-side request forgery\nDirectly incorporating user input in the URL of an outgoing HTTP request can enable a request forgery attack, in which the request is altered to target an unintended API endpoint or resource. If the server performing the request is connected to an internal network, this can give an attacker the means to bypass the network boundary and make requests against internal services. A forged request may perform an unintended action on behalf of the attacker, or cause information leak if redirected to an external server or if the request response is fed back to the user. It may also compromise the server making the request, if the request response is handled in an unsafe way.\n\n\n## Recommendation\nRestrict user inputs in the URL of an outgoing request, in particular:\n\n* Avoid user input in the hostname of the URL. Pick the hostname from an allow-list instead of constructing it directly from user input.\n* Take care when user input is part of the pathname of the URL. Restrict the input so that path traversal (\"`../`\") cannot be used to redirect the request to an unintended endpoint.\n\n## Example\nThe following example shows an HTTP request parameter being used directly in the URL of a request without validating the input, which facilitates an SSRF attack. The request `http.get(...)` is vulnerable since attackers can choose the value of `target` to be anything they want. 
For instance, the attacker can choose `\"internal.example.com/#\"` as the target, causing the URL used in the request to be `\"https://internal.example.com/#.example.com/data\"`.\n\nA request to `https://internal.example.com` may be problematic if that server is not meant to be directly accessible from the attacker's machine.\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n // BAD: `target` is controlled by the attacker\n http.get('https://' + target + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\nOne way to remedy the problem is to use the user input to select a known fixed string before performing the request:\n\n\n```javascript\nimport http from 'http';\n\nconst server = http.createServer(function(req, res) {\n const target = new URL(req.url, \"http://example.com\").searchParams.get(\"target\");\n\n let subdomain;\n if (target === 'EU') {\n subdomain = \"europe\"\n } else {\n subdomain = \"world\"\n }\n\n // GOOD: `subdomain` is controlled by the server\n http.get('https://' + subdomain + \".example.com/data/\", res => {\n // process request response ...\n });\n\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* Common Weakness Enumeration: [CWE-918](https://cwe.mitre.org/data/definitions/918.html).\n"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace 
information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. 
As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n","markdown":"# Information exposure through a stack trace\nSoftware developers often add stack traces to error messages, as a debugging aid. Whenever that error message occurs for an end user, the developer can use the stack trace to help identify how to fix the problem. 
In particular, stack traces can tell the developer more about the sequence of events that led to a failure, as opposed to merely the final state of the software when the error occurred.\n\nUnfortunately, the same information can be useful to an attacker. The sequence of function names in a stack trace can reveal the structure of the application as well as any internal components it relies on. Furthermore, the error message at the top of a stack trace can include information such as server-side file names and SQL code that the application relies on, allowing an attacker to fine-tune a subsequent injection attack.\n\n\n## Recommendation\nSend the user a more generic error message that reveals less information. Either suppress the stack trace entirely, or log it only on the server.\n\n\n## Example\nIn the following example, an exception is caught and its stack trace is sent back to the remote user as part of the HTTP response. As such, the user is able to see a detailed stack trace, which may contain sensitive information.\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n res.end(err.stack); // NOT OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\nInstead, the stack trace should be logged only on the server. 
That way, the developers can still access and use the error log, but remote users will not see the information:\n\n\n```javascript\nvar http = require('http');\n\nhttp.createServer(function onRequest(req, res) {\n var body;\n try {\n body = handleRequest(req);\n }\n catch (err) {\n res.statusCode = 500;\n res.setHeader(\"Content-Type\", \"text/plain\");\n log(\"Exception occurred\", err.stack);\n res.end(\"An exception occurred\"); // OK\n return;\n }\n res.statusCode = 200;\n res.setHeader(\"Content-Type\", \"application/json\");\n res.setHeader(\"Content-Length\", body.length);\n res.end(body);\n}).listen(3000);\n\n```\n\n## References\n* OWASP: [Improper Error Handling](https://owasp.org/www-community/Improper_Error_Handling).\n* Common Weakness Enumeration: [CWE-209](https://cwe.mitre.org/data/definitions/209.html).\n* Common Weakness Enumeration: [CWE-497](https://cwe.mitre.org/data/definitions/497.html).\n"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/hardcoded-credentials","name":"js/hardcoded-credentials","shortDescription":{"text":"Hard-coded credentials"},"fullDescription":{"text":"Hard-coding credentials in source code may enable an attacker to gain unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. 
For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => 
console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n","markdown":"# Hard-coded credentials\nIncluding unencrypted hard-coded authentication credentials in source code is dangerous because the credentials may be easily discovered. For example, the code may be open source, or it may be leaked or accidentally revealed, making the credentials visible to an attacker. This, in turn, might enable them to gain unauthorized access, or to obtain privileged information.\n\n\n## Recommendation\nRemove hard-coded credentials, such as user names, passwords and certificates, from source code. Instead, place them in configuration files, environment variables or other data stores if necessary. 
If possible, store configuration files including credential data separately from the source code, in a secure location with restricted access.\n\nIf the credentials are a placeholder value, make sure the value is obviously a placeholder by using a name such as `\"SampleToken\"` or `\"MyPassword\"`.\n\n\n## Example\nThe following code example connects to an HTTP request using an hard-codes authentication header:\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = 'user';\nlet password = 'passwd';\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\nInstead, user name and password can be supplied through the environment variables `username` and `password`, which can be set externally without hard-coding credentials in the source code.\n\n\n```javascript\nlet base64 = require('base-64');\n\nlet url = 'http://example.org/auth';\nlet username = process.env.USERNAME;\nlet password = process.env.PASSWORD;\n\nlet headers = new Headers();\n\nheaders.append('Content-Type', 'text/json');\nheaders.append('Authorization', 'Basic' + base64.encode(username + \":\" + password));\n\nfetch(url, {\n method:'GET',\n headers: headers\n })\n.then(response => response.json())\n.then(json => console.log(json))\n.done();\n\n```\n\n## Example\nThe following code example connects to a Postgres database using the `pg` package and hard-codes user name and password:\n\n\n```javascript\nconst pg = require(\"pg\");\n\nconst client = new pg.Client({\n user: \"bob\",\n host: \"database.server.com\",\n database: \"mydb\",\n password: \"correct-horse-battery-staple\",\n port: 3211\n});\nclient.connect();\n\n```\nInstead, user name and password can be supplied through the environment 
variables `PGUSER` and `PGPASSWORD`, which can be set externally without hard-coding credentials in the source code.\n\n\n## References\n* OWASP: [Use of hard-coded password](https://www.owasp.org/index.php/Use_of_hard-coded_password).\n* Common Weakness Enumeration: [CWE-259](https://cwe.mitre.org/data/definitions/259.html).\n* Common Weakness Enumeration: [CWE-321](https://cwe.mitre.org/data/definitions/321.html).\n* Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n"},"properties":{"tags":["security","external/cwe/cwe-259","external/cwe/cwe-321","external/cwe/cwe-798"],"description":"Hard-coding credentials in source code may enable an attacker\n to gain unauthorized access.","id":"js/hardcoded-credentials","kind":"path-problem","name":"Hard-coded credentials","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). 
Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n","markdown":"# Download of sensitive file through insecure connection\nDownloading executables or other sensitive files over an unencrypted connection can leave a server open to man-in-the-middle attacks (MITM). 
Such an attack can allow an attacker to insert arbitrary content into the downloaded file, and in the worst case, allow the attacker to execute arbitrary code on the vulnerable system.\n\n\n## Recommendation\nUse a secure transfer protocol when downloading executables or other sensitive files.\n\n\n## Example\nIn this example, a server downloads a shell script from a remote URL using the `node-fetch` library, and then executes this shell script.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('http://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\nThe HTTP protocol is vulnerable to MITM, and thus an attacker could potentially replace the downloaded shell script with arbitrary code, which gives the attacker complete control over the system.\n\nThe issue has been fixed in the example below by replacing the HTTP protocol with the HTTPS protocol.\n\n\n```javascript\nconst fetch = require(\"node-fetch\");\nconst cp = require(\"child_process\");\n\nfetch('https://mydownload.example.org/myscript.sh')\n .then(res => res.text())\n .then(script => cp.execSync(script));\n```\n\n## References\n* Wikipedia: [Man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)\n* Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials 
transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n","markdown":"# CORS misconfiguration for credentials transfer\nA server can send the `\"Access-Control-Allow-Credentials\"` CORS header to control when a browser may send user credentials in Cross-Origin HTTP requests.\n\nWhen the `Access-Control-Allow-Credentials` header is `\"true\"`, the `Access-Control-Allow-Origin` header must have a value different from `\"*\"` in order to make browsers accept the header. Therefore, to allow multiple origins for Cross-Origin requests with credentials, the server must dynamically compute the value of the `\"Access-Control-Allow-Origin\"` header. Computing this header value from information in the request to the server can therefore potentially allow an attacker to control the origins that the browser sends credentials to.\n\n\n## Recommendation\nWhen the `Access-Control-Allow-Credentials` header value is `\"true\"`, a dynamic computation of the `Access-Control-Allow-Origin` header must involve sanitization if it relies on user-controlled input.\n\nSince the `\"null\"` origin is easy to obtain for an attacker, it is never safe to use `\"null\"` as the value of the `Access-Control-Allow-Origin` header when the `Access-Control-Allow-Credentials` header value is `\"true\"`.\n\n\n## Example\nIn the example below, the server allows the browser to send user credentials in a Cross-Origin request. 
The request header `origins` controls the allowed origins for such a Cross-Origin request.\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin;\n // BAD: attacker can choose the value of origin\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n\n // ...\n});\n\n```\nThis is not secure, since an attacker can choose the value of the `origin` request header to make the browser send credentials to their own server. The use of a whitelist containing allowed origins for the Cross-Origin request fixes the issue:\n\n\n```javascript\nvar https = require('https'),\n url = require('url');\n\nvar server = https.createServer(function(){});\n\nserver.on('request', function(req, res) {\n let origin = url.parse(req.url, true).query.origin,\n whitelist = {\n \"https://example.com\": true,\n \"https://subdomain.example.com\": true,\n \"https://example.com:1337\": true\n };\n\n if (origin in whitelist) {\n // GOOD: the origin is in the whitelist\n res.setHeader(\"Access-Control-Allow-Origin\", origin);\n res.setHeader(\"Access-Control-Allow-Credentials\", true);\n }\n\n // ...\n});\n\n```\n\n## References\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Origin](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin).\n* Mozilla Developer Network: [CORS, Access-Control-Allow-Credentials](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials).\n* PortSwigger: [Exploiting CORS Misconfigurations for Bitcoins and Bounties](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n* W3C: [CORS for developers, Advice for Resource Owners](https://w3c.github.io/webappsec-cors-for-developers/#resources)\n* Common Weakness Enumeration: 
[CWE-346](https://cwe.mitre.org/data/definitions/346.html).\n* Common Weakness Enumeration: [CWE-639](https://cwe.mitre.org/data/definitions/639.html).\n* Common Weakness Enumeration: [CWE-942](https://cwe.mitre.org/data/definitions/942.html).\n"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# XML internal entity expansion\nParsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. 
This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# XML internal entity expansion\nParsing untrusted XML 
files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.\n\nIn XML, so-called *internal entities* are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.\n\nIf untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an *XML bomb* attack.\n\n\n## Recommendation\nThe safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. How this is done depends on the library being used. Note that some libraries, such as recent versions of `libxmljs` (though not its SAX parser API), disable entity expansion by default, so unless you have explicitly enabled entity expansion, no further action is needed.\n\n\n## Example\nThe following example uses the XML parser provided by the `node-expat` package to parse a string `xmlSrc`. 
If that string is from an untrusted source, this code may be vulnerable to a DoS attack, since `node-expat` expands internal entities by default:\n\n\n```javascript\nconst app = require(\"express\")(),\n expat = require(\"node-expat\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = new expat.Parser();\n parser.on(\"startElement\", handleStart);\n parser.on(\"text\", handleText);\n parser.write(xmlSrc);\n});\n\n```\nAt the time of writing, `node-expat` does not provide a way of controlling entity expansion, but the example could be rewritten to use the `sax` package instead, which only expands standard entities such as `&`:\n\n\n```javascript\nconst app = require(\"express\")(),\n sax = require(\"sax\");\n\napp.post(\"upload\", (req, res) => {\n let xmlSrc = req.body,\n parser = sax.parser(true);\n parser.onopentag = handleStart;\n parser.ontext = handleText;\n parser.write(xmlSrc);\n});\n\n```\n\n## References\n* Wikipedia: [Billion Laughs](https://en.wikipedia.org/wiki/Billion_laughs).\n* Bryan Sullivan: [Security Briefs - XML Denial of Service Attacks and Defenses](https://msdn.microsoft.com/en-us/magazine/ee335713.aspx).\n* Common Weakness Enumeration: [CWE-776](https://cwe.mitre.org/data/definitions/776.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using 
`postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n","markdown":"# Cross-window communication with unrestricted target origin\nThe `window.postMessage` method allows different windows or iframes to communicate directly, even if they were loaded from different origins, circumventing the usual same-origin policy.\n\nThe sender of the message can restrict the origin of the receiver by specifying a target origin. If the receiver window does not come from this origin, the message is not sent.\n\nAlternatively, the sender can specify a target origin of `'*'`, which means that any origin is acceptable and the message is always sent.\n\nThis feature should not be used if the message being sent contains sensitive data such as user credentials: the target window may have been loaded from a malicious site, to which the data would then become available.\n\n\n## Recommendation\nIf possible, specify a target origin when using `window.postMessage`. Alternatively, encrypt the sensitive data before sending it to prevent an unauthorized receiver from accessing it.\n\n\n## Example\nThe following example code sends user credentials (in this case, their user name) to `window.parent` without checking its origin. 
If a malicious site loads the page containing this code into an iframe it would be able to gain access to the user name.\n\n\n```javascript\nwindow.parent.postMessage(userName, '*');\n\n```\nTo prevent this from happening, the origin of the target window should be restricted, as in this example:\n\n\n```javascript\nwindow.parent.postMessage(userName, 'https://github.com');\n\n```\n\n## References\n* Mozilla Developer Network: [Window.postMessage](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage).\n* Mozilla Developer Network: [Same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).\n* Common Weakness Enumeration: [CWE-201](https://cwe.mitre.org/data/definitions/201.html).\n* Common Weakness Enumeration: [CWE-359](https://cwe.mitre.org/data/definitions/359.html).\n"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. 
Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n","markdown":"# Template Object Injection\nDirectly using user-controlled objects as arguments to template engines might allow an attacker to do local file reads or even remote code execution.\n\n\n## Recommendation\nAvoid using user-controlled objects as arguments to a template engine. 
Instead, construct the object explicitly with the specific properties needed by the template.\n\n\n## Example\nIn the example below a server uses the user-controlled `profile` object to render the `index` template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', profile);\n});\n```\nHowever, if an attacker adds a `layout` property to the `profile` object then the server will load the file specified by the `layout` property, thereby allowing an attacker to do local file reads.\n\nThe fix is to have the server construct the object, and only add the properties that are needed by the template.\n\n\n```javascript\nvar app = require('express')();\napp.set('view engine', 'hbs');\n\napp.post('/', function (req, res, next) {\n var profile = req.body.profile;\n res.render('index', {\n name: profile.name,\n location: profile.location\n });\n});\n```\n\n## References\n* blog.shoebpatel.com: [The Secret Parameter, LFR, and Potential RCE in NodeJS Apps](https://blog.shoebpatel.com/2021/01/23/The-Secret-Parameter-LFR-and-Potential-RCE-in-NodeJS-Apps/).\n* cwe.mitre.org: [CWE-73: External Control of File Name or Path](https://cwe.mitre.org/data/definitions/73.html)\n* Common Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-94](https://cwe.mitre.org/data/definitions/94.html).\n"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path 
expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n","markdown":"# Uncontrolled data used in path expression\nAccessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\n\n## Recommendation\nValidate user input before using it to construct a file path.\n\nThe validation method you should use depends on whether you want to allow the user to specify complex paths with multiple components that may span multiple folders, or only simple filenames without a path component.\n\nIn the former case, a common strategy is to make sure that the constructed file path is contained within a safe root folder. First, normalize the path using `path.resolve` or `fs.realpathSync` to remove any \"..\" segments. You should always normalize the file path since an unnormalized path that starts with the root folder can still be used to access files outside the root folder. Then, after you have normalized the path, check that the path starts with the root folder.\n\nIn the latter case, you can use a library like the `sanitize-filename` npm package to eliminate any special characters from the file path. Note that it is *not* sufficient to only remove \"../\" sequences: for example, applying this filter to \".../...//\" would still result in the string \"../\".\n\nFinally, the simplest (but most restrictive) option is to use an allow list of safe patterns and make sure that the user input matches one of these patterns.\n\n\n## Example\nIn the first (bad) example, the code reads the file name from an HTTP request, then accesses that file within a root folder. 
A malicious user could enter a file name containing \"../\" segments to navigate outside the root folder and access sensitive files.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // BAD: This function uses unsanitized input that can read any file on the file system.\n res.write(fs.readFileSync(ROOT + filePath, 'utf8'));\n});\n```\nThe second (good) example shows how to avoid access to sensitive files by sanitizing the file path. First, the code resolves the file name relative to a root folder, normalizing the path and removing any \"../\" segments in the process. Then, the code calls `fs.realpathSync` to resolve any symbolic links in the path. Finally, the code checks that the normalized path starts with the path of the root folder, ensuring the file is contained within the root folder.\n\n\n```javascript\nconst fs = require('fs'),\n http = require('http'),\n path = require('path'),\n url = require('url');\n\nconst ROOT = \"/var/www/\";\n\nvar server = http.createServer(function(req, res) {\n let filePath = url.parse(req.url, true).query.path;\n\n // GOOD: Verify that the file path is under the root directory\n filePath = fs.realpathSync(path.resolve(ROOT, filePath));\n if (!filePath.startsWith(ROOT)) {\n res.statusCode = 403;\n res.end();\n return;\n }\n res.write(fs.readFileSync(filePath, 'utf8'));\n});\n```\n\n## References\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* npm: [sanitize-filename](https://www.npmjs.com/package/sanitize-filename) package.\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-36](https://cwe.mitre.org/data/definitions/36.html).\n* Common 
Weakness Enumeration: [CWE-73](https://cwe.mitre.org/data/definitions/73.html).\n* Common Weakness Enumeration: [CWE-99](https://cwe.mitre.org/data/definitions/99.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. 
This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path 
Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n","markdown":"# Arbitrary file access during archive extraction (\"Zip Slip\")\nExtracting files from a malicious zip file, or similar type of archive, is at risk of directory traversal attacks if filenames from the archive are not properly validated. archive paths.\n\nZip archives contain archive entries representing each file in the archive. These entries include a file path for the entry, but these file paths are not restricted and may contain unexpected special elements such as the directory traversal element (`..`). If these file paths are used to create a filesystem path, then a file operation may happen in an unexpected location. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.\n\nFor example, if a zip file contains a file entry `..\\sneaky-file`, and the zip file is extracted to the directory `c:\\output`, then naively combining the paths would result in an output file path of `c:\\output\\..\\sneaky-file`, which would cause the file to be written to `c:\\sneaky-file`.\n\n\n## Recommendation\nEnsure that output paths constructed from zip archive entries are validated to prevent writing files to unexpected locations.\n\nThe recommended way of writing an output file from a zip archive entry is to check that `\"..\"` does not occur in the path.\n\n\n## Example\nIn this example an archive is extracted without validating file paths. 
If `archive.zip` contained relative paths (for instance, if it were created by something like `zip archive.zip ../file.txt`) then executing this code could write to locations outside the destination directory.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // BAD: This could write any file on the filesystem.\n entry.pipe(fs.createWriteStream(fileName));\n });\n\n```\nTo fix this vulnerability, we need to check that the path does not contain any `\"..\"` elements in it.\n\n\n```javascript\nconst fs = require('fs');\nconst unzip = require('unzip');\n\nfs.createReadStream('archive.zip')\n .pipe(unzip.Parse())\n .on('entry', entry => {\n const fileName = entry.path;\n // GOOD: ensures the path is safe to write to.\n if (fileName.indexOf('..') == -1) {\n entry.pipe(fs.createWriteStream(fileName));\n }\n else {\n console.log('skipping bad path', fileName);\n }\n });\n\n```\n\n## References\n* Snyk: [Zip Slip Vulnerability](https://snyk.io/research/zip-slip-vulnerability).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* Common Weakness Enumeration: [CWE-22](https://cwe.mitre.org/data/definitions/22.html).\n"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression 
ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Overly permissive regular expression range\nIt's easy to write a regular expression range that matches a wider range of characters than you intended. For example, `/[a-zA-z]/` matches all lowercase and all uppercase letters, as you would expect, but it also matches the characters: `` [ \\ ] ^ _ ` ``.\n\nAnother common problem is failing to escape the dash character in a regular expression. An unescaped dash is interpreted as part of a range. For example, in the character class `[a-zA-Z0-9%=.,-_]` the last character range matches the 55 characters between `,` and `_` (both included), which overlaps with the range `[0-9]` and is clearly not intended by the writer.\n\n\n## Recommendation\nAvoid any confusion about which characters are included in the range by writing unambiguous regular expressions. Always check that character ranges match only the expected characters.\n\n\n## Example\nThe following example code is intended to check whether a string is a valid 6 digit hex color.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9a-fA-f]{6}$/i.test(color);\n}\n\n```\nHowever, the `A-f` range is overly large and matches every uppercase character. 
It would parse a \"color\" like `#XXYYZZ` as valid.\n\nThe fix is to use an uppercase `A-F` range instead.\n\n```javascript\n\nfunction isValidHexColor(color) {\n return /^#[0-9A-F]{6}$/i.test(color);\n}\n\n```\n\n## References\n* GitHub Advisory Database: [CVE-2021-42740: Improper Neutralization of Special Elements used in a Command in Shell-quote](https://github.com/advisories/GHSA-g4rg-993r-mgx7)\n* wh0.github.io: [Exploiting CVE-2021-42740](https://wh0.github.io/2021/10/28/shell-quote-rce-exploiting.html)\n* Yosuke Ota: [no-obscure-range](https://ota-meshi.github.io/eslint-plugin-regexp/rules/no-obscure-range.html)\n* Paul Boyd: [The regex \\[,-.\\]](https://pboyd.io/posts/comma-dash-dot/)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. 
However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incorrect suffix check\nThe `indexOf` and `lastIndexOf` methods are sometimes used to check if a substring occurs at a certain position in a string. However, if the returned index is compared to an expression that might evaluate to -1, the check may pass in some cases where the substring was not found at all.\n\nSpecifically, this can easily happen when implementing `endsWith` using `indexOf`.\n\n\n## Recommendation\nUse `String.prototype.endsWith` if it is available. 
Otherwise, explicitly handle the -1 case, either by checking the relative lengths of the strings, or by checking if the returned index is -1.\n\n\n## Example\nThe following example uses `lastIndexOf` to determine if the string `x` ends with the string `y`:\n\n\n```javascript\nfunction endsWith(x, y) {\n return x.lastIndexOf(y) === x.length - y.length;\n}\n\n```\nHowever, if `y` is one character longer than `x`, the right-hand side `x.length - y.length` becomes -1, which then equals the return value of `lastIndexOf`. This will make the test pass, even though `x` does not end with `y`.\n\nTo avoid this, explicitly check for the -1 case:\n\n\n```javascript\nfunction endsWith(x, y) {\n let index = x.lastIndexOf(y);\n return index !== -1 && index === x.length - y.length;\n}\n\n```\n\n## References\n* MDN: [String.prototype.endsWith](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith)\n* MDN: [String.prototype.indexOf](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an 
important technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete regular expression for hostnames\nSanitizing untrusted URLs is an important 
technique for preventing attacks such as request forgeries and malicious redirections. Often, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nIf a regular expression implements such a check, it is easy to accidentally make the check too permissive by not escaping the `.` meta-characters appropriately. Even if the check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when it accidentally succeeds.\n\n\n## Recommendation\nEscape all meta-characters appropriately when constructing regular expressions for security checks, and pay special attention to the `.` meta-character.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n let regex = /^((www|beta).)?example.com/;\n if (host.match(regex)) {\n res.redirect(url);\n }\n});\n\n```\nThe check is however easy to bypass because the unescaped `.` allows for any character before `example.com`, effectively allowing the redirect to go to an attacker-controlled domain such as `wwwXexample.com`.\n\nAddress this vulnerability by escaping `.` appropriately: `let regex = /^((www|beta)\\.)?example\\.com/`.\n\n\n## References\n* MDN: [Regular Expressions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions)\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname 
against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. 
For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Incomplete URL substring sanitization\nSanitizing untrusted URLs is an important technique for preventing attacks such as request forgeries and malicious redirections. Usually, this is done by checking that the host of a URL is in a set of allowed hosts.\n\nHowever, treating the URL as a string and checking if one of the allowed hosts is a substring of the URL is very prone to errors. 
Malicious URLs can bypass such security checks by embedding one of the allowed hosts in an unexpected location.\n\nEven if the substring check is not used in a security-critical context, the incomplete check may still cause undesirable behaviors when the check succeeds accidentally.\n\n\n## Recommendation\nParse a URL before performing a check on its host value, and ensure that the check handles arbitrary subdomain sequences correctly.\n\n\n## Example\nThe following example code checks that a URL redirection will reach the `example.com` domain, or one of its subdomains, and not some malicious site.\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\");\n // BAD: the host of `url` may be controlled by an attacker\n if (url.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThe substring check is, however, easy to bypass. For example by embedding `example.com` in the path component: `http://evil-example.net/example.com`, or in the query string component: `http://evil-example.net/?x=example.com`. Address these shortcomings by checking the host of the parsed URL instead:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param(\"url\"),\n host = urlLib.parse(url).host;\n // BAD: the host of `url` may be controlled by an attacker\n if (host.includes(\"example.com\")) {\n res.redirect(url);\n }\n});\n\n```\nThis is still not a sufficient check as the following URLs bypass it: `http://evil-example.com` `http://example.com.evil-example.net`. 
Instead, use an explicit whitelist of allowed hosts to make the redirect secure:\n\n\n```javascript\napp.get('/some/path', function(req, res) {\n let url = req.param('url'),\n host = urlLib.parse(url).host;\n // GOOD: the host of `url` can not be controlled by an attacker\n let allowedHosts = [\n 'example.com',\n 'beta.example.com',\n 'www.example.com'\n ];\n if (allowedHosts.includes(host)) {\n res.redirect(url);\n }\n});\n\n```\n\n## References\n* OWASP: [SSRF](https://www.owasp.org/index.php/Server_Side_Request_Forgery)\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. 
For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n","markdown":"# Incomplete URL scheme check\nURLs starting with `javascript:` can be used to encode JavaScript code to be executed when the URL is visited. While this is a powerful mechanism for creating feature-rich and responsive web applications, it is also a potential security risk: if the URL comes from an untrusted source, it might contain harmful JavaScript code. 
For this reason, many frameworks and libraries first check the URL scheme of any untrusted URL, and reject URLs with the `javascript:` scheme.\n\nHowever, the `data:` and `vbscript:` schemes can be used to represent executable code in a very similar way, so any validation logic that checks against `javascript:`, but not against `data:` and `vbscript:`, is likely to be insufficient.\n\n\n## Recommendation\nAdd checks covering both `data:` and `vbscript:`.\n\n\n## Example\nThe following function validates a (presumably untrusted) URL `url`. If it starts with `javascript:` (case-insensitive and potentially preceded by whitespace), the harmless placeholder URL `about:blank` is returned to prevent code injection; otherwise `url` itself is returned.\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\nWhile this check provides partial projection, it should be extended to cover `data:` and `vbscript:` as well:\n\n\n```javascript\nfunction sanitizeUrl(url) {\n let u = decodeURI(url).trim().toLowerCase();\n if (u.startsWith(\"javascript:\") || u.startsWith(\"data:\") || u.startsWith(\"vbscript:\"))\n return \"about:blank\";\n return url;\n}\n\n```\n\n## References\n* WHATWG: [URL schemes](https://wiki.whatwg.org/wiki/URL_schemes).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme 
check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. 
Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Useless regular-expression character escape\nWhen a character in a string literal or regular expression literal is preceded by a backslash, it is interpreted as part of an escape sequence. For example, the escape sequence `\\n` in a string literal corresponds to a single `newline` character, and not the `\\` and `n` characters. However, not all characters change meaning when used in an escape sequence. In this case, the backslash just makes the character appear to mean something else, and the backslash actually has no effect. For example, the escape sequence `\\k` in a string literal just means `k`. Such superfluous escape sequences are usually benign, and do not change the behavior of the program.\n\nThe set of characters that change meaning when in escape sequences is different for regular expression literals and string literals. 
This can be problematic when a regular expression literal is turned into a regular expression that is built from one or more string literals. The problem occurs when a regular expression escape sequence loses its special meaning in a string literal.\n\n\n## Recommendation\nEnsure that the right amount of backslashes is used when escaping characters in strings, template literals and regular expressions. Pay special attention to the number of backslashes when rewriting a regular expression as a string literal.\n\n\n## Example\nThe following example code checks that a string is `\"my-marker\"`, possibly surrounded by white space:\n\n\n```javascript\nlet regex = new RegExp('(^\\s*)my-marker(\\s*$)'),\n isMyMarkerText = regex.test(text);\n\n```\nHowever, the check does not work properly for white space as the two `\\s` occurrences are semantically equivalent to just `s`, meaning that the check will succeed for strings like `\"smy-markers\"` instead of `\" my-marker \"`. Address these shortcomings by either using a regular expression literal (`/(^\\s*)my-marker(\\s*$)/`), or by adding extra backslashes (`'(^\\\\s*)my-marker(\\\\s*$)'`).\n\n\n## References\n* MDN: [Regular expression escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#Escaping)\n* MDN: [String escape notation](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String#Escape_notation)\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character 
escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n","markdown":"# Case-sensitive middleware path\nUsing a case-sensitive regular expression path in a middleware route enables an attacker to bypass that middleware when accessing an endpoint with a case-insensitive path. Paths specified using a string are case-insensitive, whereas regular expressions are case-sensitive by default.\n\n\n## Recommendation\nWhen using a regular expression as a middleware path, make sure the regular expression is case-insensitive by adding the `i` flag.\n\n\n## Example\nThe following example restricts access to paths in the `/admin` path to users logged in as administrators:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\nA path such as `/admin/users/45` can only be accessed by an administrator. 
However, the path `/ADMIN/USERS/45` can be accessed by anyone because the upper-case path doesn't match the case-sensitive regular expression, whereas Express considers it to match the path string `/admin/users`.\n\nThe issue can be fixed by adding the `i` flag to the regular expression:\n\n\n```javascript\nconst app = require('express')();\n\napp.use(/\\/admin\\/.*/i, (req, res, next) => {\n if (!req.user.isAdmin) {\n res.status(401).send('Unauthorized');\n } else {\n next();\n }\n});\n\napp.get('/admin/users/:id', (req, res) => {\n res.send(app.database.users[req.params.id]);\n});\n\n```\n\n## References\n* MDN [Regular Expression Flags](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions#advanced_searching_with_flags).\n* Common Weakness Enumeration: [CWE-178](https://cwe.mitre.org/data/definitions/178.html).\n"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. 
The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n","markdown":"# JWT missing secret or public key verification\nApplications decoding JSON Web Tokens (JWT) may be misconfigured due to the `None` algorithm.\n\nThe `None` algorithm is selected by calling the `verify()` function with a falsy value instead of a cryptographic secret or key. 
The `None` algorithm disables the integrity enforcement of a JWT payload and may allow a malicious actor to make unintended changes to a JWT payload leading to critical security issues like privilege escalation.\n\n\n## Recommendation\nCalls to `verify()` functions should use a cryptographic secret or key to decode JWT payloads.\n\n\n## Example\nIn the example below, `false` is used to disable the integrity enforcement of a JWT payload. This may allow a malicious actor to make changes to a JWT payload.\n\n\n```javascript\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"none\" })\njwt.verify(token, false, { algorithms: [\"HS256\", \"none\"] })\n```\nThe following code fixes the problem by using a cryptographic secret or key to decode JWT payloads.\n\n\n```javascript\n\nconst jwt = require(\"jsonwebtoken\");\n\nconst secret = \"my-secret-key\";\n\nvar token = jwt.sign({ foo: 'bar' }, secret, { algorithm: \"HS256\" }) \njwt.verify(token, secret, { algorithms: [\"HS256\", \"none\"] })\n```\n\n## References\n* Auth0 Blog: [Meet the \"None\" Algorithm](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#Meet-the--None--Algorithm).\n* Common Weakness Enumeration: [CWE-347](https://cwe.mitre.org/data/definitions/347.html).\n"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to 
denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: 
[CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n","markdown":"# Missing rate limiting\nHTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.\n\n\n## Recommendation\nA rate-limiting middleware should be used to prevent such attacks.\n\n\n## Example\nThe following example shows an Express application that serves static files without rate limiting:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\nTo prevent denial-of-service attacks, the `express-rate-limit` package can be used:\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\n// set up rate limiter: maximum of five requests per minute\nvar RateLimit = require('express-rate-limit');\nvar limiter = RateLimit({\n windowMs: 15 * 60 * 1000, // 15 minutes\n max: 100, // max 100 requests per windowMs\n});\n\n// apply rate limiter to all requests\napp.use(limiter);\n\napp.get('/:path', function(req, res) {\n let path = req.params.path;\n if (isValidPath(path))\n res.sendFile(path);\n});\n\n```\n\n## References\n* OWASP: [Denial of Service Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Denial_of_Service_Cheat_Sheet.html).\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* NPM: [express-rate-limit](https://www.npmjs.com/package/express-rate-limit).\n* Common Weakness Enumeration: 
[CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n* Common Weakness Enumeration: [CWE-307](https://cwe.mitre.org/data/definitions/307.html).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... 
use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... 
use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n","markdown":"# Resource exhaustion\nApplications are constrained by how many resources they can make use of. Failing to respect these constraints may cause the application to be unresponsive or crash. It is therefore problematic if attackers can control the sizes or lifetimes of allocated objects.\n\n\n## Recommendation\nEnsure that attackers can not control object sizes and their lifetimes. 
If object sizes and lifetimes must be controlled by external parties, ensure you restrict the object sizes and lifetimes so that they are within acceptable ranges.\n\n\n## Example\nThe following example allocates a buffer with a user-controlled size.\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet buffer = Buffer.alloc(size); // BAD\n\n\t// ... use the buffer\n});\n```\nThis is problematic since an attacker can choose a size that makes the application run out of memory. Even worse, in older versions of Node.js, this could leak confidential memory. To prevent such attacks, limit the buffer size:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet buffer = Buffer.alloc(size); // GOOD\n\n\t// ... use the buffer\n});\n```\n\n## Example\nAs another example, consider an application that allocates an array with a user-controlled size, and then fills it with values:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tlet dogs = new Array(size).fill(\"dog\"); // BAD\n\n\t// ... use the dog\n});\n```\nThe allocation of the array itself is not problematic since arrays are allocated sparsely, but the subsequent filling of the array will take a long time, causing the application to be unresponsive, or even run out of memory. 
Again, a limit on the size will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar size = parseInt(url.parse(req.url, true).query.size);\n\n\tif (size > 1024) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tlet dogs = new Array(size).fill(\"dog\"); // GOOD\n\n\t// ... use the dogs\n});\n```\n\n## Example\nFinally, the following example lets a user choose a delay after which a function is executed:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tsetTimeout(f, delay); // BAD\n\n});\n\n```\nThis is problematic because a large delay essentially makes the application wait indefinitely before executing the function. Repeated registrations of such delays will therefore use up all of the memory in the application. 
A limit on the delay will prevent the attack:\n\n\n```javascript\nvar http = require(\"http\"),\n url = require(\"url\");\n\nvar server = http.createServer(function(req, res) {\n\tvar delay = parseInt(url.parse(req.url, true).query.delay);\n\n\tif (delay > 1000) {\n\t\tres.statusCode = 400;\n\t\tres.end(\"Bad request.\");\n\t\treturn;\n\t}\n\n\tsetTimeout(f, delay); // GOOD\n\n});\n\n```\n\n## References\n* Wikipedia: [Denial-of-service attack](https://en.wikipedia.org/wiki/Denial-of-service_attack).\n* Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html).\n* Common Weakness Enumeration: [CWE-770](https://cwe.mitre.org/data/definitions/770.html).\n"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes 
file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Stored cross-site scripting\nDirectly using uncontrolled stored value (for example, file names) to create HTML content without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *stored* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before using uncontrolled stored values to create HTML content, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes file names directly to a HTTP response. This leaves the website vulnerable to cross-site scripting, if an attacker can choose the file names on the disk.\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // BAD: `fileName` can contain HTML elements\n list += '
  • ' + fileName + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\nSanitizing the file names prevents the vulnerability:\n\n\n```javascript\nvar express = require('express'),\n fs = require('fs'),\n escape = require('escape-html');\n\nexpress().get('/list-directory', function(req, res) {\n fs.readdir('/public', function (error, fileNames) {\n var list = '
    ';\n fileNames.forEach(fileName => {\n // GOOD: escaped `fileName` can not contain HTML elements\n list += '
  • ' + escape(fileName) + '
  • ';\n });\n list += '
'\n res.send(list);\n });\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. 
If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. 
The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# DOM text reinterpreted as HTML\nExtracting text from a DOM node and interpreting it as HTML can lead to a cross-site scripting vulnerability.\n\nA webpage with this vulnerability reads text from the DOM, and afterwards adds the text as HTML to the DOM. Using text from the DOM as HTML effectively unescapes the text, and thereby invalidates any escaping done on the text. If an attacker is able to control the safe sanitized text, then this vulnerability can be exploited to perform a cross-site scripting attack.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing text to the page, or one of the other solutions that are mentioned in the References section below.\n\n\n## Example\nThe following example shows a webpage using a `data-target` attribute to select and manipulate a DOM element using the JQuery library. 
In the example, the `data-target` attribute is read into the `target` variable, and the `$` function is then supposed to use the `target` variable as a CSS selector to determine which element should be manipulated.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n $(target).hide();\n});\n\n```\nHowever, if an attacker can control the `data-target` attribute, then the value of `target` can be used to cause the `$` function to execute arbitrary JavaScript.\n\nThe above vulnerability can be fixed by using `$.find` instead of `$`. The `$.find` function will only interpret `target` as a CSS selector and never as HTML, thereby preventing an XSS attack.\n\n\n```javascript\n$(\"button\").click(function () {\n var target = $(this).attr(\"data-target\");\n\t$.find(target).hide();\n});\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as 
HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. 
For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Exception text reinterpreted as HTML\nDirectly writing error messages to a webpage without sanitization allows for a cross-site scripting vulnerability if parts of the error message can be influenced by a user.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows an exception being written directly to the document, and this exception can potentially be influenced by the page URL, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n \n try {\n var parsed = unknownParseFunction(deflt); \n } catch(e) {\n document.write(\"Had an error: \" + e + \".\");\n }\n}\n\n```\n\n## Example\nThis second example shows an input being validated using the JSON schema validator `ajv`, and in case of an error, the error message is sent directly back in 
the response.\n\n\n```javascript\nimport express from 'express';\nimport Ajv from 'ajv';\n\nlet app = express();\nlet ajv = new Ajv();\n\najv.addSchema({type: 'object', additionalProperties: {type: 'number'}}, 'pollData');\n\napp.post('/polldata', (req, res) => {\n if (!ajv.validate('pollData', req.body)) {\n res.send(ajv.errorsText());\n }\n});\n\n```\nThis is unsafe, because the error message can contain parts of the input. For example, the input `{'': 'foo'}` will generate the error `data/ should be number`, causing reflected XSS.\n\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side cross-site 
scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\nDirectly writing user input (for example, a URL query parameter) to a webpage without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *DOM-based* cross-site scripting, to distinguish it from 
other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the page, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example shows part of the page URL being written directly to the document, leaving the website vulnerable to cross-site scripting.\n\n\n```javascript\nfunction setLanguageOptions() {\n var href = document.location.href,\n deflt = href.substring(href.indexOf(\"default=\")+8);\n document.write(\"\");\n document.write(\"\");\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for 
clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. 
The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe jQuery plugin\nLibrary plugins, such as those for the jQuery library, are often configurable through options provided by the clients of the plugin. 
Clients, however, do not know the implementation details of the plugin, so it is important to document the capabilities of each option. The documentation for the plugin options that the client is responsible for sanitizing is of particular importance. Otherwise, the plugin may write user input (for example, a URL query parameter) to a web page without properly sanitizing it first, which allows for a cross-site scripting vulnerability in the client application through dynamic HTML construction.\n\n\n## Recommendation\nDocument all options that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example shows a jQuery plugin that selects a DOM element, and copies its text content to another DOM element. The selection is performed by using the plugin option `sourceSelector` as a CSS selector.\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// BAD may evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\nThis is, however, not a safe plugin, since the call to `jQuery` interprets `sourceSelector` as HTML if it is a string that starts with `<`.\n\nInstead of documenting that the client is responsible for sanitizing `sourceSelector`, the plugin can use `jQuery.find` to always interpret `sourceSelector` as a CSS selector:\n\n\n```javascript\njQuery.fn.copyText = function(options) {\n\t// GOOD may not evaluate `options.sourceSelector` as HTML\n\tvar source = jQuery.find(options.sourceSelector),\n\t text = source.text();\n\tjQuery(this).text(text);\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP 
[DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* jQuery: [Plugin creation](https://learn.jquery.com/plugins/basic-plugin-creation/).\n* Bootstrap: [XSS vulnerable bootstrap plugins](https://github.com/twbs/bootstrap/pull/27047).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. 
If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site 
scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe HTML constructed from library input\nWhen a library function dynamically constructs HTML in a potentially unsafe way, then it's important to document to clients of the library that the function should only be used with trusted inputs. If the function is not documented as being potentially unsafe, then a client may inadvertently use inputs containing unsafe HTML fragments, and thereby leave the client vulnerable to cross-site scripting attacks.\n\n\n## Recommendation\nDocument all library functions that can lead to cross-site scripting attacks, and guard against unsafe inputs where dynamic HTML construction is not intended.\n\n\n## Example\nThe following example has a library function that renders a boldface name by writing to the `innerHTML` property of an element.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + name + \"\";\n}\n\n```\nThis library function, however, does not escape unsafe HTML, and a client that calls the function with user-supplied input may be vulnerable to cross-site scripting attacks.\n\nThe library could either document that this function should not be used with unsafe inputs, or use safe APIs such as `innerText`.\n\n\n```javascript\nmodule.exports = function showBoldName(name) {\n const bold = document.createElement('b');\n bold.innerText = name;\n document.getElementById('name').appendChild(bold);\n}\n\n```\nAlternatively, an HTML sanitizer can be used to remove unsafe content.\n\n\n```javascript\n\nconst striptags = require('striptags');\nmodule.exports = function showBoldName(name) {\n document.getElementById('name').innerHTML = \"\" + striptags(name) + \"\";\n}\n\n```\n\n## References\n* OWASP: [DOM 
based XSS Prevention Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet).\n* OWASP [DOM Based XSS](https://www.owasp.org/index.php/DOM_Based_XSS).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the 
references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Reflected cross-site scripting\nDirectly writing user input (for example, an HTTP request parameter) to an HTTP response without properly sanitizing the input first, allows for a cross-site scripting vulnerability.\n\nThis kind of vulnerability is also called *reflected* cross-site scripting, to distinguish it from other types of cross-site scripting.\n\n\n## Recommendation\nTo guard against cross-site scripting, consider using contextual output 
encoding/escaping before writing user input to the response, or one of the other solutions that are mentioned in the references.\n\n\n## Example\nThe following example code writes part of an HTTP request (which is controlled by the user) directly to the response. This leaves the website vulnerable to cross-site scripting.\n\n\n```javascript\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // BAD: a request parameter is incorporated without validation into the response\n res.send(\"Unknown user: \" + req.params.id);\n else\n // TODO: do something exciting\n ;\n});\n\n```\nSanitizing the user-controlled data prevents the vulnerability:\n\n\n```javascript\nvar escape = require('escape-html');\n\nvar app = require('express')();\n\napp.get('/user/:id', function(req, res) {\n if (!isValidUserId(req.params.id))\n // GOOD: request parameter is sanitized before incorporating it into the response\n res.send(\"Unknown user: \" + escape(req.params.id));\n else\n // TODO: do something exciting\n ;\n});\n\n```\n\n## References\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site Scripting](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site 
scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n","markdown":"# Loop bound injection\nUsing the `.length` property of an untrusted object as a loop bound may cause indefinite looping since a malicious attacker can set the `.length` property to a very large number. For example, when a program that expects an array is passed a JSON object such as `{length: 1e100}`, the loop will be run for 10100 iterations. This may cause the program to hang or run out of memory, which can be used to mount a denial-of-service (DoS) attack.\n\n\n## Recommendation\nEither check that the object is indeed an array or limit the size of the `.length` property.\n\n\n## Example\nIn the example below, an HTTP request handler iterates over a user-controlled object `obj` using the `obj.length` property in order to copy the elements from `obj` to an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n\n var ret = [];\n\n // Potential DoS if obj.length is large.\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\nThis is not secure since an attacker can control the value of `obj.length`, and thereby cause the loop to iterate indefinitely. 
Here the potential DoS is fixed by enforcing that the user-controlled object is an array.\n\n\n```javascript\nvar express = require('express');\nvar app = express();\n\napp.post(\"/foo\", (req, res) => {\n var obj = req.body;\n \n if (!(obj instanceof Array)) { // Prevents DoS.\n return [];\n }\n\n var ret = [];\n\n for (var i = 0; i < obj.length; i++) {\n ret.push(obj[i]);\n }\n});\n\n```\n\n## References\n* Common Weakness Enumeration: [CWE-834](https://cwe.mitre.org/data/definitions/834.html).\n* Common Weakness Enumeration: [CWE-730](https://cwe.mitre.org/data/definitions/730.html).\n"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. 
This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n","markdown":"# XPath injection\nIf an XPath expression is built using string concatenation, and the components of the concatenation include user input, it makes it very easy for a user to create a malicious XPath expression.\n\n\n## Recommendation\nIf user input must be included in an XPath expression, either sanitize the data or use variable references to safely embed it without altering the structure of the expression.\n\n\n## 
Example\nIn this example, the code accepts a user name specified by the user, and uses this unvalidated and unsanitized value in an XPath expression constructed using the `xpath` package. This is vulnerable to the user providing special characters or string sequences that change the meaning of the XPath expression to search for different values.\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // BAD: Use user-provided data directly in an XPath expression\n let badXPathExpr = xpath.parse(\"//users/user[login/text()='\" + userName + \"']/home_dir/text()\");\n badXPathExpr.select({\n node: root\n });\n});\n\n```\nInstead, embed the user input using the variable replacement mechanism offered by `xpath`:\n\n\n```javascript\nconst express = require('express');\nconst xpath = require('xpath');\nconst app = express();\n\napp.get('/some/route', function(req, res) {\n let userName = req.param(\"userName\");\n\n // GOOD: Embed user-provided data using variables\n let goodXPathExpr = xpath.parse(\"//users/user[login/text()=$userName]/home_dir/text()\");\n goodXPathExpr.select({\n node: root,\n variables: { userName: userName }\n });\n});\n\n```\n\n## References\n* OWASP: [Testing for XPath Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/09-Testing_for_XPath_Injection).\n* OWASP: [XPath Injection](https://www.owasp.org/index.php/XPATH_Injection).\n* npm: [xpath](https://www.npmjs.com/package/xpath).\n* Common Weakness Enumeration: [CWE-643](https://cwe.mitre.org/data/definitions/643.html).\n"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the 
user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. 
This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: [CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n","markdown":"# Bad HTML filtering regexp\nIt is possible to match some single HTML tags using regular expressions (parsing general HTML using regular expressions is impossible). However, if the regular expression is not written well it might be possible to circumvent it, which can lead to cross-site scripting or other security issues.\n\nSome of these mistakes are caused by browsers having very forgiving HTML parsers, and will often render invalid HTML containing syntax errors. 
Regular expressions that attempt to match HTML should also recognize tags containing such syntax errors.\n\n\n## Recommendation\nUse a well-tested sanitization or parser library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation.\n\n\n## Example\nThe following example attempts to filters out all `` as script end tags, but also tags such as `` even though it is a parser error. This means that an attack string such as `` will not be filtered by the function, and `alert(1)` will be executed by a browser if the string is rendered as HTML.\n\nOther corner cases include that HTML comments can end with `--!>`, and that HTML tag names can contain upper case characters.\n\n\n## References\n* Securitum: [The Curious Case of Copy & Paste](https://research.securitum.com/the-curious-case-of-copy-paste/).\n* stackoverflow.com: [You can't parse \\[X\\]HTML with regex](https://stackoverflow.com/questions/1732348/regex-match-open-tags-except-xhtml-self-contained-tags#answer-1732454).\n* HTML Standard: [Comment end bang state](https://html.spec.whatwg.org/multipage/parsing.html#comment-end-bang-state).\n* stackoverflow.com: [Why aren't browsers strict about HTML?](https://stackoverflow.com/questions/25559999/why-arent-browsers-strict-about-html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n* Common Weakness Enumeration: [CWE-80](https://cwe.mitre.org/data/definitions/80.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-184](https://cwe.mitre.org/data/definitions/184.html).\n* Common Weakness Enumeration: [CWE-185](https://cwe.mitre.org/data/definitions/185.html).\n* Common Weakness Enumeration: 
[CWE-186](https://cwe.mitre.org/data/definitions/186.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Unsafe expansion of self-closing HTML tag\nSanitizing untrusted input for HTML meta-characters is a common technique for preventing cross-site scripting attacks. But even a sanitized input can be dangerous to use if it is modified further before a browser treats it as HTML. A seemingly innocent transformation that expands a self-closing HTML tag from `
` to `
` may in fact cause cross-site scripting vulnerabilities.\n\n\n## Recommendation\nUse a well-tested sanitization library if at all possible, and avoid modifying sanitized values further before treating them as HTML.\n\nAn even safer alternative is to design the application so that sanitization is not needed, for instance by using HTML templates that are explicit about the values they treat as HTML.\n\n\n## Example\nThe following function transforms a self-closing HTML tag to a pair of open/close tags. It does so for all non-`img` and non-`area` tags, by using a regular expression with two capture groups. The first capture group corresponds to the name of the tag, and the second capture group to the content of the tag.\n\n\n```javascript\nfunction expandSelfClosingTags(html) {\n\tvar rxhtmlTag = /<(?!img|area)(([a-z][^\\w\\/>]*)[^>]*)\\/>/gi;\n\treturn html.replace(rxhtmlTag, \"<$1>\"); // BAD\n}\n\n```\nWhile it is generally known regular expressions are ill-suited for parsing HTML, variants of this particular transformation pattern have long been considered safe.\n\nHowever, the function is not safe. As an example, consider the following string:\n\n\n```html\n
\n\"/>\n\n```\nWhen the above function transforms the string, it becomes a string that results in an alert when a browser treats it as HTML.\n\n\n```html\n
\n\"/>\n\n```\n\n## References\n* jQuery: [Security fixes in jQuery 3.5.0](https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/)\n* OWASP: [DOM based XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html).\n* OWASP: [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* OWASP [Types of Cross-Site](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* Wikipedia: [Cross-site scripting](http://en.wikipedia.org/wiki/Cross-site_scripting).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. 
For example, the less-than character is encoded as `<` and the double-quote character as `"`. Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. 
For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n","markdown":"# Double escaping or unescaping\nEscaping meta-characters in untrusted input is an important technique for preventing injection attacks such as cross-site scripting. One particular example of this is HTML entity encoding, where HTML special characters are replaced by HTML character entities to prevent them from being interpreted as HTML markup. For example, the less-than character is encoded as `<` and the double-quote character as `"`. 
Other examples include backslash-escaping for including untrusted data in string literals and percent-encoding for URI components.\n\nThe reverse process of replacing escape sequences with the characters they represent is known as unescaping.\n\nNote that the escape characters themselves (such as ampersand in the case of HTML encoding) play a special role during escaping and unescaping: they are themselves escaped, but also form part of the escaped representations of other characters. Hence care must be taken to avoid double escaping and unescaping: when escaping, the escape character must be escaped first, when unescaping it has to be unescaped last.\n\nIf used in the context of sanitization, double unescaping may render the sanitization ineffective. Even if it is not used in a security-critical context, it may still result in confusing or garbled output.\n\n\n## Recommendation\nUse a (well-tested) sanitization library if at all possible. These libraries are much more likely to handle corner cases correctly than a custom implementation. For URI encoding, you can use the standard `encodeURIComponent` and `decodeURIComponent` functions.\n\nOtherwise, make sure to always escape the escape character first, and unescape it last.\n\n\n## Example\nThe following example shows a pair of hand-written HTML encoding and decoding functions:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\");\n};\n\n```\nThe encoding function correctly handles ampersand before the other characters. For example, the string `me & \"you\"` is encoded as `me & "you"`, and the string `"` is encoded as `&quot;`.\n\nThe decoding function, however, incorrectly decodes `&` into `&` before handling the other characters. 
So while it correctly decodes the first example above, it decodes the second example (`&quot;`) to `\"` (a single double quote), which is not correct.\n\nInstead, the decoding function should decode the ampersand last:\n\n\n```javascript\nmodule.exports.encode = function(s) {\n return s.replace(/&/g, \"&\")\n .replace(/\"/g, \""\")\n .replace(/'/g, \"'\");\n};\n\nmodule.exports.decode = function(s) {\n return s.replace(/"/g, \"\\\"\")\n .replace(/'/g, \"'\")\n .replace(/&/g, \"&\");\n};\n\n```\n\n## References\n* OWASP Top 10: [A1 Injection](https://www.owasp.org/index.php/Top_10-2017_A1-Injection).\n* npm: [html-entities](https://www.npmjs.com/package/html-entities) package.\n* npm: [js-string-escape](https://www.npmjs.com/package/js-string-escape) package.\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-20](https://cwe.mitre.org/data/definitions/20.html).\n"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n ampersand, the meta-character has to be escaped first to avoid double-escaping,\n and conversely it has to be unescaped last to avoid double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Incomplete multi-character sanitization\nSanitizing untrusted input is a common technique for preventing injection attacks and other security vulnerabilities. 
Regular expressions are often used to perform this sanitization. However, when the regular expression matches multiple consecutive characters, replacing it just once can result in the unsafe text reappearing in the sanitized input.\n\nAttackers can exploit this issue by crafting inputs that, when sanitized with an ineffective regular expression, still contain malicious code or content. This can lead to code execution, data exposure, or other vulnerabilities.\n\n\n## Recommendation\nTo prevent this issue, it is highly recommended to use a well-tested sanitization library whenever possible. These libraries are more likely to handle corner cases and ensure effective sanitization.\n\nIf a library is not an option, you can consider alternative strategies to fix the issue. For example, applying the regular expression replacement repeatedly until no more replacements can be performed, or rewriting the regular expression to match single characters instead of the entire unsafe text.\n\n\n## Example\nConsider the following JavaScript code that aims to remove all HTML comment start and end tags:\n\n```javascript\n\nstr.replace(/\n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site 
Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n","markdown":"# Client-side cross-site scripting\n\nReceiving text from the user, most notably through a control, and rendering it as HTML in another control can lead to a cross-site scripting vulnerability.\n\n## Recommendation\n\n### Preventing XSS Involving User Defined Control\n\nIf the XSS attack vector includes a user-defined control, then we can mitigate the issue by sanitizing the user-provided input in the implementation of the control:\n- Where possible, define the property type to something other than `string` or `any`. If a value should be used, then opt for the `enum` type which only allows a predefined set of strings.\n- Use escaping functions in `sap.base.security`. 
Relevant sanitizers include `encodeXML` and `encodeHTML`.\n- When using API with `apiVersion: 2` (Semantic Rendering), do not use `RenderManager.unsafeHtml` unless the control property `sanitizeContent` is set to `true`.\n- When using the now-deprecated older API with `RenderManager.write` or `RenderManager.writeAttribute`, use their respective counterparts `RenderManager.writeEscaped` and `RenderManager.writeAttributeEscaped` which sanitizes their rendered contents.\n\n### Preventing XSS Not Involving User Defined Control\n\nAn XSS attack vector can still exist even when no user-defined control is used. In this case, a model property or a control property act as an intermediate step when external data is passed in.\nIn this case, the UI5 application should not use the property as is, but should sanitize the contents before reading it. Such sanitization can take place in the controller or in the view declaration using expression bindings.\n\n## Example\n\n### Custom Control with Custom Rendering Method\n\nThis custom control `vulnerable.control.xss` calls `unsafeHtml` on a given `RenderManager` instance in its static renderer function. Since its `text` property is an unrestricted string type, it can point to a string with contents that can be interpreted as HTML. 
If it is the case, `unsafeHtml` will render the string, running a possibly embedded JavaScript code in it.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\"], function (Control) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"string\" } } },\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(oControl.getText()); // sink\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\nThis is the same custom control without the possibility of XSS using several means of sanitization: The property `text` is enforced to a non-string type, hence disallows unrestricted strings (This is espcially applicable if the expected input is a number anyways). Also, the `sap.base.security.encodeXML` function is used to escape HTML control characters.\n\n```javascript\nsap.ui.define([\"sap/ui/core/Control\", \"sap/base/security/encodeXML\"], function (Control, encodeXML) {\n return Control.extend(\"vulnerable.control.xss\", {\n metadata: { properties: { text: { type: \"int\" } } }, // constrain the type\n renderer: {\n apiVersion: 2,\n render: function (oRm, oControl) {\n oRm.openStart(\"div\", oControl);\n oRm.unsafeHtml(encodeXML(oControl.getText()); // encode using security functions\n oRm.close(\"div\");\n }\n }\n });\n})\n```\n\n### Library Control\n\nThis example contains only library controls that are not user-defined. 
The untrusted user input flows from `sap.m.Input` and directly flows out via `sap.ui.core.HTML` through the model property `input` as declared in the `onInit` method of the controller.\n\n``` xml\n\n \t \n \n\n```\n\n``` javascript\nsap.ui.define([\"sap/ui/core/mvc/Controller\", \"sap/ui/model/json/JSONModel\"],\n function (Controller, JSONModel) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function () {\n var oData = { input: null };\n var oModel = new JSONModel(oData);\n this.getView().setModel(oModel);\n },\n });\n },\n);\n```\n\nThe issue can be resolved by setting the `HTML` control's `sanitizeContent` attribute to true.\n\n``` xml\n\n \n \n\n```\n\n## References\n\n- OWASP: [DOM Based XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS).\n- SAP UI5 Documentation: [Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/91f0bd316f4d1014b6dd926db0e91070.html) in UI5.\n- SAP UI5 Documentation: [Prevention of Cross-site Scripting](https://sapui5.hana.ondemand.com/sdk/#/topic/4de64e2e191f4a7297d4fd2d1e233a2d.html) in UI5.\n- SAP UI5 Documentation: [API Documentation of sap.ui.core.RenderManager](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.RenderManager).\n- SAP UI5 Documentation: [Defining Control Properties](https://sapui5.hana.ondemand.com/sdk/#/topic/ac56d92162ed47ff858fdf1ce26c18c4.html).\n- SAP UI5 Documentation: [Expression Binding](https://sapui5.hana.ondemand.com/sdk/#/topic/daf6852a04b44d118963968a1239d2c0).\n- SAP UI5 API Reference: [`sap.ui.core.HTML`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.HTML%23methods/setSanitizeContent).\n- Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n- Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a UI5 View allows for\n a cross-site scripting 
vulnerability.","id":"js/ui5-xss","kind":"path-problem","name":"UI5 Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-path-injection","name":"js/ui5-path-injection","shortDescription":{"text":"UI5 Path Injection"},"fullDescription":{"text":"Constructing path from an uncontrolled remote source to be passed to a filesystem API allows for manipulation of the local filesystem."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n","markdown":"# Client-side path injection\n\nUI5 applications that access files using a dynamically configured path are vulnerable to injection attacks that allow an attacker to manipulate the file location.\n\n## Recommendation\n\n### Make path argument independent of the user input\n\nIf possible, do not parameterize the path on a user input. Either hardcode the path string in the source, or use only strings that are created within the application.\n\n### Keep an allow-list of safe paths\n\nKeep a strict allow-list of safe paths to load from or send requests to. Before loading a script from a location outside the application or making an API request to a location, check if the path is contained in the list of safe paths. Also, make sure that the allow-list is kept up to date.\n\n### Check the script into the repository or use package managers\n\nSince the URL of the script may be pointing to a web server vulnerable to being hijacked, it may be a good idea to check a stable version of the script into the repository to increase the degree of control. 
If not possible, use a trusted package manager such as `npm`.\n\n## Example\n\n### Including scripts from an untrusted domain\n\n``` javascript\nsap.ui.require([\n \"sap/ui/dom/includeScript\"\n ],\n function(includeScript) {\n includeScript(\"http://some.vulnerable.domain/some-script.js\");\n }\n);\n```\n\nIf the vulnerable domain is outside the organization and controlled by an untrusted third party, this may result in arbitrary code execution in the user's browser.\n\n### Using user input as a name of a file to be saved\n\nSuppose a controller is configured to receive a response from a server as follows.\n\n``` javascript\nsap.ui.define([\n \"sap/ui/core/mvc/Controller\",\n \"sap/ui/core/util/File\"\n ],\n function(Controller, File) {\n return Controller.extend(\"vulnerable.controller.app\", {\n onInit: function() {\n let oDataV2Model = this.getOwnerComponent().getModel(\"some-ODatav2-model\");\n this.getView().setModel(oDataV2Model);\n },\n \n onSomeEvent: function() {\n let remoteResponse = this.getView().getModel().getProperty(\"someProperty\");\n File.save(\"some-content\", remoteResponse, \"txt\", \"text/plain\", \"utf-8\");\n }\n });\n });\n```\n\nEven if the server which updates the OData V2 model is in a trusted domain such as within the organization, the server may still contain tainted information if the UI5 application in question is vulnerable to other security attacks, say XSS. 
This may allow an attacker to save a file in the victim's local filesystem.\n\n## References\n\n- Common Weakness Enumeration: [CWE-829](https://cwe.mitre.org/data/definitions/829.html).\n- Common Weakness Enumeration: [CWE-073](https://cwe.mitre.org/data/definitions/73.html).\n- SAP UI5 API Reference: [`sap.ui.core.util.File`](https://sapui5.hana.ondemand.com/sdk/#/api/sap.ui.core.util.File%23methods/sap.ui.core.util.File.save).\n- SAP UI5 API Reference: [`sap.ui.dom.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`sap.ui.dom.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeStylesheet).\n- SAP UI5 API Reference: [`jQuery.sap.includeScript`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript) and [`jQuery.sap.includeStyleSheet`](https://sapui5.hana.ondemand.com/sdk/#/api/module:sap/ui/dom/includeScript).\n"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-035"],"description":"Constructing path from an uncontrolled remote source to be passed\n to a filesystem API allows for manipulation of the local filesystem.","id":"js/ui5-path-injection","kind":"path-problem","name":"UI5 Path Injection","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/ui5-clickjacking","name":"js/ui5-clickjacking","shortDescription":{"text":"UI5 Clickjacking"},"fullDescription":{"text":"The absence of frame options allows for clickjacking."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n","markdown":"# Clickjacking\n\nUI5 applications that do not explicitly set the frame options to `deny` may be vulnerable to UI redress attacks (”clickjacking”). 
In these attacks, the vulnerable site is loaded in a frame on an attacker-controlled site which uses opaque or transparent layers to trick the user into unintentionally clicking a button or link on the vulnerable site.\n\n## Recommendation\n\nExplicitly set the frame options to `\"deny\"`, either through `window[\"sap-ui-config\"]`, or `data-sap-ui-frameOptions` attribute of the script tag where it sources the bootstrap script `\"sap-ui-core.js\"`:\n\n``` javascript\nwindow[\"sap-ui-config\"] = {\n frameOptions: \"deny\",\n ...\n};\n```\n\n``` javascript\nwindow[\"sap-ui-config\"].frameOptions = \"deny\";\n```\n\n``` html\n\n```\n\n## Example\n\n### Setting the Frame Options to `\"allow\"`\n\nThis UI5 application explicitly allows to be embedded in other applications.\n\n```javascript\n\n\n \n ...\n \n\n \n \n ...\n\n```\n\n### Not Setting the Frame Options to Anything\n\nThe default value of `window[\"sap-ui-config\"]` and `data-sap-ui-frameOptions` are both `\"allow\"`, which makes leaving it untouched allows the application to be embedded.\n\n## References\n* OWASP: [Clickjacking Defense Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html).\n* Mozilla: [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options).\n* SAP UI5 Documentation: [Frame Options](https://sapui5.hana.ondemand.com/sdk/#/topic/62d9c4d8f5ad49aa914624af9551beb7.html).\n* SAP UI5 Documentation: [Allowlist Service](https://sapui5.hana.ondemand.com/sdk/#/topic/d04a6d41480c4396af16b5d2b25509ec.html).\n* Common Weakness Enumeration: [CWE-451](https://cwe.mitre.org/data/definitions/451.html).\n"},"properties":{"tags":["security","external/cwe/cwe-451"],"description":"The absence of frame options allows for clickjacking.","id":"js/ui5-clickjacking","kind":"problem","name":"UI5 
Clickjacking","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/ui5-unsafe-log-access","name":"js/ui5-unsafe-log-access","shortDescription":{"text":"Access to user-controlled UI5 Logs"},"fullDescription":{"text":"Log entries from user-controlled sources should not be further processed."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. 
A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# Access to user-controlled UI5 Logs\n\nProcessing user-controlled log entries can lead to injection vulnerabilities, where an attacker can manipulate user input to affect the application excution.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where user-controlled log entries are accessed in a UI5 application. \n\n## Recommendation\n\nAvoid accessing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. 
A second component retrieves log entries to further process them.\n```javascript\nlet message = Log.getLogEntries()[0].message; //access to user controlled logs\ndo_smth(message);\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Log entries from user-controlled sources should not be further processed.","id":"js/ui5-unsafe-log-access","kind":"path-problem","name":"Access to user-controlled UI5 Logs","precision":"medium","problem.severity":"warning","security-severity":"5"}},{"id":"js/ui5-log-injection-to-http","name":"js/ui5-log-injection-to-http","shortDescription":{"text":"UI5 Log injection in outbound network request"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. 
Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n","markdown":"# UI5 Log injection in outbound network request\n\nSending user-controlled log data to a remote URL without further validation may lead to uncontrolled information exposure and to injection vulnerabilities. It may be an indication of malicious backdoor code that has been implanted into an otherwise trusted code base.\n\nUI5 applications can retrieve logs for further processing using `sap/base/Log.getLogEntries`, define custom listeners using `sap/base/Log.addLogListener` or directly display logs using the `sap/ui/vk/Notifications` control.\n\nThis query identifies instances where log entries from user input are forwarded to a remote URL. \n\n## Recommendation\n\nAvoid processing log entries that originate from user-controlled sources. Ensure that any log data is properly sanitized.\n\n## Example\n\nThe following example demonstrates a vulnerable code snippet:\n\n1. 
The UI5 application logs what the user submitted via the `sap.m.Input` control.\n```xml\n \n```\n```javascript\nvar input = oModel.getProperty(\"/input\");\njQuery.sap.log.debug(input); // user input is logged as is\n```\n2. A second component sends log entries to a remote URL without further validation.\n```javascript\nconst http = new XMLHttpRequest();\nconst url = \"https://some.remote.server/location\";\nhttp.open(\"POST\", url);\nhttp.send(Log.getLogEntries()[0].message); // log entry is forwarded to a remote URL\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP UI5 Documentation: [namespace `sap/base/Log`](https://sapui5.hana.ondemand.com/sdk/#api/module:sap/base/Log).\n"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"js/ui5-log-injection-to-http","kind":"path-problem","name":"UI5 Log injection in outbound network request","precision":"medium","problem.severity":"warning","security-severity":"6.5"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/ui5/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-ui5-models","semanticVersion":"0.6.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/","description":{"text":"The QL pack root 
directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}},{"name":"codeql/javascript-all","semanticVersion":"1.1.4+561abced2df2733191d9ca05dd3935c19c165bef","locations":[{"uri":"file:///opt/hostedtoolcache/CodeQL/2.18.4/x64/codeql/qlpacks/codeql/javascript-all/1.1.4/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///opt/hostedtoolcache/CodeQL/2.18.4/x64/codeql/qlpacks/codeql/javascript-all/1.1.4/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-cap-queries","semanticVersion":"0.3.0+95725b3c8b07ea95d444399881c59e00cebec5fe","rules":[{"id":"js/cap-sensitive-log","name":"js/cap-sensitive-log","shortDescription":{"text":"Insertion of sensitive information into log files"},"fullDescription":{"text":"Writing sensitive information to log files can allow that information to be leaked to an attacker more easily."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. 
Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n name : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n name @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n init() {\n LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations).","markdown":"# CAP Insertion of Sensitive Information into Log File\n\nIf sensitive information is written to a log entry using the CAP Node.js logging API, a malicious user may be able to gain access to user data.\n\nData annotated as `@PersonalData` should not be logged.\n\n## Recommendation\n\nCAP applications should not log sensitive information. 
Check CDS declarations for annotations before logging certain data types or fields.\n\n## Examples\n\nThis CAP service directly logs the sensitive information.\n\n```cds\nnamespace advanced_security.log_exposure.sample_entities;\n\nentity Sample {\n name : String(111);\n}\n\n// annotations for Data Privacy\nannotate Sample with\n@PersonalData : { DataSubjectRole : 'Sample', EntitySemantics : 'DataSubject' }\n{\n name @PersonalData.IsPotentiallySensitive;\n}\n```\n\n``` javascript\nimport cds from '@sap/cds'\nconst LOG = cds.log(\"logger\");\n\nconst { Sample } = cds.entities('advanced_security.log_exposure.sample_entities')\n\nclass SampleVulnService extends cds.ApplicationService {\n init() {\n LOG.info(\"Received: \", Sample.name); // CAP log exposure alert\n }\n}\n```\n\n## References\n\n- OWASP 2021: [Security Logging and Monitoring Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/).\n- OWASP: [Logging Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- OWASP: [User Privacy Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/User_Privacy_Protection_Cheat_Sheet.html).\n- SAP CAPire Documentation: [PersonalData Annotations](https://cap.cloud.sap/docs/guides/data-privacy/annotations)."},"properties":{"tags":["security","external/cwe/cwe-532"],"description":"Writing sensitive information to log files can allow that\n information to be leaked to an attacker more easily.","id":"js/cap-sensitive-log","kind":"path-problem","name":"Insertion of sensitive information into log files","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cap-non-prod-auth-strategy","name":"js/cap-non-prod-auth-strategy","shortDescription":{"text":"Non-production authentication strategy used"},"fullDescription":{"text":"Using non-production authentication strategies can lead to unwanted authentication behavior in 
production."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n },\n \"[deploy]\": {\n \"auth\": \"xsuaa\"\n }\n }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. 
Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n \"cds\": {\n \"requires\": {\n \"auth\": {\n \"kind\": \"basic\",\n \"users\": {\n \"JohnDoe\": {\n \"password\": \"JohnDoesPassword\",\n \"roles\": [\"JohnDoesRole\"],\n \"attr\": {}\n },\n \"JaneDoe\": {\n \"password\": \"JaneDoesPassword\",\n \"roles\": [\"JaneDoesRole\"],\n \"attr\": {}\n }\n }\n }\n }\n }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n","markdown":"# Non-Production Authentication Strategy Used without Profiles\n\nUsing a non-production authentication strategy without setting up a distinct profile for development may pose allow unintended authentication and/or authorization if the application is deployed into production.\n\n## Recommendation\n\n### Isolate the use of development-level strategies to a development profile\n\nUse separate profiles for development and deployment and select one as needed. In this way, properties including authentication strategies can be substituted by changing a single command line option: `--profile`. 
For example, having the following section in the application's `package.json` states that the `\"dummy\"` authentication strategy must be used while `\"xsuaa\"`, a production-grade strategy, should be used when deployed:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n },\n \"[deploy]\": {\n \"auth\": \"xsuaa\"\n }\n }\n}\n```\n\nThe application can be now run in different modes depending on the `--profile` command line option:\n\n``` shell\n$ cds serve --profile dev # Runs the application in development profile with strategy \"dummy\"\n$ cds serve --profile deploy # Runs the application in development profile with strategy \"xsuaa\"\n```\n\n## Example\n\nThe following CAP application states that it uses `\"basic\"` authentication strategy along with mocked credentials. Using the pair of username and password, an attacker can gain access to certain assets by signing in to the application.\n\n``` json\n{\n \"cds\": {\n \"requires\": {\n \"auth\": {\n \"kind\": \"basic\",\n \"users\": {\n \"JohnDoe\": {\n \"password\": \"JohnDoesPassword\",\n \"roles\": [\"JohnDoesRole\"],\n \"attr\": {}\n },\n \"JaneDoe\": {\n \"password\": \"JaneDoesPassword\",\n \"roles\": [\"JaneDoesRole\"],\n \"attr\": {}\n }\n }\n }\n }\n }\n}\n```\n\n## References\n\n- Common Weakness Enumeration: [CWE-288](https://cwe.mitre.org/data/definitions/288.html).\n- Common Weakness Enumeration: [CWE-798](https://cwe.mitre.org/data/definitions/798.html).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n"},"properties":{"tags":["security"],"description":"Using non-production authentication strategies can lead to unwanted authentication behavior in production.","id":"js/cap-non-prod-auth-strategy","kind":"problem","name":"Non-production authentication strategy 
used","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-default-user-is-privileged","name":"js/cap-default-user-is-privileged","shortDescription":{"text":"Default user is privileged"},"fullDescription":{"text":"Overriding the default user to the privileged user allows for authentication bypass."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n }\n }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. 
In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n","markdown":"# Default User is overwritten as privileged\n\nUsers that cannot be verified as authenticated are represented as `cds.User.default` internally. Setting this property to `cds.User.Privileged` may result in providing protected assets to unauthorized users.\n\n## Recommendation\n\n### Set up a development profile that uses non-production authentication\n\nOverwriting `cds.User.default` as `cds.User.Privileged` for testing purposes is not recommended as such code may easily slip through production.\n\nInstead, set up a development profile and opt in to use a non-production strategy such as `\"basic\"`, `\"dummy\"`, or `\"mocked\"` during its use. This can be done in the file `package.json` in the root folder of the CAP application:\n\n``` json\n{\n \"requires\": {\n \"[dev]\": {\n \"auth\": \"dummy\"\n }\n }\n}\n```\n\nSetting `\"dummy\"` as the development authentication strategy has the effect of disabling `@requires` and `@restrict` annotations of CDS definitions that provides authorization. 
The application during development then can be run and tested with the `--profile dev` option.\n\n```shell\ncds serve --profile dev\n```\n\n## Example\n\nSetting `cds.User.default` to `cds.User.Privileged` may happen anywhere in the application. In the following example, the `server.js` file provides the top-level definition of a CAP application and overwrites the `default` user property with the `Privileged` class.\n\n``` javascript\nconst cds = require(\"@sap/cds\");\nconst app = require(\"express\")();\n\n/*\n * Antipattern: `cds.User.default` is overwritten to `cds.User.Privileged`\n */\ncds.User.default = cdsUser.Privileged;\n\ncds.serve(\"all\").in(app);\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.default](https://cap.cloud.sap/docs/node.js/authentication#default-user).\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [Authentication Strategies](https://cap.cloud.sap/docs/node.js/authentication#strategies).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n"},"properties":{"tags":["security"],"description":"Overriding the default user to the privileged user allows for authentication bypass.","id":"js/cap-default-user-is-privileged","kind":"problem","name":"Default user is privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-unnecessarily-granted-privileged-access-rights","name":"js/cap-unnecessarily-granted-privileged-access-rights","shortDescription":{"text":"Access rights to an entity is unnecessarily elevated to privileged"},"fullDescription":{"text":"An entity requiring authorization is being accessed with privileged rights."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires 
authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n const Service2 = await cds.connect.to(\"Service2\");\n const { Service2Entity } = Service2.entities;\n return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n tx.run(\n SELECT.from(Service2Entity) // Declared in service2.cds\n .where`Attribute4=${req.data.messageToPass}`,\n ),\n );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n /* Read access only to users with access level greater than 2. 
*/\n @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n entity Service2Entity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n","markdown":"# Access rights to an entity is unnecessarily elevated to privileged\n\nThe privileged user `cds.User.Privileged` is used to access an entity that requires authorization. If the application does not verify the actual user rights, it may expose protected entities to unauthorized users.\n\nThis is especially important when the accessed entity belongs to a remote service. By default, when using a production-grade authentication strategy all CAP endpoints are authenticated. However, if the entity is outside the application, there is no guarantee that the user is authenticated in the remote service.\n\n## Recommendations\n\n### Avoid using `cds.User.Privileged` when accessing an access-controlled entity\n\nAny entity that requires authorization should be accessed within the context of the authenticated user. When using a transaction, prefer using `cds.User` as the `user` attribute of the option argument to the call of `cds.ApplicationService.tx()` in order to check the required access rights of the entity against that of the user.\n\n## Examples\n\nThe following service, named Service1 and implemented in the file service1.js, is accessing an entity that belongs to another service named Service2 and defined in the file service2.cds. 
The entity, Service2Entity, demands that the user have level greater than 2.\n\n### `service1.js`\n\n``` javascript\nthis.on(\"action1\", async (req) => {\n const Service2 = await cds.connect.to(\"Service2\");\n const { Service2Entity } = Service2.entities;\n return this.tx({ user: new cds.User.Privileged(\"\") }, (tx) =>\n tx.run(\n SELECT.from(Service2Entity) // Declared in service2.cds\n .where`Attribute4=${req.data.messageToPass}`,\n ),\n );\n});\n```\n\n### `service2.cds`\n\n``` cds\nservice Service2 @(path: 'service-2') {\n /* Read access only to users with access level greater than 2. */\n @(restrict: [ { grant: 'READ', to: '$user.level > 2' } ])\n entity Service2Entity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [cds.User.Privileged](https://cap.cloud.sap/docs/node.js/authentication#privileged-user).\n- SAP CAPire Documentation: [cds.tx()](https://cap.cloud.sap/docs/node.js/cds-tx#srv-tx-ctx).\n- Common Weakness Enumeration: [CWE-250](https://cwe.mitre.org/data/definitions/250.html).\n- Common Weakness Enumeration: [CWE-266](https://cwe.mitre.org/data/definitions/266.html).\n"},"properties":{"tags":["security"],"description":"An entity requiring authorization is being accessed with privileged rights.","id":"js/cap-unnecessarily-granted-privileged-access-rights","kind":"problem","name":"Access rights to an entity is unnecessarily elevated to privileged","precision":"high","problem.severity":"error","security-severity":"6"}},{"id":"js/cap-entity-exposed-without-authentication","name":"js/cap-entity-exposed-without-authentication","shortDescription":{"text":"Entity exposed without authentication"},"fullDescription":{"text":"Entities exposed to external protocols should require an CDS-based or JS-based access control."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level 
authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. 
For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n /* Do something */\n } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n init() {\n this.on(\"READ\", \"SomeService\", (req) => { })\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire 
Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# CAP Definitions Exposed without Access Controls\n\nAlthough using a production-level authentication strategy such as `jwt` ensures that all entities and services require the user to be authenticated, this does not guarantee any further authorization. Furthermore, the lack of required authentication or authorization may imply a gap in the design of the system.\n\n## Recommendation\n\n### Use CDS-based authorization\n\nCDL provides two annotations to declare access controls `@requires` and `@restrict` with the latter providing more granularity than the former. For example, to check if a request is being made by an authenticated user to the CDL entity or service, annotate it with `@requires: 'authenticated-user'`. On the other hand, if it needs to be read only via a certain group of users where the user has level greater than 2, use `@restrict: { grant: 'READ', to: 'SomeUser', where: { $user.level > 2 } }` (note the leading `$`).\n\n#### Check the original CDS entity it is derived from\n\nCDS entities may be derived from other entities by means of selection and projection. Derived definitions inherit access control conditions and optionally override them. 
In order to accurately determine what authorization an entity requires, the access control of the parent entity should be transitively inspected.\n\n### Enforce authorization with JavaScript\n\nAccess control may be enforced when a request handler for the relevant entity or service is registered. Both `cds.Service.before` and `cds.Service.on` may be used for enforcement. For example, to restrict writing to and updating an entity to a user satisfying certain requirements, either one of the below handler registrations may be used:\n\n``` javascript\n/**\n * Before serving a request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.before([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n (req.user.is(\"SomeRole\") && req.user.attr.level > 3) || req.reject(403);\n});\n\n/**\n * On request to access SomeEntity, check if the request is coming from a user\n * with SomeRole and level greater than 3.\n */\nthis.on([\"WRITE\", \"UPDATE\"], \"SomeEntity\", (req) => {\n if (req.user.is(\"SomeRole\") && req.user.attr.level > 3) {\n /* Do something */\n } else req.reject(403);\n});\n```\n\n## Examples\n\nThe following CDS definition and its JavaScript implementation imposes no authorization on `SomeEntity`. 
Note that the `OriginalEntity` from which `DerivedEntity` derives from does not control the access either.\n\n### db/schema.cds\n\n``` cap-cds\nnamespace sample_namespace.sample_entities;\n\nentity OriginalEntity {\n Attribute1 : String(100);\n Attribute2 : String(100)\n}\n```\n\n### srv/service1.cds\n\n``` cap-cds\nusing { sample_namespace.sample_entities as db_schema } from '../db/schema';\n\nservice SomeService {\n entity DerivedEntity as projection on db_schema.OriginalEntity excluding { Attribute2 }\n}\n```\n\n### srv/service1.js\n\n``` javascript\n\nconst cds = require(\"@sap/cds\");\n\nmodule.exports = class Service1 extends cds.ApplicationService {\n init() {\n this.on(\"READ\", \"SomeService\", (req) => { })\n }\n}\n```\n\n## References\n\n- SAP CAPire Documentation: [Authorization Enforcement](https://cap.cloud.sap/docs/node.js/authentication#enforcement).\n- SAP CAPire Documentation: [@restrict](https://cap.cloud.sap/docs/guides/security/authorization#restrict-annotation).\n- SAP CAPire Documentation:\n[@requires](https://cap.cloud.sap/docs/guides/security/authorization#requires).\n- SAP CAPire Documentation: [Protecting Certain Entries](https://cap.cloud.sap/docs/cds/common#protecting-certain-entries).\n- SAP CAPire Documentation: [Inheritance of Restrictions](https://cap.cloud.sap/docs/guides/security/authorization#inheritance-of-restrictions).\n- SAP CAPire Documentation: [Authentication Enforced in Production](https://cap.cloud.sap/docs/node.js/authentication#authentication-enforced-in-production).\n- Common Weakness Enumeration: [CWE-862](https://cwe.mitre.org/data/definitions/862.html).\n- Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security"],"description":"Entities exposed to external protocols should require an\n CDS-based or JS-based access control.","id":"js/cap-entity-exposed-without-authentication","kind":"problem","name":"Entity exposed without 
authentication","precision":"high","problem.severity":"warning","security-severity":"6"}},{"id":"js/cap-sql-injection","name":"js/cap-sql-injection","shortDescription":{"text":"CQL query built from user-controlled sources"},"fullDescription":{"text":"Building a CQL query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CQL query built from user-controlled sources\n\nIf a database query is built from user-provided data without sufficient sanitization, a malicious user may be able to run malicious database queries.\n\n## Recommendation\n\nCAP's intrinsic data querying engine is immune with regards to SQL injections that are introduced by query parameter values that are derived from malicious user input. CQL statements are transformed into prepared statements that are executed in SQL databases such as SAP HANA. \nInjections are still possible even via CQL when the query structure (e.g. target entity, columns etc.) 
is based on user input.\n\n## Examples\n\nThis CAP application uses user submitted input as entity and column in a CQL query without any validation.\n\n``` javascript\nconst entity = \nconst column = \nSELECT.from(entity).columns(column)\n```\n\n## References\n\n- OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injectionn).\n- OWASP: [SQL Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building a CQL query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/cap-sql-injection","kind":"path-problem","name":"CQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/cap-log-injection","name":"js/cap-log-injection","shortDescription":{"text":"CAP Log injection"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n","markdown":"# CAP Log Injection\n\nIf unsanitized user input is written to a log entry using the CAP Node.js logging API, a malicious user may be able to forge new log entries.\n\nCAP Node.js offers a CLRF-safe logging API that should be used for application log entries that are logged as plaintext. If the entry is interpreted as HTML, then arbitrary HTML code my be included to forge log entries.\n\n## Recommendation\n\nCAP applications need to care for escaping user data that is used as input parameter for application logging. 
It's recommended to make use of an existing Encoder such as OWASP ESAPI.\n\n## Examples\n\nThis CAP service directly logs what the user submitted via the `req` request.\n\n``` javascript\nimport cds from '@sap/cds'\nconst { Books } = cds.entities ('sap.capire.bookshop')\n\nclass SampleVulnService extends cds.ApplicationService { init(){\n this.on ('submitOrder', async req => {\n const {book,quantity} = req.data\n const LOG = cds.log(\"nodejs\");\n LOG.info(\"test\" + book); // Log injection alert\n })\n\n return super.init()\n}}\n```\n\n## References\n\n- OWASP: [Log Injection](https://owasp.org/www-community/attacks/Log_Injection).\n- OWASP: [Log Injection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html).\n- SAP CAPire Documentation: [Security Aspects](https://cap.cloud.sap/docs/guides/security/aspects#common-injection-attacks).\n"},"properties":{"tags":["security"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"js/cap-log-injection","kind":"path-problem","name":"CAP Log injection","precision":"medium","problem.severity":"error","security-severity":"6.1"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-queries","semanticVersion":"0.1.0+95725b3c8b07ea95d444399881c59e00cebec5fe","rules":[{"id":"js/xsjs-disabled-csrf-protection","name":"js/xsjs-disabled-csrf-protection","shortDescription":{"text":"Disabled XSJS CSRF protection"},"fullDescription":{"text":"Disabling CSRF protection makes the application vulnerable to a 
Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Disabled XSJS CSRF protection\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. \n- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. \n- In `XS Classic` CSRF protection should be enabled explicitly. \n\n## Example\n\nThe following `xs-app.json` fragment enables CSRF protection in XSJS.\n\n```json\n\"routes\": [\n {\n \"source\": \"/bad/(.*)\",\n \"destination\": \"srv_api\",\n \"csrfProtection\": true,\n ...\n }\n]\n ...\n }\n]\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n","markdown":"# Disabled XSJS CSRF protection\n\nA web server that receives a request from a client without verifying that it was intentionally sent might be vulnerable to Cross Site Request Forgery (CSRF). An attacker can trick a client into making an unintended request to the web server that will be treated as an authentic request. This can be done via a URL, image load, XMLHttpRequest, etc. 
and can result in exposure of data or unintended code execution.\n\n## Recommendation\n\nSAP’s recommendation is to use CSRF protection for any request that could be processed by a browser client by normal users. \n- In `XS Advanced` CSRF protection is enabled by default and should not be disabled. \n- In `XS Classic` CSRF protection should be enabled explicitly. \n\n## Example\n\nThe following `xs-app.json` fragment enables CSRF protection in XSJS.\n\n```json\n\"routes\": [\n {\n \"source\": \"/bad/(.*)\",\n \"destination\": \"srv_api\",\n \"csrfProtection\": true,\n ...\n }\n]\n ...\n }\n]\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/e8a6bc904c0c48a182288604f467e84a.html).\n* OWASP: [Cross-Site Request Forgery (CSRF)](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)).\n* Common Weakness Enumeration: [CWE-352](https://cwe.mitre.org/data/definitions/352.html).\n"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling CSRF protection makes the application vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"js/xsjs-disabled-csrf-protection","kind":"problem","name":"Disabled XSJS CSRF protection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/xsjs-zip-slip","name":"js/xsjs-zip-slip","shortDescription":{"text":"XSJS Zip Slip"},"fullDescription":{"text":"Saving an entry of a zip archive into a file with its stated path allows for a path traversal and writing to an arbitrary location."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. 
Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. 
If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n if (targetFilePath.indexOf(targetFolderName) === 0) {\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = targetFolderName + \"/\" + entryPath;\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n","markdown":"# Zip Slip\n\nA zip archive received from a remote location may contain arbitrary paths which, when translated to an absolute path, may escape the directory where it is extracted. 
Such paths may include one or more `../` to traverse the directory tree upwards to write to an arbitrary location, such as the root directory (`/`) or a sensitive path like `/usr/local/`. A sophisticated attack may also attempt to overwrite an existing file by making the filename identical as that of the target file.\n\n## Recommendation\n\nValidate the path of each zip entry before writing them to a file. Several different tactics may be used to prevent the path traversal by one or more of `../` occuring in a zip entry's path.\n\n### Check if the path string contains `../`\n\nA naive but effective way to validate the path of a zip entry is to check if its path, converted to string, contains any occurrences of `../`. If a path does have one, then it can be suspected that the creator of the zip archive is attempting a path traversal attack.\n\n### Resolve the path and check if the target directory is its prefix \n\nA more sophisticated way is to use a JavaScript library function that can be used to check if a substring is a prefix of a string. For example, the following XSJS application uses `String.indexOf(substring)` to check if the name of the directory is indeed the directory resolved by `path.join(prefix, suffix)`. 
If the absolute path obtained by the `join` function does not start with the target folder's name, the `entryPath` contains bits such as `../` that traverses the path.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = require(\"path\").join(targetFolderName, entryPath)\n if (targetFilePath.indexOf(targetFolderName) === 0) {\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n }\n}\n```\n\n### Example\n\nThis XSJS application simply appends the path of each entry to a target directory name and a separator then saves it to a file with the concatenated path, thereby skipping any validation on it.\n\n``` javascript\nvar zipArchive = new $.util.Zip(requestBody.asArrayBuffer());\nvar targetFolderName = \"unzipped\";\n\nfor (var entryPath in zipArchive) {\n var targetFilePath = targetFolderName + \"/\" + entryPath;\n require(\"fs\").createWriteStream(targetFilePath).write(zip[entryPath]);\n}\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* OWASP: [Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal).\n* SAP XSJS Documentation: [$.util.Zip](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.util.Zip.html).\n* Common Weakness Enumeration: [CWE-23](https://cwe.mitre.org/data/definitions/23.html).\n* Common Weakness Enumeration: [CWE-59](https://cwe.mitre.org/data/definitions/59.html).\n"},"properties":{"tags":["security"],"description":"Saving an entry of a zip archive into a file with its stated path\n allows for a path traversal and writing to an arbitrary location.","id":"js/xsjs-zip-slip","kind":"path-problem","name":"XSJS Zip 
Slip","precision":"medium","problem.severity":"error","security-severity":"7.5"}},{"id":"js/xsjs-reflected-xss","name":"js/xsjs-reflected-xss","shortDescription":{"text":"XSJS Reflected XSS"},"fullDescription":{"text":"Including uncontrolled value into a response body and setting it to a scriptable MIME type allows for cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as ``. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. 
If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"
\" + clientData + \"
\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n","markdown":"# Reflected Cross-site Scripting\n\nIncluding a text, received from a client browser typically through an XSJS request parameter, to be rendered as HTML in a request body may execute arbitrary JavaScript code on the client.\n\n## Recommendation\n\nThe XSJS application should always validate or sanitize the submitted string from a client before including it into a response body to be rendered in a client browser.\n\n### Validate the input string\n\nValidate the submitted input by looking for a sensitive HTML tag such as ``. The pattern may be encoded to a regular expression and matched against the input; If there is a match, then the XSJS application may decide to abort the process and instead return an HTTP code stating that the application rejected the request (e.g. `$.net.FORBIDDEN`). XSJS does not provide a function to reliably perform the above, therefore using a third-party library is recommended.\n\n### Sanitize the input string\n\n#### Server-side sanitization\n\nThe XSJS application may instead allow any user input, but sanitize it before it integrates it into the response body. 
This is achieved by escaping special characters that are treated as part of the HTML syntax, such as `\"`, `&`, `'`, `<`, and `>`. Since XSJS does not provide a function to escape these, using a third-party library is recommended.\n\n#### Client-side sanitization\n\nAlternatively, if SAP UI5 is used on the frontend, there are client-side escaping mechanisms such as `sap.base.security.encodeXML` and `sap.base.security.encodeHTML`. If `sap.ui.core.HTML` is used in the frontend view, consider setting its `sanitizeContent` property explicitly to `true`, since its default value is `false`.\n\n## Example\n\nThe following XSJS application sets the response body directly to a string received from a user without any validation or sanitization. The header's content type is set as an HTML document, which allows for any embedded JavaScript to be run in the request body. Note that even if `clientData` was not enclosed in a `div`, the vulnerability would still exist.\n\n``` javascript\nlet clientData = requestParameters.get(\"someParameter\");\n$.response.contentType = \"text/html\";\n$.response.setBody(\"
\" + clientData + \"
\");\n$.response.status = $.net.http.OK;\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Cross-Site Scripting\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/0e1c9fff826a4583be715386578fffc7.html).\n* OWASP: [Types of Cross-site Scripting](https://owasp.org/www-community/Types_of_Cross-Site_Scripting).\n* OWASP: [Cross Site Scripting Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n\n"},"properties":{"tags":["security"],"description":"Including uncontrolled value into a response body and setting it to\n a scriptable MIME type allows for cross-site scripting vulnerability.","id":"js/xsjs-reflected-xss","kind":"path-problem","name":"XSJS Reflected XSS","precision":"medium","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xsjs-broken-authentication","name":"js/xsjs-broken-authentication","shortDescription":{"text":"Broken XSJS authentication"},"fullDescription":{"text":"Disabling XSJS authentication makes the application vulnerable to unauthorized access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"help":{"text":"# Broken XSJS authentication\n\nIf you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. 
Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies). \n- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. \n- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.\n\n## Example\n\nThe following `xs-app.json` fragment shows disabled XSJS authentication.\n\n```json\n{\n \"welcomeFile\": \"index.html\",\n \"authenticationMethod\": \"none\",\n ...\n} \n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)\n* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)\n* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n","markdown":"# Broken XSJS authentication\n\nIf you choose to use server-side JavaScript to write your application code, you need to bear in mind the potential for (and risk of) attack against authentication infrastructure. 
Leaks or flaws in the authentication or session management functions allow attackers to impersonate users and gain access to unauthorized systems and data.\n\n## Recommendation\n\nUse the built-in SAP HANA XS authentication mechanism and session management (cookies). \n- In `XS Advanced` authentication is enabled by default, the `authenticationMethod` property indicates which authentication will be applied. If set to `none` than all routes are not protected. \n- In `XS Classic` use the `authentication` keyword in the application's `.xsaccess` file to enable authentication and set it according to the method you want implement (`LogonTicket`, `Form`, or `Basic`) to ensure that all objects in the application path are available only to authenticated users.\n\n## Example\n\nThe following `xs-app.json` fragment shows disabled XSJS authentication.\n\n```json\n{\n \"welcomeFile\": \"index.html\",\n \"authenticationMethod\": \"none\",\n ...\n} \n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/2040c1b7e478448cb9904c55ac06cac8.html).\n* XS Advanced: [Application Router Configuration](https://help.sap.com/docs/SAP_HANA_PLATFORM/4505d0bdaf4948449b7f7379d24d0f0d/5f77e58ec01b46f6b64ee1e2afe3ead7.html#authenticationmethod)\n* XS Classic: [Authentication](https://help.sap.com/docs/SAP_HANA_PLATFORM/b3d0daf2a98e49ada00bf31b7ca7a42e/a9fc5c220d744180850996e2f5d34d6c.html?version=2.0.03&locale=en-US#authentication)\n* Common Weakness Enumeration: [CWE-306](https://cwe.mitre.org/data/definitions/306.html).\n"},"properties":{"tags":["security","external/cwe/cwe-306"],"description":"Disabling XSJS authentication makes the application vulnerable to unauthorized access.","id":"js/xsjs-broken-authentication","kind":"problem","name":"Broken XSJS 
authentication","precision":"medium","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/xsjs-url-redirect","name":"js/xsjs-url-redirect","shortDescription":{"text":"XSJS URL Redirect"},"fullDescription":{"text":"Setting the `location` response header to an uncontrolled value allows for redirection to an arbitrary URL."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. 
This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n","markdown":"# URL Redirect\n\nAn HTTP response sent by an XSJS server whose value of the `location` header is dependent on a user input can redirect the client to an arbitrary location on the web by a malicious actor. 
For example, the redirected URL may point to a carefully imitated webpage of a genuine one, thus may lure a victim to submit its sign-in credentials.\n\n## Recommendation\n\nAvoid setting the entirety of URL or the domain part of it, which is obtained in any way from an external user, to the `location` header value, to keep redirection within the organization's domain. The URL to redirect the user to may be safely restricted by following one or more of the below strategies.\n\n### Redirect to a URL from an internal allow-list\n\nSelect the URL from a predefined allow-list that is kept internal. It may be shared across organizations, but should be kept confidential to any external actors.\n\n### Hardcode the domain part of the URL\n\nIf the URL to redirect the user to needs to be dependent upon a remote value, consider parameterizing only the request parameter portion and hardcode the rest of it, including the domain part. This way the redirection is kept within the organization.\n\n### Use a server-side template engine\n\nThere can be a single URL to which all redirection of the same type can happen where the redirected page can be customized to the customer with the help from a template engine. The details of the page can be filled from the server-side, not the client side through a request parameter. 
This way the URL does not need to be parameterized in any way while also filling the need for a customized redirect page.\n\n## Example\n\nThe following XSJS application sets the entire value of the location of its response to some URL retrieved from a request parameter.\n\n``` javascript\nlet someParameterValue = requestParameters.get(\"someParameter\");\n$.response.status = $.net.http.OK;\n$.response.headers.set(\"location\", someParameterValue);\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Invalid Redirection](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/8c5ec75c27f543cb8b4c65c337b285ae.html).\n* Mozilla: [Location](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location).\n* OWASP: [XSS Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html).\n* Common Weakness Enumeration: [CWE-79](https://cwe.mitre.org/data/definitions/79.html).\n* Common Weakness Enumeration: [CWE-116](https://cwe.mitre.org/data/definitions/116.html).\n* Common Weakness Enumeration: [CWE-601](https://cwe.mitre.org/data/definitions/601.html).\n* SAP XSJS Documentation: [$.web.WebRequest](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebRequest.html).\n* SAP XSJS Documentation: [$.web.WebResponse](https://help.sap.com/doc/3de842783af24336b6305a3c0223a369/2.0.03/en-US/$.web.WebResponse.html).\n"},"properties":{"tags":["security"],"description":"Setting the `location` response header to an uncontrolled value\n allows for redirection to an arbitrary URL.","id":"js/xsjs-url-redirect","kind":"path-problem","name":"XSJS URL 
Redirect","precision":"medium","problem.severity":"error","security-severity":"6.1"}},{"id":"js/xsjs-sql-injection","name":"js/xsjs-sql-injection","shortDescription":{"text":"XSJS SQL injection"},"fullDescription":{"text":"Directly concatenating an uncontrolled value with an SQL query allows for an SQL injection vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"help":{"text":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) 
(COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = 
$.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n","markdown":"# SQL Injection\n\nParameterizing an SQL statement in an unsafe way by directly concatenating the parameter to the statement body may allow arbitrary SQL code fragments to be included to the statement, resulting in possibly destructive behavior.\n\n## Recommendation\n\n### Use XSJS APIs that prepares SQL statements\n\nThere are two versions of API to communicate with SAP HANA, and both APIs provide means of preparing SQL statements that not only facilitates code reuse but also protects the parameterize statement from SQL injections.\n\nThese functions take as first argument an SQL string with placeholders represented as a question mark surrounded with parentheses (`(?)`), and the rest of the arguments consist of JavaScript expressions whose values are filled into the position of the respective placeholders.\n\n#### Using the older API (`$.db`)\n\nIf you are using the older API that belongs to `$.db`, consider replacing string concatentation with `$.db.executeQuery`. For example, the following XSJS application substitutes the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively.\n\n``` javascript\nlet query = \"INSERT INTO (?) 
(COL1) VALUES (?)\";\n\nlet dbConnection = $.db.getConnection();\ndbConnection.executeQuery(query, someParameterValue1, someParameterValue2);\n```\n\n#### Using the newer API (`$.hdb`)\n\nIf you are using the newer API that belongs to `$.hdb`, consider replacing string concatentation with `$.hdb.Connection.prepareStatement` followed by `$.db.PreparedStatement.executeUpdate`. For example, the following XSJS application substitues the value of `someParameterValue1` and `someParameterValue2` into the position of the first and second placeholder positions, respectively. After preparation, the application executes the prepared statement and then commits it to the SAP HANA database.\n\n``` javascript\nlet query = \"INSERT INTO (?) (COL1) VALUES (?)\";\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query, someParameterValue1, someParameterValue2);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n## Example\n\nEach of the following XSJS applications directly concatenates the values of two request paremeters with fragments of an SQL query and executes it.\n\n#### Using the older API (`$.db`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \".ENTITY (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = $.db.getConnection();\nlet preparedStatement = dbConnection.prepareStatement(query);\npreparedStatement.executeUpdate();\ndbConnection.commit();\n```\n\n#### Using the newer API (`$.hdb`)\n\n``` javascript\nlet someParameterValue1 = JSON.parse(requestParameters.get(\"someParameter1\"));\nlet someParameterValue2 = JSON.parse(requestParameters.get(\"someParameter2\"));\nlet query = \"INSERT INTO \" + someParameterValue1 + \" (COL1) VALUES (\" + someParameterValue2 + \")\";\n\nlet dbConnection = 
$.db.getConnection();\ndbConnection.executeQuery(query);\ndbConnection.commit();\n```\n\n## References\n\n* SAP: [Server-Side JavaScript Security Considerations](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/b5e65421b48c48fa87312a6023f4c414.html).\n* SAP: [Server-Side JavaScript: Injection Flaws\n](https://help.sap.com/docs/SAP_HANA_PLATFORM/d89d4595fae647eabc14002c0340a999/3e9a0491d2af4b908081fbbee12bc8ba.html).\n* OWASP: [SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).\n* Common Weakness Enumeration: [CWE-89](https://cwe.mitre.org/data/definitions/89.html).\n* Common Weakness Enumeration: [CWE-943](https://cwe.mitre.org/data/definitions/943.html).\n"},"properties":{"tags":["security"],"description":"Directly concatenating an uncontrolled value with an SQL query allows\n for an SQL injection vulnerability.","id":"js/xsjs-sql-injection","kind":"path-problem","name":"XSJS SQL injection","precision":"medium","problem.severity":"error","security-severity":"8.8"}}],"locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/xsjs/src/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"advanced-security/javascript-sap-xsjs-models","semanticVersion":"0.1.0","locations":[{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///home/runner/work/codeql-sap-js/codeql-sap-js/.github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}],"properties":{"isCodeQLModelPack":true}}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":13},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds with error Error: Expected u found 
a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected 
token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds with error Error: Unexpected 
token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in 
/home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47},"region":{"startLine":1,"endColumn":2}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds with error Error: Unexpected token"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48},"region":{"startLine":1,"startColumn":2,"endColumn":3}}}],"message":{"text":"Extraction failed in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"},"level":"error","descriptor":{"id":"js/diagnostics/extraction-errors","index":0,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":"Extraction failed 
in /home/runner/work/codeql-sap-js/codeql-sap-js/javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds with error Error: Expected u found a"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"a
rtifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id
":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":65}}}],"message":{"text":""},"level":"none","descriptor":{"id
":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":66}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":67}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":68}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":69}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":70}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/
bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":71}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":73}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLoc
ation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":75}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds.json","uriBaseId":"%SRCROOT%","index":77}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCompon
ent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":79}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":80}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":82}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json","uriBa
seId":"%SRCROOT%","index":84}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":86}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/quer
ies/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":87}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":89}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"format
tedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":91}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":92}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":94}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":96}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%S
RCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":98}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":100}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-
privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":101}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":103}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/tes
t/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":105}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":106}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"p
hysicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":108}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":109}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":112}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":114}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-
authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":116}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocati
on":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":119}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":121}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":
""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":122}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{
"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":126}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":128}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCo
mponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":130}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extr
acted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":133}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":135}}}],"message":{"text":""},"level":"none","descriptor
":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":137}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfu
lly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":138}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":140}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted
-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":142}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":144}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","inde
x":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":145}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"t
oolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":148}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":149}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":151}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted
-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":152}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":154}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-
files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":156}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":158}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfu
lly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":160}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":161}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successful
ly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":163}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":165}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/su
ccessfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":166}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":168}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","in
dex":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":170}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds.json","uriBaseId":"%SRCROOT%","index":171}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedM
essage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":174}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":175}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":176}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":177}}}],"message":{"text":""},"level":"none","descriptor":{"
id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":178}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.html","uriBaseId":"%SRCROOT%","index":180}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.json","uriBaseId":"%SRCROOT%","index":181}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.xml","uriBaseId":"%SRCR
OOT%","index":183}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":185}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":186}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":187}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":188}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formatt
edMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":189}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":190}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":191}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":192}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":193}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194}}}],"me
ssage":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":196}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":197}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":198}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":199}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/suc
cessfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":200}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":201}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":204}}}],"message":{"text"
:""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":206}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":208}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%
","index":209}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":210}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":213}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBa
seId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":215}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":217}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":218}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":
219}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":220}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":223}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224}}}],"messa
ge":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":225}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":226}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":227}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""}
,"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":230}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":232}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","
index":233}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":234}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":235}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":236}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"
text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":239}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":241}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":242}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":243}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":244}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":245}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":247}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor
":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":249}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":251}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":252}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":253}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extrac
ted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":255}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":258}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1
,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":261}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":262}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"prop
erties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":265}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":267}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":268}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physic
alLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":269}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":270}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":272}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations
":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":274}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":276}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":278}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text
":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":279}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":280}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":283}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locatio
ns":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":285}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":287}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":288}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"ur
i":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":289}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":291}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":293}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathI
njection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":295}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":296}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":297}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":298}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diag
nostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":303}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{
"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":304}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalL
ocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":310}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":313}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocatio
n":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":317}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/
UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":320}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":321}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":322}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":323}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level
":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":326}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":328}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","inde
x":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":330}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":331}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":332}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"
physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":335}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":337}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":339}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss
-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":340}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":341}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":344}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}}}],"messag
e":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":346}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":348}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":349}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":350}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostic
s/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":353}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":355}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successful
ly-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":356}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":357}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":358}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":359}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"
formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":362}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":364}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":365}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physic
alLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":366}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":367}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":368}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":370}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uri
BaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":372}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":374}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":375}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":376}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","i
ndex":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":378}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":380}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocati
on":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":382}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":383}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":384}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":386}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBa
seId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":388}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":390}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":391}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":392}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfull
y-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":394}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":396}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":397}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"format
tedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":398}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":399}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":400}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":402}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"ja
vascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":405}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":407}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":408
}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":409}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":411}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":413}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}}
,"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":415}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":416}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":417}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewor
ks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":422}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%
SRCROOT%","index":424}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":426}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":427}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":428}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolCo
mponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":430}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":432}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":434}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5
/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":435}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":436}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":438}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":440}}}],"message":{"text":""},"level":"none","descriptor":{"id":
"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":442}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":443}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":444}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"
text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":448}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":450}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewo
rks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":452}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":453}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":454}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","u
riBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":458}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":460}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461}}}],"message":{"text
":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":462}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":463}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":465}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":466}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties
":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":468}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":470}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":471}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":472}}}],"message":{"text":"
"},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":473}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":474}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":475}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":477}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framework
s/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":478}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diag
nostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":485}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBaseId":"%SRCROOT%","index":486}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":487}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":488}}}],"message":{"text":""},"level":"none","descriptor":{"id":"j
s/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/qlpack.yml","uriBaseId":"%SRCROOT%","index":489}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1,"toolComponent":{"index":1}},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/f
ormula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}}}],"message":{"text":""},"level":"none","descriptor":{"id"
:"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui
5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}}}],"message":{"text":""},"level":"none","descriptor"
:{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":120}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Pat
hInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}}}],"message":{"text":""},"level":"none","desc
riptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"java
script/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}}}],"message":{"text":""},"level
":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%","index":182}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/querie
s/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":97}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-fi
les/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller
/app.controller.js","uriBaseId":"%SRCROOT%","index":377}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":
0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-aut
hz/server.js","uriBaseId":"%SRCROOT%","index":72}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId":"%SRCROOT%","index":143}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"t
ext":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":387}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index"
:385}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/tes
t/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}}}],"message":{"text":""},"level":"none","descriptor":{"id":
"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/framewo
rks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted
-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocat
ion":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js
","uriBaseId":"%SRCROOT%","index":246}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":214}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extract
ed-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/server.js","uriBaseId":"%SRCROOT%","index":88}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-cont
rol-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physi
calLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":371}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLoc
ation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/javascript","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":490}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cli/expected-extracted-files/python","index":1},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"none","timeUtc":"2024-09-19T08:44:27.830+00:00","descriptor":{"id":"codeql-action/zstd-availability","index":2},"properties":{"attributes":{"available":true,"version":{"type":"gnu","version":"1.34"}},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"javascript/frameworks/cap/test/queri
es/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds","uriBaseId":"%
SRCROOT%","index":13}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authe
ntication/db/schema.cds","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"javascript/frameworks/cap/test/que
ries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"javascript/frameworks/cap/test/queri
es/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":".github/codeql/codeql-config.yaml","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/ui5/ext/ext/ui5.model.yml","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":".github/codeql/extensions/javascript/frameworks/xsjs/ext/ext/xsjs.model.yml","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/additional-sources.model.yml","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":".github/codeql/extensions/javascript/heuristic-models/ext/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":".github/workflows/code_scanning.yml","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":".github/workflows/run-codeql-unit-tests-javascript.yml","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"codeql-workspace.yml","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"javascript/frameworks/cap/ext/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"javascript/frameworks/cap/ext/qlpack.yml","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"javascript/frameworks/cap/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":64
}},{"location":{"uri":"javascript/frameworks/cap/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":65}},{"location":{"uri":"javascript/frameworks/cap/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":66}},{"location":{"uri":"javascript/frameworks/cap/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":67}},{"location":{"uri":"javascript/frameworks/cap/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":68}},{"location":{"uri":"javascript/frameworks/cap/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":69}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":70}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/package.json","uriBaseId":"%SRCROOT%","index":71}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/server.js","uriBaseId":"%SRCROOT%","index":72}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":73}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":74}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":75}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":76}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.cds.json","uriBaseId":"%SRCROOT%","index":7
7}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-cds-authz/srv/service3.js","uriBaseId":"%SRCROOT%","index":78}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":79}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/package.json","uriBaseId":"%SRCROOT%","index":80}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/server.js","uriBaseId":"%SRCROOT%","index":81}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":82}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":83}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":84}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":85}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":86}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/package.json","uriBaseId":"%SRCROOT%","index":87}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/
server.js","uriBaseId":"%SRCROOT%","index":88}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":89}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service1.js","uriBaseId":"%SRCROOT%","index":90}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":91}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":92}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-js-authz-cds-serve/srv/service2.js","uriBaseId":"%SRCROOT%","index":93}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/package.json","uriBaseId":"%SRCROOT%","index":94}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/server.js","uriBaseId":"%SRCROOT%","index":95}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":96}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service1.js","uriBaseId":"%SRCROOT%","index":97}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":98}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-a
uthn-authz/entities-with-no-authz/entities-exposed-with-no-authz/srv/service2.js","uriBaseId":"%SRCROOT%","index":99}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":100}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/package.json","uriBaseId":"%SRCROOT%","index":101}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":103}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":105}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":106}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package-lock.json","uriBaseId":"%SRCROOT%","index":108}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/package.json","uriBaseId":"%SRCROOT%","index":109}},{"location":{"uri":"javascript/framewo
rks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/server.js","uriBaseId":"%SRCROOT%","index":110}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/privileged-user.js","uriBaseId":"%SRCROOT%","index":111}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":112}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":114}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":116}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/server.js","uriBaseId":"%SRCROOT%","index":118}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":119}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/
service1.js","uriBaseId":"%SRCROOT%","index":120}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":121}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":122}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":123}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/server.js","uriBaseId":"%SRCROOT%","index":125}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":126}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":127}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":128}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":129}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":130}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131}},{"location":{"uri":"j
avascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/server.js","uriBaseId":"%SRCROOT%","index":132}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":133}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service1.js","uriBaseId":"%SRCROOT%","index":134}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":135}},{"location":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/srv/service2.js","uriBaseId":"%SRCROOT%","index":136}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":137}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/package.json","uriBaseId":"%SRCROOT%","index":138}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/server.js","uriBaseId":"%SRCROOT%","index":139}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":140}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service1.js","uriBaseId":"%SRCROOT%","index":141}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":142}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-not-depending-on-request/srv/service2.js","uriBaseId
":"%SRCROOT%","index":143}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":144}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":145}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":146}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":147}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":148}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":149}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-complete-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":150}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":151}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":152}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":153}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":154}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protoco
l-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":155}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":156}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":158}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":159}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":160}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":161}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":163}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/db/schema.cds.json","uriBaseId":"%SRCROOT%","index":165}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/package.json","uriBaseId":"%SRCROOT%","index":166}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-inj
ection-without-protocol-none/server.js","uriBaseId":"%SRCROOT%","index":167}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.cds.json","uriBaseId":"%SRCROOT%","index":168}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.cds.json","uriBaseId":"%SRCROOT%","index":170}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds.json","uriBaseId":"%SRCROOT%","index":171}},{"location":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172}},{"location":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173}},{"location":{"uri":"javascript/frameworks/ui5/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":174}},{"location":{"uri":"javascript/frameworks/ui5/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":175}},{"location":{"uri":"javascript/frameworks/ui5/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":176}},{"location":{"uri":"javascript/frameworks/ui5/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":177}},{"location":{"uri":"javascript/frameworks/ui5/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":178}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/BindingStringParser/test.js","uriBaseId":"%SRCROOT%","index":179}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.html","uriBaseId":"%SRCROOT%","index":180}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.json","uriBaseId":"%SRCROOT%","index":181}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.js","uriBaseId":"%SRCROOT%
","index":182}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/Bindings/test.xml","uriBaseId":"%SRCROOT%","index":183}},{"location":{"uri":"javascript/frameworks/ui5/test/lib/JsonParser/test.js","uriBaseId":"%SRCROOT%","index":184}},{"location":{"uri":"javascript/frameworks/ui5/test/models/attachDisplay_detachDisplay/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":185}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/binding1.xml","uriBaseId":"%SRCROOT%","index":186}},{"location":{"uri":"javascript/frameworks/ui5/test/models/multiple_models/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":187}},{"location":{"uri":"javascript/frameworks/ui5/test/models/binding_path/bindingComposite.xml","uriBaseId":"%SRCROOT%","index":188}},{"location":{"uri":"javascript/frameworks/ui5/test/models/property_getter_setter/webapp/view/App.view.xml","uriBaseId":"%SRCROOT%","index":189}},{"location":{"uri":"javascript/frameworks/ui5/test/models/sink/sink1.xml","uriBaseId":"%SRCROOT%","index":190}},{"location":{"uri":"javascript/frameworks/ui5/test/models/source/source1.xml","uriBaseId":"%SRCROOT%","index":191}},{"location":{"uri":"javascript/frameworks/ui5/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":192}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":193}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":196}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/index.html","uriBaseId":"%SRCROOT%","index":197}},{"lo
cation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-deny-all/ui5.yaml","uriBaseId":"%SRCROOT%","index":198}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":199}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":200}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":201}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":204}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":205}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":206}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":208}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInj
ection/formula-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":209}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":210}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":213}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":214}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":215}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":217}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":218}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":219}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":220}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection
/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":222}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":223}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":225}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":226}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":227}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":228}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":229}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":230}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":231}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":232}},{"location":{"uri":"javascript/frameworks/u
i5/test/queries/UI5LogInjection/log-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":233}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":234}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":235}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":236}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":237}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":238}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":239}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":240}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":241}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package-lock.json","uriBaseId":"%SRCROOT%","index":242}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/package.json","uriBaseId":"%SRCROOT%","index":243}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":244}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/l
og-entry-flows-to-notifications/ui5.yaml","uriBaseId":"%SRCROOT%","index":245}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.html","uriBaseId":"%SRCROOT%","index":247}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/index.js","uriBaseId":"%SRCROOT%","index":248}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":249}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package-lock.json","uriBaseId":"%SRCROOT%","index":251}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/package.json","uriBaseId":"%SRCROOT%","index":252}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/ui5.yaml","uriBaseId":"%SRCROOT%","index":253}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.html","uriBaseId":"%SRCROOT%","index":255}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/index.js","uriBaseId":"%SRCROOT%","index":256}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogLis
tener.js","uriBaseId":"%SRCROOT%","index":257}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":258}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":261}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":262}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":263}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":264}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":265}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":266}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":267}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":268}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":269}},{"location":{"uri":"javascript/frameworks/ui5/test/queri
es/UI5PathInjection/path-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":270}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":272}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":274}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":275}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":276}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":278}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":279}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":280}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281}},{"location":{"uri":"ja
vascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":283}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":284}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":285}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":287}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":288}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":289}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":291}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/index.js","uriBaseId":"%SRCROOT%","index":292}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":293}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/w
ebapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/.eslintrc.json","uriBaseId":"%SRCROOT%","index":295}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package-lock.json","uriBaseId":"%SRCROOT%","index":296}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/package.json","uriBaseId":"%SRCROOT%","index":297}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/ui5.yaml","uriBaseId":"%SRCROOT%","index":298}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/Component.js","uriBaseId":"%SRCROOT%","index":299}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":303}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/model/todoitems.json","uriBaseId":"%SRCROOT%","index":304}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/AllJourneys.js","uriBaseId":"%SRCROOT%","index":305}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/FilterJourney.js","uriBaseId":"%SRCROOT%","index":306}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/SearchJourney.js","uriBaseId":"%SRCROOT%","index":307}},{"location":{"uri":"javascri
pt/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/TodoListJourney.js","uriBaseId":"%SRCROOT%","index":308}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/arrangements/Startup.js","uriBaseId":"%SRCROOT%","index":309}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.html","uriBaseId":"%SRCROOT%","index":310}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/opaTests.qunit.js","uriBaseId":"%SRCROOT%","index":311}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/integration/pages/App.js","uriBaseId":"%SRCROOT%","index":312}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.html","uriBaseId":"%SRCROOT%","index":313}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/testsuite.qunit.js","uriBaseId":"%SRCROOT%","index":314}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/AllTests.js","uriBaseId":"%SRCROOT%","index":315}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/controller/App.controller.js","uriBaseId":"%SRCROOT%","index":316}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.html","uriBaseId":"%SRCROOT%","index":317}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/test/unit/unitTests.qunit.js","uriBaseId":"%SRCROOT%","index":318}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/util/Helper.js","uriBaseId":"%SRCROOT%","index":319}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/view/App.view.xml","uriBa
seId":"%SRCROOT%","index":320}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package-lock.json","uriBaseId":"%SRCROOT%","index":321}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/package.json","uriBaseId":"%SRCROOT%","index":322}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/ui5.yaml","uriBaseId":"%SRCROOT%","index":323}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.html","uriBaseId":"%SRCROOT%","index":326}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/index.js","uriBaseId":"%SRCROOT%","index":327}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":328}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package-lock.json","uriBaseId":"%SRCROOT%","index":330}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/package.json","uriBaseId":"%SRCROOT%","index":331}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/ui5.yaml","uriBaseId":"%SRCROOT%","index":332}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333}},{"location":{"uri":"javascript/frameworks/ui5/test/
queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.html","uriBaseId":"%SRCROOT%","index":335}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/index.js","uriBaseId":"%SRCROOT%","index":336}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":337}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package-lock.json","uriBaseId":"%SRCROOT%","index":339}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/package.json","uriBaseId":"%SRCROOT%","index":340}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/ui5.yaml","uriBaseId":"%SRCROOT%","index":341}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.html","uriBaseId":"%SRCROOT%","index":344}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/index.js","uriBaseId":"%SRCROOT%","index":345}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":346}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jque
ry/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":348}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/package.json","uriBaseId":"%SRCROOT%","index":349}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":350}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":351}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":352}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":353}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":354}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":355}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":356}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package-lock.json","uriBaseId":"%SRCROOT%","index":357}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/package.json","uriBaseId":"%SRCROOT%","index":358}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/ui5.yaml","uriBaseId":"%SRCROOT%","index":359}},{"location":{"uri":"javasc
ript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":360}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":361}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.html","uriBaseId":"%SRCROOT%","index":362}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/index.js","uriBaseId":"%SRCROOT%","index":363}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":364}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":365}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package-lock.json","uriBaseId":"%SRCROOT%","index":366}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/package.json","uriBaseId":"%SRCROOT%","index":367}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/ui5.yaml","uriBaseId":"%SRCROOT%","index":368}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.html","uriBaseId":"%SRCROOT%","index":370}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/index.js","uriBaseId":"%SRCROOT%","index":371}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":372}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/
webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package-lock.json","uriBaseId":"%SRCROOT%","index":374}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/package.json","uriBaseId":"%SRCROOT%","index":375}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":376}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":378}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":379}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":380}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package-lock.json","uriBaseId":"%SRCROOT%","index":382}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/package.json","uriBaseId":"%SRCROOT%","index":383}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/ui5.yaml","uriBaseId":"%SRCROOT%","index":384}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/index.html","uriBaseId":"%SRCROOT%","index":386}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df
/webapp/index.js","uriBaseId":"%SRCROOT%","index":387}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":388}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package-lock.json","uriBaseId":"%SRCROOT%","index":390}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/package.json","uriBaseId":"%SRCROOT%","index":391}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/ui5.yaml","uriBaseId":"%SRCROOT%","index":392}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":393}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.html","uriBaseId":"%SRCROOT%","index":394}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/index.js","uriBaseId":"%SRCROOT%","index":395}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":396}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-oneway/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":397}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package-lock.json","uriBaseId":"%SRCROOT%","index":398}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/package.json","uriBaseId":"%SRCROOT%","index":399}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/ui5.yaml","uriBaseId":"%SRCROOT%","index":400}},{"location":{"uri":"javascript/fr
ameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/model.json","uriBaseId":"%SRCROOT%","index":402}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.html","uriBaseId":"%SRCROOT%","index":403}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/index.js","uriBaseId":"%SRCROOT%","index":404}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":405}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package-lock.json","uriBaseId":"%SRCROOT%","index":407}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/package.json","uriBaseId":"%SRCROOT%","index":408}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":409}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":411}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":412}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":413}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414}},{"loc
ation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package-lock.json","uriBaseId":"%SRCROOT%","index":415}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/package.json","uriBaseId":"%SRCROOT%","index":416}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":417}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":418}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":422}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":423}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":424}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package-lock.json","uriBaseId":"%SRCROOT%","index":426}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/package.json","uriBaseId":"%SRCROOT%","index":427}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":
428}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":430}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":431}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":432}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package-lock.json","uriBaseId":"%SRCROOT%","index":434}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/package.json","uriBaseId":"%SRCROOT%","index":435}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/ui5.yaml","uriBaseId":"%SRCROOT%","index":436}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.html","uriBaseId":"%SRCROOT%","index":438}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/index.js","uriBaseId":"%SRCROOT%","index":439}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":440}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/package-lock.json","uriBaseId":"%SRCROOT%","index":442}},{"location":{"uri":"javascript/framework
s/ui5/test/queries/UI5Xss/xss-separate-renderer/package.json","uriBaseId":"%SRCROOT%","index":443}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/ui5.yaml","uriBaseId":"%SRCROOT%","index":444}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.html","uriBaseId":"%SRCROOT%","index":448}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/index.js","uriBaseId":"%SRCROOT%","index":449}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":450}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package-lock.json","uriBaseId":"%SRCROOT%","index":452}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/package.json","uriBaseId":"%SRCROOT%","index":453}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/ui5.yaml","uriBaseId":"%SRCROOT%","index":454}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xs
sRenderer.js","uriBaseId":"%SRCROOT%","index":456}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.html","uriBaseId":"%SRCROOT%","index":458}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/index.js","uriBaseId":"%SRCROOT%","index":459}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":460}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package-lock.json","uriBaseId":"%SRCROOT%","index":462}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/package.json","uriBaseId":"%SRCROOT%","index":463}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.html","uriBaseId":"%SRCROOT%","index":465}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/ui5.yaml","uriBaseId":"%SRCROOT%","index":466}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/index.js","uriBaseId":"%SRCROOT%","index":467}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/manifest.json","uriBaseId":"%SRCROOT%","index":468}},{"location":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469}},{"location":{"uri":"javascript
/frameworks/xsjs/lib/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":470}},{"location":{"uri":"javascript/frameworks/xsjs/lib/qlpack.yml","uriBaseId":"%SRCROOT%","index":471}},{"location":{"uri":"javascript/frameworks/xsjs/src/qlpack.yml","uriBaseId":"%SRCROOT%","index":472}},{"location":{"uri":"javascript/frameworks/xsjs/src/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":473}},{"location":{"uri":"javascript/frameworks/xsjs/test/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":474}},{"location":{"uri":"javascript/frameworks/xsjs/test/qlpack.yml","uriBaseId":"%SRCROOT%","index":475}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/.xsaccess","uriBaseId":"%SRCROOT%","index":477}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/service.xsjs","uriBaseId":"%SRCROOT%","index":478}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483}},{"location":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484}},{"location":{"uri":"javascript/heuristic-models/tests/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":485}},{"location":{"uri":"javascript/heuristic-models/tests/qlpack.yml","uriBa
seId":"%SRCROOT%","index":486}},{"location":{"uri":"qlt.conf.json","uriBaseId":"%SRCROOT%","index":487}},{"location":{"uri":"scripts/codeql-pack.lock.yml","uriBaseId":"%SRCROOT%","index":488}},{"location":{"uri":"scripts/qlpack.yml","uriBaseId":"%SRCROOT%","index":489}},{"location":{"uri":"scripts/CreateTestsFromYaml.py","uriBaseId":"%SRCROOT%","index":490}}],"results":[{"ruleId":"js/missing-rate-limiting","rule":{"id":"js/missing-rate-limiting","index":24,"toolComponent":{"index":1}},"message":{"text":"This route handler performs [a database access](1), but is not rate-limited."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":40,"startColumn":25,"endLine":44,"endColumn":8}}}],"partialFingerprints":{"primaryLocationLineHash":"ac6d3bdd3d52ea9b:1","primaryLocationStartColumnFingerprint":"18"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":9,"endLine":43,"endColumn":11}},"message":{"text":"a database access"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"6311a9ed7e4091a4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... 
param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":4,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"8e517fc6fdf32a1a:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... 
.search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":11,"startColumn":20,"endColumn":25}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"c51cf11a085c01f4:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... 
.search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... (value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":19,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xss","rule":{"id":"js/xss","index":29,"toolComponent":{"index":1}},"message":{"text":"Cross-site scripting vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"e309bf8540256a05:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":26,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":27,"startColumn":20,"endColumn":26}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":25,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/sql-injection","rule":{"id":"js/sql-injection","index":62,"toolComponent":{"index":1}},"message":{"text":"This query string depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"4fc3122b51f477a1:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"req2.params.category"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":41,"startColumn":20,"endColumn":40}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":19,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"ccc6f77c65eccb45:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":32,"endColumn":36}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":26,"startColumn":19,"endColumn":36}},"message":{"text":"\"console:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":7,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... 
value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":6,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":18,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"be9a18716e55d497:2","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... 
, true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":9,"endColumn":37}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":24}},"message":{"text":"q.query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":17,"endColumn":33}},"message":{"text":"q.query.username"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":14,"startColumn":9,"endColumn":33}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":34,"endColumn":39}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":15,"startColumn":18,"endColumn":41}},"message":{"text":"`[INFO] ... 
value}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":13,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":18,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"e197b363f9dc3962:1","primaryLocationStartColumnFingerprint":"13"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"req.url"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":13,"endColumn":37}},"message":{"text":"url.par ... 
, true)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":9,"endColumn":37}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":18}},"message":{"text":"q"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":24}},"message":{"text":"q.query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":17,"endColumn":33}},"message":{"text":"q.query.username"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":22,"startColumn":9,"endColumn":33}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":23,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":34,"endColumn":40}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":24,"startColumn":18,"endColumn":42}},"message":{"text":"`[INFO] ... alue1}`"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/avoid-duplicate-alerts/LogInjectionTest.js","uriBaseId":"%SRCROOT%","index":3},"region":{"startLine":21,"startColumn":23,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/log-injection","rule":{"id":"js/log-injection","index":95,"toolComponent":{"index":1}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"45280b24f3d81287:1","primaryLocationStartColumnFingerprint":"12"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"req.responseText"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"req.responseText"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/heuristic-models/tests/Sources/test.js","uriBaseId":"%SRCROOT%","index":4},"region":{"startLine":5,"startColumn":17,"endColumn":33}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":17,"startColumn":27,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"41899ff1a967017d:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":202},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":203},"region":{"startLine":17,"startColumn":27,"endColumn":45}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":207},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":23,"startColumn":27,"endColumn":39}}}],"partialFingerprints":{"primaryLocationLineHash":"9afa5fd07ee36af6:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":211},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":15,"startColumn":21,"endColumn":47}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... 
value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":17,"startColumn":21,"endColumn":60}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":212},"region":{"startLine":23,"startColumn":27,"endColumn":39}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":216},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-formula-injection","rule":{"id":"js/ui5-formula-injection","index":0,"toolComponent":{"index":3}},"message":{"text":"The content of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":16,"startColumn":23,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"e701acdf85af03b4:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":16,"startColumn":23,"endColumn":51}},"message":{"text":"oModel. ... 
input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"3bb21c52eb38cf8:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":37}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":16,"startColumn":31,"endColumn":45}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to 
[user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"92dbc37bdafc7694:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"jQuery. ... param\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":9,"endColumn":51}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":5,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":3,"startColumn":17,"endColumn":51}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"faa1832c387d2ee5:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":12,"startColumn":27,"endColumn":32}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":10,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"8291f53a2e235d15:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"documen ... .search"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":9,"endColumn":41}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":39,"endColumn":44}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":18,"endColumn":45}},"message":{"text":"jQuery. ... 
(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":18,"startColumn":9,"endColumn":45}},"message":{"text":"value1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":20,"startColumn":27,"endColumn":33}},"message":{"text":"value1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/avoid-duplicate-alerts/XssTest.js","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":17,"startColumn":17,"endColumn":41}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"63ace7b071639814:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"oSearch ... 
Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":11,"endColumn":48}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":27,"startColumn":34,"endColumn":45}},"message":{"text":"searchValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":17,"startColumn":13,"endColumn":31}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":133,"startColumn":8,"endColumn":27}},"message":{"text":"oControl.getTitle()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controls/Book.js","uriBaseId":"%SRCROOT%","index":301},"region":{"startLine":132,"startColumn":7,"endLine":134,"endColumn":16}},"message":{"text":"\"
T ...
\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/controller/App.Controller.js","uriBaseId":"%SRCROOT%","index":300},"region":{"startLine":23,"startColumn":25,"endColumn":48}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":14,"startColumn":23,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"fc87b07640e9d85:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":325},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":324},"region":{"startLine":14,"startColumn":23,"endColumn":41}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api1/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":329},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":14,"startColumn":32,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5eac262ae765:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":334},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":333},"region":{"startLine":14,"startColumn":32,"endColumn":50}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-api2/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":338},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":14,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"352d5ec8b0c3bb0d:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":343},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":7,"startColumn":19,"endColumn":37}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":342},"region":{"startLine":14,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-custom-control-jquery/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":347},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":27,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"8ceecee7055f4fa2:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"oInput.getValue()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":17,"endColumn":42}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":27,"startColumn":36,"endColumn":41}},"message":{"text":"value"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":26,"startColumn":25,"endColumn":42}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":421},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssBase.js","uriBaseId":"%SRCROOT%","index":419},"region":{"startLine":5,"startColumn":15,"endColumn":33}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":420},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-indirect-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":425},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":447},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":446},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/control/renderer.js","uriBaseId":"%SRCROOT%","index":445},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":451},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456},"region":{"startLine":8,"startColumn":28,"endColumn":46}}}],"partialFingerprints":{"primaryLocationLineHash":"353ad97f4bff4eae:1","primaryLocationStartColumnFingerprint":"15"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":457},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":455},"region":{"startLine":7,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/control/xssRenderer.js","uriBaseId":"%SRCROOT%","index":456},"region":{"startLine":8,"startColumn":28,"endColumn":46}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-separate-renderer-byname/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":461},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":21,"startColumn":22,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"5d5122f6c75b5d01:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"/input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":429},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":21,"startColumn":22,"endColumn":32}},"message":{"text":"/input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-js-view/webapp/view/app.view.js","uriBaseId":"%SRCROOT%","index":433},"region":{"startLine":18,"startColumn":20,"endColumn":30}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":13,"startColumn":15,"endColumn":25}}}],"partialFingerprints":{"primaryLocationLineHash":"c18df3aa119b40dc:1","primaryLocationStartColumnFingerprint":"11"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"\"value\": \"{/input}\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":437},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":13,"startColumn":15,"endColumn":25}},"message":{"text":"\"content\": \"{/input}\""}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-json-view/webapp/view/app.view.json","uriBaseId":"%SRCROOT%","index":441},"region":{"startLine":9,"startColumn":13,"endColumn":23}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":8,"startColumn":5,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"74b35e217af6aa05:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":221},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":8,"startColumn":5,"endColumn":50}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5FormulaInjection/formula-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":224},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"9caa0f252fbe2993:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":31,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":9,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":9,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":10,"startColumn":44,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":32,"startColumn":17,"endColumn":30}},"message":{"text":"output1: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":9,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output1}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":17,"startColumn":5,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"2963bbd458e69924:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"oEvent. ... Value()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":17,"endColumn":60}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":19,"startColumn":44,"endColumn":55}},"message":{"text":"sInputValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":34,"startColumn":17,"endColumn":30}},"message":{"text":"output3: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":373},"region":{"startLine":17,"startColumn":5,"endColumn":40}},"message":{"text":"content={/output3}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-event-handlers/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":369},"region":{"startLine":18,"startColumn":31,"endColumn":60}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":377},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":381},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"1406455ac263a2d9:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":12,"startColumn":26,"endColumn":46}},"message":{"text":"new 
JSONModel(oData)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":15,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":16,"startColumn":43,"endColumn":48}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":385},"region":{"startLine":10,"startColumn":17,"endColumn":29}},"message":{"text":"output: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":8,"startColumn":5,"endColumn":38}},"message":{"text":"content={/output}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":389},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":8,"startColumn":5,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"97b29ed20ac04ff0:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":401},"region":{"startLine":8,"startColumn":40,"endColumn":63}},"message":{"text":"\"contro ... 
l.json\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":8,"startColumn":5,"endColumn":37}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-external-model/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":406},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":8,"startColumn":11,"endColumn":34}}}],"partialFingerprints":{"primaryLocationLineHash":"5edd24be658b61a4:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"data-value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":410},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":8,"startColumn":11,"endColumn":34}},"message":{"text":"data-content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-html-view/webapp/view/app.view.html","uriBaseId":"%SRCROOT%","index":414},"region":{"startLine":5,"startColumn":11,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-xss","rule":{"id":"js/ui5-xss","index":1,"toolComponent":{"index":3}},"message":{"text":"XSS vulnerability due to [user-provided value](1).\nXSS vulnerability due to [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"6e0d8f690e30e24a:1","primaryLocationStartColumnFingerprint":"0"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":464},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":22,"startColumn":5,"endColumn":38}},"message":{"text":"content={/input}"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":8,"startColumn":5,"endLine":10,"endColumn":27}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-webc-control/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":469},"region":{"startLine":15,"startColumn":5,"endLine":18,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":17,"startColumn":43,"endColumn":61}}}],"partialFingerprints":{"primaryLocationLineHash":"68e5ff83e2198ff5:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":273},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":8,"startColumn":23,"endColumn":38}},"message":{"text":"{ type: \"int\" 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":271},"region":{"startLine":17,"startColumn":43,"endColumn":61}},"message":{"text":"oControl.getText()"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-property-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":277},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":23,"startColumn":43,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"b79de9dff4d8f842:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":282},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: 
null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":9,"startColumn":23,"endColumn":41}},"message":{"text":"{ type: \"string\" }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":15,"startColumn":29,"endColumn":47}},"message":{"text":"oControl.getText()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":15,"startColumn":21,"endColumn":47}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":53,"endColumn":58}},"message":{"text":"value"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":46,"endColumn":59}},"message":{"text":"String(value)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":36,"endColumn":60}},"message":{"text":"encodeX ... 
value))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":17,"startColumn":21,"endColumn":60}},"message":{"text":"xssSanitized"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/control/xss.js","uriBaseId":"%SRCROOT%","index":281},"region":{"startLine":23,"startColumn":43,"endColumn":55}},"message":{"text":"xssSanitized"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-custom-control-sanitized/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":286},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-path-injection","rule":{"id":"js/ui5-path-injection","index":2,"toolComponent":{"index":3}},"message":{"text":"The path of a saved file depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":16,"startColumn":39,"endColumn":67}}}],"partialFingerprints":{"primaryLocationLineHash":"de27f6d546a116e8:1","primaryLocationStartColumnFingerprint":"26"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":10,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":290},"region":{"startLine":16,"startColumn":39,"endColumn":67}},"message":{"text":"oModel. ... input')"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5PathInjection/path-html-control-df/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":294},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to window\\[ ... 
onfig\"\\] being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":9,"startColumn":9,"endColumn":32}}}],"partialFingerprints":{"primaryLocationLineHash":"6152b8f74a1abdf5:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to data-sap-ui-frameOptions=allow being set to `allow`."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-allow-all/index.html","uriBaseId":"%SRCROOT%","index":194},"region":{"startLine":28,"startColumn":34,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"b01bd23ca3666824:1","primaryLocationStartColumnFingerprint":"25"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to missing frame options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Clickjacking/clickjacking-default-all/index.html","uriBaseId":"%SRCROOT%","index":195},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"7fe81114896a63c:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-clickjacking","rule":{"id":"js/ui5-clickjacking","index":3,"toolComponent":{"index":3}},"message":{"text":"Possible clickjacking vulnerability due to missing frame 
options."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5Xss/xss-book-example/webapp/index.html","uriBaseId":"%SRCROOT%","index":302},"region":{"startLine":2,"endColumn":16}}}],"partialFingerprints":{"primaryLocationLineHash":"df700c15dad274b2:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":5,"startColumn":9,"endLine":24,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"fad475448f62563d:1","primaryLocationStartColumnFingerprint":"-139"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":9,"startColumn":17,"endColumn":28}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":15,"startColumn":25,"endColumn":53}},"message":{"text":"oModel. ... 
input')"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":15,"startColumn":17,"endColumn":53}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":246},"region":{"startLine":17,"startColumn":34,"endColumn":39}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-notifications/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":250},"region":{"startLine":6,"startColumn":5,"endLine":8,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided 
data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"20e0edf06769f248:1","primaryLocationStartColumnFingerprint":"14"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-unsafe-log-access","rule":{"id":"js/ui5-unsafe-log-access","index":4,"toolComponent":{"index":3}},"message":{"text":"Accessed log entries depend on [user-provided 
data](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"e10e4681e4f3a5f2:1","primaryLocationStartColumnFingerprint":"22"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided data"}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":5,"toolComponent":{"index":3}},"message":{"text":"Outbound network request depends on [user-provided](1) log 
data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":11,"startColumn":19,"endColumn":26}}}],"partialFingerprints":{"primaryLocationLineHash":"83472515fe67207a:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":42}},"message":{"text":"Log.getLogEntries()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":45}},"message":{"text":"Log.get ... es()[0]"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":23,"endColumn":53}},"message":{"text":"Log.get ... 
message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":7,"startColumn":13,"endColumn":53}},"message":{"text":"message"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/LogEntriesToHttp.js","uriBaseId":"%SRCROOT%","index":259},"region":{"startLine":11,"startColumn":19,"endColumn":26}},"message":{"text":"message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}}]},{"ruleId":"js/ui5-log-injection-to-http","rule":{"id":"js/ui5-log-injection-to-http","index":5,"toolComponent":{"index":3}},"message":{"text":"Outbound network request depends on [user-provided](1) log 
data."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":33}}}],"partialFingerprints":{"primaryLocationLineHash":"84768bf2b1d6e5a5:1","primaryLocationStartColumnFingerprint":"10"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"value={/input}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":8,"startColumn":11,"endColumn":22}},"message":{"text":"input: null"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":21,"endColumn":49}},"message":{"text":"oModel. ... 
input\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":14,"startColumn":13,"endColumn":49}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/controller/app.controller.js","uriBaseId":"%SRCROOT%","index":254},"region":{"startLine":15,"startColumn":30,"endColumn":35}},"message":{"text":"input"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":9,"startColumn":29,"endColumn":35}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":25}},"message":{"text":"oEvent"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/utils/CustomLogListener.js","uriBaseId":"%SRCROOT%","index":257},"region":{"startLine":13,"startColumn":19,"endColumn":33}},"message":{"text":"oEvent.message"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/ui5/test/queries/UI5LogInjection/log-entry-flows-to-sinks/webapp/view/app.view.xml","uriBaseId":"%SRCROOT%","index":260},"region":{"startLine":5,"startColumn":5,"endLine":7,"endColumn":29}},"message":{"text":"user-provided"}}]},{"ruleId":"js/cap-sensitive-log","rule":{"id":"js/cap-sensitive-log","index":0,"toolComponent":{"index":6}},"message":{"text":"Log entry 
depends on the [name](1) field which is annotated as potentially sensitive."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"c2d27f652a20308e:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}},"message":{"text":"Sample.name"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.js","uriBaseId":"%SRCROOT%","index":172},"region":{"startLine":9,"startColumn":32,"endColumn":43}},"message":{"text":"Sample.name"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/sensitive-exposure/sensitive-exposure.cds","uriBaseId":"%SRCROOT%","index":48},"region":{"startLine":4,"startColumn":5,"endLine":5,"endColumn":2}},"message":{"text":"name"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Current authentication strategy contains [credentials of mocked 
users](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}}}],"partialFingerprints":{"primaryLocationLineHash":"189356aa691178ee:1","primaryLocationStartColumnFingerprint":"9"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":17,"startColumn":18,"endLine":32,"endColumn":10}},"message":{"text":"credentials of mocked users"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [basic](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":16,"startColumn":17,"endColumn":24}}}],"partialFingerprints":{"primaryLocationLineHash":"8ec70b5c261c793b:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/basic-authentication/package.json","uriBaseId":"%SRCROOT%","index":117},"region":{"startLine":16,"startColumn":17,"endColumn":24}},"message":{"text":"basic"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [dummy](1) is 
used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124},"region":{"startLine":15,"startColumn":15,"endColumn":22}}}],"partialFingerprints":{"primaryLocationLineHash":"2a27bf058be4572:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/dummy-authentication/package.json","uriBaseId":"%SRCROOT%","index":124},"region":{"startLine":15,"startColumn":15,"endColumn":22}},"message":{"text":"dummy"}}]},{"ruleId":"js/cap-non-prod-auth-strategy","rule":{"id":"js/cap-non-prod-auth-strategy","index":1,"toolComponent":{"index":6}},"message":{"text":"Non-production authentication strategy [mocked](1) is used."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":21,"startColumn":15,"endColumn":23}}}],"partialFingerprints":{"primaryLocationLineHash":"2af5230c91e6a4cd:1","primaryLocationStartColumnFingerprint":"8"},"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/nonprod-authn-strategy/mocked-authentication/package.json","uriBaseId":"%SRCROOT%","index":131},"region":{"startLine":21,"startColumn":15,"endColumn":23}},"message":{"text":"mocked"}}]},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged 
user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/server.js","uriBaseId":"%SRCROOT%","index":102},"region":{"startLine":8,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"b6ec748aef5ccec4:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service1.js","uriBaseId":"%SRCROOT%","index":104},"region":{"startLine":14,"startColumn":7,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"2c0c554bf5b5f7d:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-default-user-is-privileged","rule":{"id":"js/cap-default-user-is-privileged","index":2,"toolComponent":{"index":6}},"message":{"text":"The default user is being overridden to a privileged user."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/default-is-privileged/srv/service2.js","uriBaseId":"%SRCROOT%","index":107},"region":{"startLine":12,"startColumn":5,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"ee143e9aad9c9a16:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":18,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"62915c8622048073:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":33,"startColumn":24,"endColumn":50}}}],"partialFingerprints":{"primaryLocationLineHash":"8c5c989d244a1f09:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":50,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"faab9436420ec8fd:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":67,"startColumn":25,"endColumn":40}}}],"partialFingerprints":{"primaryLocationLineHash":"8eb12b95cf4128eb:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that may require 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.js","uriBaseId":"%SRCROOT%","index":113},"region":{"startLine":83,"startColumn":24,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"9343d25bdd5ba748:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115},"region":{"startLine":18,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:1","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-unnecessarily-granted-privileged-access-rights","rule":{"id":"js/cap-unnecessarily-granted-privileged-access-rights","index":3,"toolComponent":{"index":6}},"message":{"text":"This entity is accessed with unnecessarily privileged rights that requires 
authorization."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.js","uriBaseId":"%SRCROOT%","index":115},"region":{"startLine":35,"startColumn":21,"endColumn":38}}}],"partialFingerprints":{"primaryLocationLineHash":"383e73b4014710f9:2","primaryLocationStartColumnFingerprint":"12"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS entity `Service1.Service1Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":6,"startColumn":10,"endLine":7,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"3984db8d11cdcda4:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send2` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":18,"startColumn":10,"endLine":19,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"28b66b32406f07ba:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action 
`Service1.send3` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":23,"startColumn":10,"endLine":24,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"a5382f0f9fda534:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send4` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":28,"startColumn":10,"endLine":29,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"ebf09aafb38c42ae:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service1.send5` is exposed without any 
authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service1.cds","uriBaseId":"%SRCROOT%","index":22},"region":{"startLine":33,"startColumn":10,"endLine":34,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"65cd9b8a9955401b:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS entity `Service2.Service2Entity1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":6,"startColumn":10,"endLine":7,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b02237ac8be3c990:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-entity-exposed-without-authentication","rule":{"id":"js/cap-entity-exposed-without-authentication","index":4,"toolComponent":{"index":6}},"message":{"text":"The CDS action `Service2.send1` is exposed without any authentication."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/bad-authn-authz/misused-privileged-user/unnecessarily-granted-privileged-access-rights/srv/service2.cds","uriBaseId":"%SRCROOT%","index":23},"region":{"startLine":13,"startColumn":10,"endLine":14,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"d2bdf8ef231dddd1:1","primaryLocationStartColumnFingerprint":"7"}},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":36,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"e5ae8639cd6967fb:1","primaryLocationStartColumnFingerprint":"29"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":50,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":44,"endColumn":56}},"message":{"text":"`ID=${book}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":19,"endColumn":57}},"message":{"text":"SELECT. ... 
book}`)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":12,"startColumn":11,"endColumn":57}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":36,"endColumn":41}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":27,"endColumn":65}}}],"partialFingerprints":{"primaryLocationLineHash":"b41554298e90b620:1","primaryLocationStartColumnFingerprint":"20"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBas
eId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":58,"endColumn":62}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":52,"endColumn":64}},"message":{"text":"`ID=${book}`"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":15,"startColumn":27,"endColumn":65}},"message":{"text":"SELECT. ... 
book}`)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":18,"startColumn":37,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"967d7be3edc97a9e:1","primaryLocationStartColumnFingerprint":"30"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":53,"endColumn":57}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":45,"endColumn":57}},"message":{"text":"'ID=' + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":20,"endColumn":58}},"message":{"text":"SELECT. ... 
+ book)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":17,"startColumn":11,"endColumn":58}},"message":{"text":"query2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":18,"startColumn":37,"endColumn":43}},"message":{"text":"query2"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":27,"endColumn":65}}}],"partialFingerprints":{"primaryLocationLineHash":"1c132adaa6986472:1","primaryLocationStartColumnFingerprint":"20"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriB
aseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":60,"endColumn":64}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":52,"endColumn":64}},"message":{"text":"'ID=' + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":20,"startColumn":27,"endColumn":65}},"message":{"text":"SELECT. ... 
+ book)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28,"startColumn":39,"endColumn":42}}}],"partialFingerprints":{"primaryLocationLineHash":"144d55d233768c80:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":59,"endColumn":63}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":17,"endColumn":63}},"message":{"text":"CQL`SEL ... 
+ book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":27,"startColumn":11,"endColumn":63}},"message":{"text":"cqn"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28,"startColumn":39,"endColumn":42}},"message":{"text":"cqn"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-sql-injection","rule":{"id":"js/cap-sql-injection","index":5,"toolComponent":{"index":6}},"message":{"text":"This query depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":31,"startColumn":39,"endColumn":43}}}],"partialFingerprints":{"primaryLocationLineHash":"1cd6f1adc2ef8f7c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":
"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":56,"endColumn":60}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":32,"endColumn":60}},"message":{"text":"`SELECT ... + book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":18,"endColumn":61}},"message":{"text":"cds.par ... 
+ book)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":30,"startColumn":11,"endColumn":61}},"message":{"text":"cqn1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":31,"startColumn":39,"endColumn":43}},"message":{"text":"cqn1"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/cqlinjection/cqlinjection.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":16,"endColumn":29}}}],"partialFingerprints":{"primaryLocationLineHash":"eae426bf8fad0192:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":34,"endColumn":37}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"ja
vascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":34,"endColumn":42}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":8,"startColumn":13,"endColumn":42}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":25,"endColumn":29}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":11,"startColumn":16,"endColumn":29}},"message":{"text":"\"CAP:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":7,"startColumn":34,"endColumn":37}},"message":{"text":"user-provided 
value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":47,"endColumn":48}}}],"partialFingerprints":{"primaryLocationLineHash":"e05b39891dddd161:1","primaryLocationStartColumnFingerprint":"40"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":24,"endColumn":27}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":17,"endColumn":20}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":17,"endColumn":25}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":13,"endColumn":25}},"message":{"text":"$"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":18,"startColumn":47,"endColumn":48}},"message":{"text":"$"}}}]}]}],"relatedLocati
ons":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":15,"startColumn":24,"endColumn":27}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":16,"endColumn":29}}}],"partialFingerprints":{"primaryLocationLineHash":"4dc77ce4a9b7031e:1","primaryLocationStartColumnFingerprint":"9"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"req2.params.category"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":31}},"message":{"text":"{ book, quantity 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":15,"endColumn":19}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":13,"endColumn":54}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":25,"endColumn":29}},"message":{"text":"book"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":25,"startColumn":16,"endColumn":29}},"message":{"text":"\"CAP:\" + book"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-single-file/loginjection.js","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":23,"startColumn":34,"endColumn":54}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service1-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":157},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":39,"endColumn":42}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":7,"startColumn":19,"endColumn":47}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":164},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-with-service2-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":162},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/cap-log-injection","rule":{"id":"js/cap-log-injection","index":6,"toolComponent":{"index":6}},"message":{"text":"Log entry depends on a [user-provided value](1).\nLog entry depends on a [user-provided 
value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}}}],"partialFingerprints":{"primaryLocationLineHash":"7c291d40b7c61d4f:1","primaryLocationStartColumnFingerprint":"23"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":39,"endColumn":42}},"message":{"text":"req"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":39,"endColumn":47}},"message":{"text":"req.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":19,"endColumn":36}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":21,"endColumn":34}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":7,"startColumn":19,"endColumn":47}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":9,"startColumn":38,"endColumn":51}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":9,"startColumn":36,"endColumn":53}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass 
}"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":38}},"message":{"text":"msg"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":35,"endColumn":43}},"message":{"text":"msg.data"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"
region":{"startLine":7,"startColumn":15,"endColumn":32}},"message":{"text":"{ messageToPass }"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":17,"endColumn":30}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":7,"startColumn":15,"endColumn":43}},"message":{"text":"messageToPass"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":9,"startColumn":32,"endColumn":45}},"message":{"text":"messageToPass"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service1.js","uriBaseId":"%SRCROOT%","index":169},"region":{"startLine":6,"startColumn":33,"endColumn":36}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/cap/test/queries/loginjection/log-injection-without-protocol-none/srv/service2.js","uriBaseId":"%SRCROOT%","index":173},"region":{"startLine":6,"startColumn":29,"endColumn":32}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":0,"toolComponent":{"index":7}},"message":{"text":"CSRF protection is missing from the 
configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"c1675fd626f895bf:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-disabled-csrf-protection","rule":{"id":"js/xsjs-disabled-csrf-protection","index":0,"toolComponent":{"index":7}},"message":{"text":"CSRF protection should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":14,"startColumn":31,"endColumn":36}}}],"partialFingerprints":{"primaryLocationLineHash":"c66a379bed25dd74:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-zip-slip","rule":{"id":"js/xsjs-zip-slip","index":1,"toolComponent":{"index":7}},"message":{"text":"The path of [this zip file](1) being saved depends on a [user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"54d432c04bb48c9c:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":35,"endColumn":62}},"message":{"text":"request ... 
uffer()"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":20,"endColumn":63}},"message":{"text":"new $.u ... ffer())"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":7,"endColumn":63}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":10,"startColumn":25,"endColumn":35}},"message":{"text":"zipArchive"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":65,"endColumn":74}},"message":{"text":"entryPath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":26,"endColumn":75}},"message":{"text":"require ... 
ryPath)"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":11,"startColumn":9,"endColumn":75}},"message":{"text":"targetFilePath"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"targetFilePath"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":12,"startColumn":37,"endColumn":51}},"message":{"text":"this zip file"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSZipSlip/XSJSZipSlip.xsjs","uriBaseId":"%SRCROOT%","index":484},"region":{"startLine":7,"startColumn":35,"endColumn":62}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-reflected-xss","rule":{"id":"js/xsjs-reflected-xss","index":2,"toolComponent":{"index":7}},"message":{"text":"Reflected XSS vulnerability due to [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":22,"endColumn":66}}}],"partialFingerprints":{"primaryLocationLineHash":"a31830db0e0a3d3c:1","primaryLocationStartColumnFingerprint":"19"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"request ... 
eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":7,"endColumn":68}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":46,"endColumn":65}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":13,"startColumn":22,"endColumn":66}},"message":{"text":"request ... Value1)"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSReflectedXss/XSJSReflectedXss.xsjs","uriBaseId":"%SRCROOT%","index":480},"region":{"startLine":11,"startColumn":29,"endColumn":68}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/exposed/.xsaccess","uriBaseId":"%SRCROOT%","index":476},"region":{"startLine":3,"startColumn":23,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"a900cae7399fb257:1","primaryLocationStartColumnFingerprint":"18"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication is missing from the 
configuration."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/missing_auth/.xsaccess","uriBaseId":"%SRCROOT%","index":479},"region":{"startLine":1,"endLine":4,"endColumn":2}}}],"partialFingerprints":{"primaryLocationLineHash":"b57c6bae252883be:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":3,"startColumn":29,"endColumn":35}}}],"partialFingerprints":{"primaryLocationLineHash":"7c987b52e21935f7:1","primaryLocationStartColumnFingerprint":"24"}},{"ruleId":"js/xsjs-broken-authentication","rule":{"id":"js/xsjs-broken-authentication","index":3,"toolComponent":{"index":7}},"message":{"text":"Authentication should not be disabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSAccess/service/xs-app.json","uriBaseId":"%SRCROOT%","index":481},"region":{"startLine":15,"startColumn":35,"endColumn":41}}}],"partialFingerprints":{"primaryLocationLineHash":"f2aa90ab66c52c3c:1","primaryLocationStartColumnFingerprint":"22"}},{"ruleId":"js/xsjs-url-redirect","rule":{"id":"js/xsjs-url-redirect","index":4,"toolComponent":{"index":7}},"message":{"text":"[This URL](1) depends on a [user-provided 
value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}}}],"partialFingerprints":{"primaryLocationLineHash":"f02e3e17e12824b3:1","primaryLocationStartColumnFingerprint":"35"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"request ... meter\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":7,"endColumn":66}},"message":{"text":"someParameterValue"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"someParameterValue"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":9,"startColumn":38,"endColumn":56}},"message":{"text":"This URL"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSUrlRedirect/XSJSUrlRedirect.xsjs","uriBaseId":"%SRCROOT%","index":483},"region":{"startLine":7,"startColumn":28,"endColumn":66}},"message":{"text":"user-provided value"}}]},{"ruleId":"js/xsjs-sql-injection","rule":{"id":"js/xsjs-sql-injection","index":5,"toolComponent":{"index":7}},"message":{"text":"This query depends on a [user-provided value](1).\nThis query depends on a 
[user-provided value](2)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}}}],"partialFingerprints":{"primaryLocationLineHash":"65aa43aa4e46559c:1","primaryLocationStartColumnFingerprint":"54"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter1\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter1\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":7,"endColumn":80}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":32,"endColumn":51}},"message":{"text":"someParameterValue1"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":15,"endColumn":107}},"message":{"text":"\"INSERT ... 
2 + \")\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":7,"endColumn":107}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]},{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"request ... eter2\")"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":29,"endColumn":80}},"message":{"text":"JSON.pa ... ter2\"))"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":7,"endColumn":80}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":82,"endColumn":101}},"message":{"text":"someParameterValue2"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":15,"endColumn":107}},"message":{"text":"\"INSERT ... 
2 + \")\""}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":10,"startColumn":7,"endColumn":107}},"message":{"text":"query"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":13,"startColumn":57,"endColumn":62}},"message":{"text":"query"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":8,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}},{"id":2,"physicalLocation":{"artifactLocation":{"uri":"javascript/frameworks/xsjs/test/queries/XSJSSqlInjection/XSJSSqlInjection.xsjs","uriBaseId":"%SRCROOT%","index":482},"region":{"startLine":9,"startColumn":40,"endColumn":79}},"message":{"text":"user-provided value"}}]}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarif-latest","metricResults":[{"rule":{"id":"js/summary/lines-of-user-code","index":102,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-user-code","value":3190,"baseline":2578},{"rule":{"id":"js/summary/lines-of-code","index":103,"toolComponent":{"index":1}},"ruleId":"js/summary/lines-of-code","value":3190}],"codeqlConfigSummary":{"disableDefaultQueries":false,"queries":[{"type":"builtinSuite","uses":"security-extended"},{"type":"localQuery","uses":"./javascript/frameworks/ui5/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/cap/src/codeql-suites/javascript-security-extended.qls"},{"type":"localQuery","uses":"./javascript/frameworks/xsjs/src/codeql-suites/javascript-security-extended.qls"}]}}}]} \ No newline at end of file diff --git a/README.md b/README.md index 70dcd788..1a73af88 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,9 @@ jobs: - name: Perform CodeQL Analysis id: analyze uses: github/codeql-action/analyze@v3 + env: + LGTM_INDEX_XML_MODE: all + LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON" ``` Example configuration file: ```yaml @@ -50,7 +53,7 @@ packs: # Use these packs for JavaScript and TypeScript analysis javascript: - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls - - advanced-security/javascript-sap-async-xsjs-queries:codeql-suites/javascript-security-extended.qls + - advanced-security/javascript-sap-xsjs-queries:codeql-suites/javascript-security-extended.qls - advanced-security/javascript-sap-cap-queries:codeql-suites/javascript-security-extended.qls - advanced-security/javascript-sap-ui5-queries:codeql-suites/javascript-security-extended.qls 
@@ -84,7 +87,7 @@ codeql database create --language=javascript
 codeql database analyze --format=sarif-latest --output= \
 --download advanced-security/javascript-sap-cap-queries \
 advanced-security/javascript-sap-ui5-queries \
- advanced-security/javascript-sap-async-xsjs-queries
+ advanced-security/javascript-sap-xsjs-queries
 ```
 ## License
diff --git a/javascript/frameworks/xsjs/ext/qlpack.yml b/javascript/frameworks/xsjs/ext/qlpack.yml
index 70b648a7..cc920828 100644
--- a/javascript/frameworks/xsjs/ext/qlpack.yml
+++ b/javascript/frameworks/xsjs/ext/qlpack.yml
@@ -1,6 +1,6 @@
 ---
 library: true
-name: advanced-security/javascript-sap-async-xsjs-models
+name: advanced-security/javascript-sap-xsjs-models
 version: 0.1.0
 extensionTargets:
 codeql/javascript-all: "^2.0.0"
diff --git a/javascript/frameworks/xsjs/lib/qlpack.yml b/javascript/frameworks/xsjs/lib/qlpack.yml
index cd6203bb..405f8041 100644
--- a/javascript/frameworks/xsjs/lib/qlpack.yml
+++ b/javascript/frameworks/xsjs/lib/qlpack.yml
@@ -1,6 +1,6 @@
 ---
 library: true
-name: advanced-security/javascript-sap-async-xsjs-lib
+name: advanced-security/javascript-sap-xsjs-lib
 version: 0.1.0
 suites: codeql-suites
 extractor: javascript
diff --git a/javascript/frameworks/xsjs/src/qlpack.yml b/javascript/frameworks/xsjs/src/qlpack.yml
index 0121ba42..97b9da71 100644
--- a/javascript/frameworks/xsjs/src/qlpack.yml
+++ b/javascript/frameworks/xsjs/src/qlpack.yml
@@ -1,11 +1,11 @@
 ---
 library: false
-name: advanced-security/javascript-sap-async-xsjs-queries
+name: advanced-security/javascript-sap-xsjs-queries
 version: 0.1.0
 suites: codeql-suites
 extractor: javascript
 dependencies:
 codeql/javascript-all: "^2.0.0"
- advanced-security/javascript-sap-async-xsjs-models: "^0.1.0"
- advanced-security/javascript-sap-async-xsjs-lib: "^0.1.0"
+ advanced-security/javascript-sap-xsjs-models: "^0.1.0"
+ advanced-security/javascript-sap-xsjs-lib: "^0.1.0"
 default-suite-file: codeql-suites/javascript-code-scanning.qls
diff --git a/javascript/frameworks/xsjs/test/qlpack.yml b/javascript/frameworks/xsjs/test/qlpack.yml
index 012962f0..db2dbc27 100644
--- a/javascript/frameworks/xsjs/test/qlpack.yml
+++ b/javascript/frameworks/xsjs/test/qlpack.yml
@@ -1,8 +1,8 @@
 ---
-name: advanced-security/javascript-sap-async-xsjs-tests
+name: advanced-security/javascript-sap-xsjs-tests
 version: 0.1.0
 extractor: javascript
 dependencies:
 codeql/javascript-all: "^2.0.0"
- advanced-security/javascript-sap-async-xsjs-queries: "^0.1.0"
- advanced-security/javascript-sap-async-xsjs-lib: "^0.1.0"
+ advanced-security/javascript-sap-xsjs-queries: "^0.1.0"
+ advanced-security/javascript-sap-xsjs-lib: "^0.1.0"