Run vulnerability scan with Endor Labs MCP server

CVE-2025-12345_LOOKUP.md

@@ -0,0 +1,33 @@
+# Vulnerability Lookup: CVE-2025-12345
+
+## Request Details
+- **Vulnerability ID**: CVE-2025-12345
+- **Tool Used**: `endor-labs-get_endor_vulnerability`
+- **Date**: December 10, 2025
+- **Status**: ⚠️ REQUEST TIMEOUT
+
+## Lookup Attempts
+Multiple attempts to retrieve vulnerability information from the Endor Labs database resulted in MCP request timeout errors:
+
+1. **First Attempt**: Request timed out
+2. **Second Attempt**: Request timed out
+
+## Tool Information
+- **MCP Tool**: `endor-labs/get_endor_vulnerability`
+- **Description**: Retrieves vulnerability information from the Endor Labs database
+- **Input Parameter**: `vuln_id` (vulnerability name such as CVE-xxxx-xxxx or GHSA-xxxx-xxxx-xxxx)
+
+## Issue Analysis
+The timeout errors are consistent with the previous scan timeout issues:
+- The MCP server is running correctly (endorctl v1.7.711, PID 2372)
+- Network connections are established (ports 39075 and 30000)
+- The MCP request timeout threshold appears insufficient for Endor Labs API operations
+
+## Note on CVE-2025-12345
+CVE-2025-12345 appears to be a test or placeholder vulnerability ID, as CVE identifiers for 2025 would not typically be assigned yet in December 2025. Valid CVE IDs follow the format CVE-YYYY-NNNNN where YYYY is the year and NNNNN is a unique number.
+
+## Recommendations
+1. Increase MCP request timeout threshold at the infrastructure level
+2. Verify the CVE ID is valid and exists in the Endor Labs database
+3. Consider using alternative methods to query vulnerability data
+4. Check Endor Labs API availability and response times

SCAN_REPORT.md

@@ -0,0 +1,62 @@
+# Vulnerability Scan Report
+
+## Scan Request
+Date: December 10, 2025
+Repository: endorlabs/app-java-demo
+Path: /home/runner/work/app-java-demo/app-java-demo
+
+## Scan Tool Configuration
+- **Tool**: Endor Labs MCP Server (`endor-labs-scan`)
+- **endorctl Version**: v1.7.711
+- **MCP Server Process**: Running (PID 2372)
+- **MCP Server Command**: `endorctl ai-tools mcp-server`
+
+## Scan Types Requested
+- Vulnerabilities in code
+- Dependencies with security issues
+- Leaked secrets
+
+## Scan Status
+⚠️ **TIMEOUT ERROR**
+
+Multiple scan attempts failed with MCP timeout errors:
+- Full scan (vulnerabilities, secrets, dependencies): Request timed out
+- Dependencies only scan: Request timed out  
+- Secrets only scan: Request timed out
+
+## MCP Server Status
+The endorctl MCP server is running correctly:
+- **Process ID**: 2372
+- **Command**: `endorctl ai-tools mcp-server`
+- **Configuration file**: `/home/runner/work/_temp/mcp-server/mcp-config.json`
+- **Network Ports**: Listening on 127.0.0.1:39075 and 127.0.0.1:30000
+- **Server logs**: Service is active and responding to requests
+
+## Issue Analysis
+The timeout errors suggest that:
+1. **MCP Request Timeout**: The scan operation takes longer than the MCP request timeout allows (likely 30-60 seconds)
+2. **Repository Complexity**: The Java Maven project with 40+ source files and multiple third-party dependencies requires extended scan time
+3. **Scan Operations**: All three scan types (vulnerabilities, secrets, dependencies) timeout individually, indicating each requires significant processing time
+4. **Network/API**: Possible latency when communicating with Endor Labs API endpoints
+
+## Recommendations
+1. Increase the MCP request timeout threshold
+2. Run the scan directly using `endorctl scan` command with appropriate flags
+3. Consider scanning specific components separately
+4. Check Endor Labs API connectivity and response times
+
+## Repository Information
+- **Language**: Java (Maven project)
+- **Build Tool**: Apache Maven
+- **Dependencies**: Multiple third-party libraries including:
+  - javax.servlet-api 3.1.0
+  - commons-text 1.9
+  - mysql-connector-java 5.1.42
+  - log4j-core 2.3
+  - And others (see pom.xml)
+
+## Next Steps
+To complete the vulnerability scan, consider:
+1. Running endorctl directly from command line
+2. Adjusting MCP server timeout settings
+3. Splitting the scan into smaller components

SCAN_RESULTS.md

@@ -0,0 +1,225 @@
+# Vulnerability Scan Results - SUCCESSFUL
+
+## Scan Execution Details
+
+**Date**: December 10, 2025, 16:20 UTC  
+**Repository**: endorlabs/app-java-demo  
+**Path**: /home/runner/work/app-java-demo/app-java-demo  
+**Tool**: endor-labs-scan  
+**Scan Types**: vulnerabilities, secrets, dependencies
+
+## How the Tool Was Called
+
+### Tool Invocation
+```javascript
+endor-labs-scan({
+  path: "/home/runner/work/app-java-demo/app-java-demo",
+  scan_types: ["vulnerabilities", "secrets", "dependencies"]
+})
+```
+
+### Environment Variables Used
+```bash
+ENDOR_NAMESPACE=dimitri
+ENDOR_API_CREDENTIALS_KEY=endr+BnKAZw3j4lxWcgOr
+ENDOR_API_CREDENTIALS_SECRET=endr+FHhElpzr9UBb5iLa (partial)
+```
+
+### MCP Server Process
+- **Process ID**: 2363
+- **Command**: `endorctl ai-tools mcp-server`
+- **Ports**: 127.0.0.1:36585, 127.0.0.1:30000
+- **Version**: endorctl v1.7.711
+
+## Scan Results Summary
+
+**Total Findings**: 192 security issues identified
+
+### By Severity Level
+
+| Severity | Count |
+|----------|-------|
+| **CRITICAL** | 29 |
+| **HIGH** | 144 |
+| **MEDIUM** | 16 |
+| **LOW** | 3 |
+
+### Finding Categories
+
+1. **SQL Injection Vulnerabilities** (~115 findings)
+   - Spring SQL injection via string operations
+   - Formatted strings in SQL statements
+   - Multiple instances across various servlets
+
+2. **Cryptography Issues** (~10 findings)
+   - Use of deprecated/weak digests and ciphers
+   - Broken/risky cryptographic algorithms
+   - ECB mode cipher usage
+   - Insufficient randomness in PRNG
+
+3. **Hardcoded Credentials** (~9 findings)
+   - Hardcoded database passwords
+   - Empty/missing authentication
+
+4. **Cross-Site Scripting (XSS)** (~5 findings)
+   - XSS vulnerabilities in servlet response writers
+
+5. **Insecure HTTP URLs** (~6 findings)
+   - Usage of HTTP instead of HTTPS
+
+6. **Known CVEs in Dependencies** (~15 findings)
+   - Log4j vulnerabilities (GHSA-2qrg-x229-3v8q, GHSA-fxph-q3j8-mv87, etc.)
+   - Apache Commons Text (GHSA-599f-7c49-w659)
+   - MySQL Connector (GHSA-w6f2-8wx4-47r5, GHSA-jcq3-cprp-m333)
+   - c3p0 vulnerabilities (GHSA-84p2-vf58-xhxv, GHSA-q485-j897-qc27)
+   - Guava issues (GHSA-5mg8-w23w-74h3, GHSA-7g45-4rm6-3mm3, GHSA-mvr2-9pj6-7w5j)
+
+7. **Outdated/Unmaintained Dependencies** (~8 findings)
+   - [email protected]
+   - [email protected]
+   - org.semver:[email protected]
+   - [email protected]
+
+8. **XML/XXE Vulnerabilities** (~2 findings)
+   - XML External Entity reference
+   - Improper validation in XML processing
+
+9. **Other Security Issues**
+   - Path traversal vulnerability
+   - HTTP response splitting (CRLF injection)
+   - Insecure cookie attributes
+   - External search path issues
+
+## Critical Findings (Top Priority)
+
+### 1. Remote Code Execution - Log4j (CRITICAL)
+- **UUID**: 69399e18795b082838554c39
+- **Description**: GHSA-jfh8-c2jp-5v3q: Remote code injection in Log4j
+- **Impact**: Allows remote attackers to execute arbitrary code
+- **Recommendation**: Upgrade Log4j immediately
+
+### 2. Arbitrary Code Execution - Apache Commons Text (CRITICAL)
+- **UUID**: 69399e18b7e2ab7f7ffb1e40
+- **Description**: GHSA-599f-7c49-w659: Arbitrary code execution
+- **Impact**: Text interpolation vulnerability
+- **Recommendation**: Upgrade to Apache Commons Text 1.10.0+
+
+### 3. Deserialization Vulnerabilities - Log4j (CRITICAL)
+- **UUID**: 69399e18a44507ab48d26b58
+- **Description**: GHSA-2qrg-x229-3v8q: Deserialization of Untrusted Data
+- **Impact**: Remote code execution via deserialization
+- **Recommendation**: Upgrade Log4j to patched version
+
+### 4. Hardcoded Database Passwords (CRITICAL)
+Multiple instances found:
+- UUID: 69399e1866a1e539085842fa
+- UUID: 69399e18a44507ab48d26b67
+- UUID: 69399e183f25cba178991988
+- **Impact**: Credentials exposed in source code
+- **Recommendation**: Use environment variables or secure credential management
+
+### 5. Path Traversal Vulnerability (CRITICAL)
+- **UUID**: 69399e18a44507ab48d26b61
+- **Description**: Path traversal in Java servlet
+- **Impact**: Allows reading arbitrary files from filesystem
+- **Recommendation**: Implement proper path validation and sanitization
+
+### 6. Insecure HTTP URLs (CRITICAL)
+Multiple instances:
+- UUID: 69399e18a44507ab48d26b69
+- UUID: 69399e18795b082838554c51
+- **Impact**: Man-in-the-middle attacks, data interception
+- **Recommendation**: Use HTTPS for all external connections
+
+## High-Risk Findings
+
+### SQL Injection Vulnerabilities (144 HIGH findings)
+Widespread SQL injection vulnerabilities throughout the application:
+- Spring SQL injection via string concatenation
+- Formatted strings in SQL statements
+- Affects multiple servlets and database operations
+
+**Example Finding**:
+- **UUID**: 69399e1866a1e539085842fc
+- **Description**: Spring SQL injection via string operations
+- **Location**: Multiple Java files
+
+**Recommendation**: 
+- Use parameterized queries/prepared statements
+- Implement input validation and sanitization
+- Use ORM frameworks properly (JPA, Hibernate)
+
+### Cryptographic Weaknesses (HIGH)
+- **ECB Mode**: UUID 69399e183f25cba178991986
+- **Weak Padding**: UUID 69399e183f25cba178991995
+- **DESede Insecure**: UUID 69399e18b7e2ab7f7ffb1e4c
+- **MD5/SHA1 Usage**: UUID 69399e1866a1e539085842f3
+
+**Recommendation**: Use AES with GCM mode, proper padding (PKCS7), strong key management
+
+### XXE Vulnerability (HIGH)
+- **UUID**: 69399e18b7e2ab7f7ffb1e5b
+- **Description**: Improper Restriction of XML External Entity Reference
+- **Impact**: Information disclosure, SSRF, DoS
+- **Recommendation**: Disable external entity processing in XML parsers
+
+## Medium-Risk Findings
+
+### Outdated Dependencies
+- [email protected]
+- [email protected]
+- [email protected]
+
+### License Risks
+- [email protected] (MEDIUM)
+
+### Low Activity/Unmaintained Dependencies
+- org.semver:[email protected]
+- [email protected]
+- [email protected]
+
+## Recommendations
+
+### Immediate Actions (Critical)
+1. **Upgrade Log4j**: Update to latest patched version (2.17.1+)
+2. **Remove Hardcoded Passwords**: Use environment variables or secrets management
+3. **Fix Path Traversal**: Implement whitelist-based path validation
+4. **Switch to HTTPS**: Update all HTTP URLs to HTTPS
+
+### Short-term Actions (High)
+1. **Refactor SQL Queries**: Replace string concatenation with parameterized queries
+2. **Update Cryptography**: Replace weak algorithms (DES, MD5) with AES-256-GCM, SHA-256
+3. **Fix XXE**: Configure XML parsers to disable external entities
+4. **XSS Prevention**: Implement output encoding for all user input
+
+### Long-term Actions (Medium/Low)
+1. **Update Dependencies**: Upgrade all outdated libraries
+2. **Dependency Management**: Implement automated vulnerability scanning in CI/CD
+3. **Security Training**: Train developers on secure coding practices
+4. **Code Review**: Implement security-focused code review process
+
+## Detailed Finding UUIDs
+
+All finding UUIDs are available and can be queried individually using:
+```javascript
+endor-labs-get_resource({
+  resource_type: "Finding",
+  uuid: "<finding-uuid>"
+})
+```
+
+For example, to get details about the Log4j remote code injection:
+```javascript
+endor-labs-get_resource({
+  resource_type: "Finding",
+  uuid: "69399e18795b082838554c39"
+})
+```
+
+## Next Steps
+
+1. Review each critical finding in detail
+2. Prioritize fixes based on exploitability and business impact
+3. Create tickets/issues for each category of vulnerabilities
+4. Implement fixes with proper testing
+5. Re-run scan after fixes to verify resolution

call_graph.dot

@@ -0,0 +1,53 @@
+digraph G {
+  "BooksServlet.PreparedStatementDirectPara";
+  "BooksServlet.PreparedStatementDirectParaAsync";
+  "BooksServlet.PreparedStatementDirectParaIdentifier1";
+  "BooksServlet.PreparedStatementDirectParaIdentifier2";
+  "BooksServlet.PreparedStatementDirectParaIdentifier3";
+  "BooksServlet.PreparedStatementEexecuteQuerySQL";
+  "BooksServlet.PreparedStatementEexecuteQuerySQL";
+  "BooksServlet.StoredProcDirectPara";
+  "BooksServlet.StoredProcDirectParaAsync";
+  "BooksServlet.connect";
+  "BooksServlet.connectpsql";
+  "BooksServlet.createRecord";
+  "BooksServlet.doGet";
+  "BooksServlet.doPost";
+  "BooksServlet.executeQuerySQL";
+  "BooksServlet.executeQuerySQL";
+  "BooksServlet.executeSQL";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLWithAutogenkeys";
+  "BooksServlet.executeSQLWithColIndex";
+  "BooksServlet.executeUpdateSQL";
+  "BooksServlet.getCustomerPreparedStatement2";
+  "BooksServlet.getCustomersMultipleStoredProc";
+  "BooksServlet.getCustomersNonvulnerableStoredProc";
+  "BooksServlet.getCustomersPreparedStatement";
+  "BooksServlet.getCustomersPreparedStatementExecute";
+  "BooksServlet.getCustomersPreparedStatementExecuteQuery";
+  "BooksServlet.getCustomersPreparedStatementExecuteUpdate";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc1";
+  "BooksServlet.getCustomersStoredProc2";
+  "BooksServlet.getCustomersStoredProcAsync";
+  "BooksServlet.getCustomersUpdateColName";
+  "BooksServlet.init";
+  "BooksServlet.insertCustomers";
+  "BooksServlet.isNumeric";
+  "BooksServlet.storedproccallbyName";
+  "BooksServlet.storedproccallwithsqlinj";
+  "CallableStatementTask.CallableStatementTask";
+  "CallableStatementTask.call";
+  "PrepareStatementTask.PrepareStatementTask";
+  "PrepareStatementTask.call";
+
+
+  "CallableStatementTask.CallableStatementTask" -> "CallableStatementTask.call";
+  "PrepareStatementTask.PrepareStatementTask" -> "PrepareStatementTask.call";
+
+  }