Innovation sprint/autotriage/report issue

[kdenney]

🎟️ Tracking

📔 Objective

📸 Screenshots

[github-actions]

Checkmarx One – Scan Summary & Details – c2861531-8c73-4837-84b3-2d6cfd7d2749

---

New Issues (141)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Stored_XSS	/src/SharedWeb/Health/HealthCheckServiceExtensions.cs: 61	details The method embeds untrusted data in generated output with WriteAsync, at line 60 of /src/SharedWeb/Health/HealthCheckServiceExtensions.cs. This ... Attack Vector
2		Stored_XSS	/util/Server/Startup.cs: 57	details The method embeds untrusted data in generated output with WriteAsync, at line 59 of /util/Server/Startup.cs. This untrusted data is embedded int... Attack Vector
3		CVE-2022-37620	Npm-html-minifier-4.0.0	details Description: A Regular Expression Denial of Service (ReDoS) flaw was found in html-minifier versions 2.1.0 through 4.0.0 via the "candidate" variable in "htmlmi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4		CVE-2025-64756	Npm-glob-10.4.5	details Recommended version: 10.5.0 Description: Glob matches files using patterns the shell uses. In versions 10.2.0 prior to 10.5.0 and 11.0.0 prior to 11.1.0, the glob CLI contains a command in... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
5		CVE-2026-26996	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6		CVE-2026-26996	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
7		CVE-2026-26996	Npm-minimatch-9.0.1	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8		CVE-2026-27903	Npm-minimatch-9.0.1	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9		CVE-2026-27903	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10		CVE-2026-27903	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11		CVE-2026-27904	Npm-minimatch-9.0.5	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
12		CVE-2026-27904	Npm-minimatch-3.1.2	details Recommended version: 3.1.4 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13		CVE-2026-27904	Npm-minimatch-9.0.1	details Recommended version: 9.0.7 Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
14		CVE-2026-29063	Npm-immutable-5.1.3	details Recommended version: 5.1.5 Description: Immutable.js provides many Persistent Immutable data structures. 3.x prior to versions 3.8.3, 4.x prior to versions 4.3.7, and 5.x prior to versio... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
15		CVE-2026-32933	Nuget-AutoMapper-12.0.1	details Recommended version: 15.1.1 Description: AutoMapper is vulnerable to a Denial-of-Service (DoS) attack. Versions prior to 15.1.1 and 16.x prior to 16.1.1, when mapping deeply nested object ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16		CVE-2026-33671	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17		Cxf5fb15b0-6576	Npm-serialize-javascript-6.0.2	details Recommended version: 7.0.3 Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
18		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
19		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 145	details Method at line 145 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from request. T... Attack Vector
20		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
21		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 97	details Method at line 97 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. This... Attack Vector
22		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 229	details Method at line 229 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
23		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1592	details Method at line 1592 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
24		CSRF	/src/Api/Tools/Controllers/SendsController.cs: 73	details Method at line 73 of /src/Api/Tools/Controllers/SendsController.cs gets a parameter from a user request from id. This parameter value flows thro... Attack Vector
25		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307	details Method at line 307 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from organizationUser... Attack Vector
26		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 307	details Method at line 307 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
27		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 128	details Method at line 128 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This p... Attack Vector
28		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 217	details Method at line 217 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
29		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
30		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
31		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
32		CSRF	/src/Api/Public/Controllers/CollectionsController.cs: 91	details Method at line 91 of /src/Api/Public/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value ... Attack Vector
33		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
34		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
35		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
36		CSRF	/src/Api/Controllers/CollectionsController.cs: 176	details Method at line 176 of /src/Api/Controllers/CollectionsController.cs gets a parameter from a user request from model. This parameter value flows ... Attack Vector
37		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
38		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 452	details Method at line 452 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
39		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
40		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 531	details Method at line 531 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
41		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 87	details Method at line 87 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
42		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 107	details Method at line 107 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organiza... Attack Vector
43		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1451	details Method at line 1451 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
44		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 233	details Method at line 233 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
45		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 286	details Method at line 286 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
46		CSRF	/src/Api/Dirt/Controllers/OrganizationReportsController.cs: 189	details Method at line 189 of /src/Api/Dirt/Controllers/OrganizationReportsController.cs gets a parameter from a user request from request. This paramet... Attack Vector
47		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1451	details Method at line 1451 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
48		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1451	details Method at line 1451 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
49		CSRF	/src/Api/AdminConsole/Controllers/GroupsController.cs: 289	details Method at line 289 of /src/Api/AdminConsole/Controllers/GroupsController.cs gets a parameter from a user request from orgUserId. This parameter ... Attack Vector
50		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1419	details Method at line 1419 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
51		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1480	details Method at line 1480 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
52		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1184	details Method at line 1184 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
53		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1068	details Method at line 1068 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector
54		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1317	details Method at line 1317 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from organizationId. This parameter ... Attack Vector
55		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 399	details Method at line 399 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
56		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 390	details Method at line 390 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from model. This par... Attack Vector
57		CSRF	/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs: 390	details Method at line 390 of /src/Api/AdminConsole/Controllers/OrganizationUsersController.cs gets a parameter from a user request from id. This parame... Attack Vector
58		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 95	details Method at line 95 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
59		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 82	details Method at line 82 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
60		CSRF	/src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs: 76	details Method at line 76 of /src/Api/Billing/Controllers/VNext/AccountBillingVNextController.cs gets a parameter from a user request from user. This pa... Attack Vector
61		CSRF	/src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs: 49	details Method at line 49 of /src/Api/Billing/Controllers/VNext/OrganizationBillingVNextController.cs gets a parameter from a user request from organizat... Attack Vector
62		CSRF	/src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs: 40	details Method at line 40 of /src/Api/Billing/Controllers/VNext/ProviderBillingVNextController.cs gets a parameter from a user request from provider. Th... Attack Vector
63		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1262	details Method at line 1262 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flo... Attack Vector
64		CSRF	/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs: 173	details Method at line 173 of /src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs gets a parameter from a user request from model. Thi... Attack Vector
65		CSRF	/src/Api/Vault/Controllers/SecurityTaskController.cs: 66	details Method at line 66 of /src/Api/Vault/Controllers/SecurityTaskController.cs gets a parameter from a user request from taskId. This parameter value... Attack Vector
66		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 721	details Method at line 721 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from request. This parameter value fl... Attack Vector
67		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 192	details Method at line 192 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
68		CSRF	/src/Api/Auth/Controllers/EmergencyAccessController.cs: 173	details Method at line 173 of /src/Api/Auth/Controllers/EmergencyAccessController.cs gets a parameter from a user request from model. This parameter val... Attack Vector
69		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 385	details Method at line 385 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
70		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 412	details Method at line 412 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
71		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 641	details Method at line 641 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
72		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 664	details Method at line 664 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
73		CSRF	/src/Api/Auth/Controllers/AccountsController.cs: 126	details Method at line 126 of /src/Api/Auth/Controllers/AccountsController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
74		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 853	details Method at line 853 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
75		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 853	details Method at line 853 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
76		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 853	details Method at line 853 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows t... Attack Vector
77		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 853	details Method at line 853 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from model. This parameter value flow... Attack Vector
78		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 67	details Method at line 67 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
79		CSRF	/src/Api/NotificationCenter/Controllers/NotificationsController.cs: 61	details Method at line 61 of /src/Api/NotificationCenter/Controllers/NotificationsController.cs gets a parameter from a user request from id. This param... Attack Vector
80		CSRF	/src/Api/Vault/Controllers/CiphersController.cs: 1480	details Method at line 1480 of /src/Api/Vault/Controllers/CiphersController.cs gets a parameter from a user request from id. This parameter value flows ... Attack Vector

More results are available on the CxOne platform

[codecov]

Codecov Report

❌ Patch coverage is 38.83929% with 137 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (innovation/autofill-triage@9624483). Learn more about missing BASE report.

Files with missing lines	Patch %	Lines
src/Admin/Views/AutofillTriage/Details.cshtml	0.00%	62 Missing ⚠️
src/Admin/Views/AutofillTriage/Index.cshtml	0.00%	23 Missing ⚠️
...ill/Repositories/AutofillTriageReportRepository.cs	0.00%	20 Missing ⚠️
...ill/Repositories/AutofillTriageReportRepository.cs	0.00%	17 Missing ⚠️
src/Admin/Models/AutofillTriageFieldResultModel.cs	0.00%	12 Missing ⚠️
src/Admin/Views/Shared/_Layout.cshtml	0.00%	3 Missing ⚠️

Additional details and impacted files

@@                      Coverage Diff                      @@
##             innovation/autofill-triage    #7337   +/-   ##
=============================================================
  Coverage                              ?   61.98%           
=============================================================
  Files                                 ?     2058           
  Lines                                 ?    90354           
  Branches                              ?     8050           
=============================================================
  Hits                                  ?    56007           
  Misses                                ?    32400           
  Partials                              ?     1947           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR adds a new autofill triage report feature spanning the full stack: a public API endpoint for clients to submit reports, database schema with stored procedures and EF migrations, and an Admin panel for viewing/archiving reports. The implementation follows existing Bitwarden patterns (command pattern, Dapper + EF dual-ORM, feature flags, rate limiting). Input validation is solid with [Url], [MaxLength], [ValidJsonArray], and HtmlEncodingStringConverter applied appropriately. Good test coverage across unit and integration tests.

Code Review Details

• ⚠️ : ReportData not HTML-encoded on input — future rendering must always go through Razor encoding or explicit HTML-encoding to remain safe
  • src/Api/Autofill/Models/AutofillTriageReportRequestModel.cs:28-30
• 🎨 : SQL NVARCHAR(MAX) vs C# [MaxLength(51200)] mismatch on ReportData — consider NVARCHAR(51200) for defense-in-depth
  • src/Sql/dbo/Autofill/Tables/AutofillTriageReport.sql:6
• 🎨 : Admin pagination parameters not bounds-checked — negative page values cause SQL errors on OFFSET
  • src/Admin/Controllers/AutofillTriageController.cs:21-23
• ❓ : PR description is empty — no tracking link, objective, or test plan provided

[sonarqubecloud]

Quality Gate passed

Issues
14 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
5.0% Duplication on New Code

See analysis details on SonarQube Cloud