Inefficient Regular Expression Complexity

Property
Language: javascript
Severity: medium
CWE: CWE-1333: Inefficient Regular Expression Complexity
OWASP: A05:2021 - Security Misconfiguration
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Medium

Description

The code compiles a regular expression from a value that is not a hardcoded literal, such as a function argument. When that value is user-controlled, the user chooses the pattern itself, not just the text being matched: a pattern with nested or overlapping quantifiers (for example (a+)+$) forces the backtracking engine to do exponential work on a short input that fails to match. Unless the value is escaped or strictly validated before it reaches new RegExp(), this hands an attacker a denial-of-service primitive.

Impact

An attacker who controls the pattern can supply one that triggers catastrophic backtracking (a regular expression denial of service, ReDoS), so a single request pins a CPU core for seconds or minutes. In a single-threaded runtime such as Node.js this blocks the event loop, so every other request stalls as well, denying service to legitimate users.

Inefficient Regular Expression Complexity

Property
Language: python
Severity: low
CWE: CWE-1333: Inefficient Regular Expression Complexity
OWASP: A06:2017 - Security Misconfiguration
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

The code uses a regular expression whose structure, such as nested quantifiers like (a+)+ or alternatives that can match the same text, lets Python's backtracking re engine explore an exponential number of paths on certain inputs. A short, deliberately crafted string that almost matches can then take seconds or longer to reject, which makes the regex a denial-of-service vector even when the pattern itself is hardcoded.

Impact

An attacker could send specially crafted input that causes your application to become unresponsive or crash, leading to lost availability and potential service downtime. This could disrupt users and make your application unreliable or unavailable.

Inefficient Regular Expression Complexity

Property
Language: ruby
Severity: high
CWE: CWE-1333: Inefficient Regular Expression Complexity
OWASP: A03:2017 - Sensitive Data Exposure
Confidence Level: Medium
Impact Level: Medium
Likelihood Level: High

Description

User input is interpolated directly into a Regexp without validation or escaping, so the attacker controls the pattern rather than only the text being matched. A pattern with nested quantifiers makes Ruby's backtracking engine spend exponential time rejecting a short crafted input. Match literal text with Regexp.escape(input) instead, and on Ruby 3.2 or later set Regexp.timeout as a backstop so a runaway match is aborted rather than pinning the process.

Impact

An attacker could cause the application to slow down or become unresponsive (Denial of Service) by submitting malicious input, potentially making the service unavailable to legitimate users and affecting overall system reliability.
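The three ReDoS rules above describe the same two situations: a user-supplied string compiled as a pattern, and a pattern whose nested quantifiers backtrack exponentially. The following is an added example, not code from the rule catalog, written in JavaScript to cover both. It shows the unsafe builder the rules flag, a hardened builder that escapes and length-bounds the term, and a small timer that makes the exponential growth visible on a pattern of the (a+)+$ shape. The function names and the 64-character limit are choices made for this example.

```javascript
// Added example, not code from the rule catalog: the unsafe builder the three
// ReDoS rules flag, the hardened builder, and a way to see backtracking grow.
// MAX_TERM_LENGTH and the function names are choices made for this example.

// The anti-pattern: whatever the caller sends becomes the pattern itself.
function unsafeSearch(userPattern, haystack) {
  return new RegExp(userPattern).test(haystack);
}

// Escape every metacharacter so the term can only match literally.
// This is the character class MDN documents; RegExp.escape() is newer and
// not present in every runtime, so it is spelled out here.
function escapeRegExp(term) {
  return term.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Hardened builder: bound the length, then escape. The user chooses *what*
// text to find, never *how* the engine searches for it.
const MAX_TERM_LENGTH = 64; // assumed limit for this example
function safeSearch(term, haystack) {
  if (typeof term !== "string" || term.length === 0 || term.length > MAX_TERM_LENGTH) {
    throw new RangeError(`search term must be 1-${MAX_TERM_LENGTH} characters`);
  }
  return new RegExp(escapeRegExp(term), "i").test(haystack);
}

// Time a pattern against "aaa...a!" of length n+1. The trailing "!" makes the
// match fail, which forces a backtracking engine to try every way of splitting
// the a's between the nested quantifiers. Keep n small: for (a+)+$ the work
// roughly doubles with every extra character.
function backtrackingMillis(patternSource, n) {
  const re = new RegExp(patternSource);
  const input = "a".repeat(n) + "!";
  const start = performance.now();
  re.test(input);
  return performance.now() - start;
}

// Demo: the same attacker string "(a+)+$" is a live pattern for the unsafe
// builder and plain text for the hardened one.
const evil = "(a+)+$";
console.log("unsafe, pattern compiled:", unsafeSearch(evil, "aaaa"));          // true
console.log("safe, matched literally:", safeSearch(evil, "log line (a+)+$")); // true
console.log("safe, not a pattern:", safeSearch(evil, "aaaa"));                // false
for (const n of [8, 12, 16]) {
  console.log(`(a+)+$ on n=${n}: ${backtrackingMillis(evil, n).toFixed(2)} ms`);
}
```

Raise n in the loop a few steps at a time and watch the milliseconds double; do not jump straight to 30, because that is exactly the input an attacker would send. Escaping fixes the first rule (user-built patterns) but not the second (a hardcoded pattern that backtracks); for that, rewrite the pattern so no two quantifiers can consume the same characters, or move to a linear-time engine.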

Information Loss or Omission

Property
Language: hcl
Severity: low
CWE: CWE-221: Information Loss or Omission
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The DynamoDB table is created without point-in-time recovery (PITR) enabled, so the table cannot be restored to an earlier state if data is accidentally or maliciously changed or deleted. In Terraform, enable it with a point_in_time_recovery { enabled = true } block on the aws_dynamodb_table resource.

Impact

Without PITR there are no continuous backups to roll back to, so an accidental deletion, a deploy that rewrites items, or an attacker with write access to the table results in permanent data loss. With PITR enabled, DynamoDB keeps continuous backups that allow a restore to any second within the preceding 35 days. Losing the data can disrupt application functionality, impact business operations, and compromise data reliability.

Insecure Storage of Sensitive Information

Property
Language: javascript
Severity: low
CWE: CWE-922: Insecure Storage of Sensitive Information
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

Storing a JWT in localStorage makes it readable by any script running in the page's origin, so a single XSS bug lets injected code call localStorage.getItem and send the token to the attacker. Keep session tokens in cookies marked HttpOnly (unreadable from JavaScript), Secure and SameSite instead. Because the browser then attaches the cookie to requests on its own, pair it with CSRF protection such as SameSite=Strict or an anti-CSRF token.

Impact

If an attacker exploits an XSS vulnerability, they could steal JWT tokens from localStorage and use them to impersonate users, access protected data, or perform unauthorized actions in your application, leading to potential data breaches and loss of user trust.
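As an added example that is not part of the rule catalog, the following JavaScript puts the two storage choices side by side: the localStorage write the rule flags and the one-liner an XSS payload needs to read it back, then the Set-Cookie header a server would send to keep the token out of script reach, with the attributes that matter and a parser for reading the cookie back on the server. MemoryStorage stands in for window.localStorage so the code runs under Node; the cookie name "session", the 15-minute lifetime and the token value are assumptions for this example.

```javascript
// Added example, not code from the rule catalog: where a session token lives
// decides which scripts can read it. MemoryStorage simulates localStorage so
// this runs outside a browser; the cookie name and lifetime are assumed.

class MemoryStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// The anti-pattern the rule flags: any script on the origin can read this.
function storeTokenInLocalStorage(storage, token) {
  storage.setItem("jwt", token);
}

// What an injected script does with it: one read, then fetch() to the attacker.
function xssReadToken(storage) {
  return storage.getItem("jwt");
}

// Hardened alternative, set by the server, never touched by page scripts.
// HttpOnly keeps it out of document.cookie; Secure limits it to HTTPS;
// SameSite=Strict stops the browser attaching it to cross-site requests,
// which matters now that the browser, not your code, sends the token.
function sessionCookieHeader(token, maxAgeSeconds = 900) {
  // A compact JWS is base64url segments joined by "."; reject anything else so
  // a token can never smuggle ";" or "=" into the header.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new TypeError("token must be a compact JWS (base64url segments joined by '.')");
  }
  return [
    `session=${token}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Server side: recover the token from the Cookie request header, or null when
// the cookie is absent.
function sessionFromCookieHeader(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === "session") return part.slice(eq + 1).trim();
  }
  return null;
}

// Demo with a constructed placeholder token (not a real signed JWT).
const token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.sig";
const ls = new MemoryStorage();
storeTokenInLocalStorage(ls, token);
console.log("XSS reads localStorage:", xssReadToken(ls) === token); // true
console.log("Set-Cookie:", sessionCookieHeader(token));
console.log("server sees:", sessionFromCookieHeader(`theme=dark; session=${token}`) === token); // true
```

The cookie does not make XSS harmless: injected script can still issue requests that carry the cookie while the victim's tab is open. What it removes is the offline copy of the token, so the attacker's window closes when the session does instead of lasting until the JWT expires.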

Insecure Temporary File

Property
Language: go
Severity: low
CWE: CWE-377: Insecure Temporary File
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: Low
Likelihood Level: Low

Description

The code creates files at fixed or predictable paths directly in the shared /tmp directory instead of using os.CreateTemp (ioutil.TempFile in older Go releases; deprecated since Go 1.16). os.CreateTemp picks a random name and opens it with O_EXCL and mode 0600, so creation fails rather than following a file another user placed there first. A hand-built path does neither, which leaves predictable filenames and a race window in which other users or processes can interfere with or read the file.

Impact

An attacker with access to /tmp can pre-create the expected filename, or plant a symlink to a file your process is allowed to write, before your code runs. Your program then reads attacker-supplied data, overwrites the symlink target, or executes a script the attacker staged, which can leak sensitive data, corrupt files, or lead to code execution and compromise the stability of your application.

Insertion of Sensitive Information into Externally-Accessible File or Directory

Property
Language: dockerfile
Severity: medium
CWE: CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
OWASP: A01:2021 - Broken Access Control
Confidence Level: Low
Impact Level: High
Likelihood Level: Low

Description

Passwords, secrets, tokens and API keys must not be passed as Docker build arguments (ARG in the Dockerfile, --build-arg on the command line). A build argument consumed by a RUN instruction is recorded in that layer's history, so anyone with access to the image can read it with docker history --no-trunc or by inspecting the image metadata, and the value ships with every copy of the image after deployment. Use BuildKit secret mounts instead (RUN --mount=type=secret,id=NAME), which expose the secret to the build step without writing it into a layer.

Insertion of Sensitive Information into Log File

Property
Language: c
Severity: low
CWE: CWE-532: Insertion of Sensitive Information into Log File
OWASP: A09:2021 - Security Logging and Monitoring Failures
Confidence Level: Low
Impact Level: Medium
Likelihood Level: Low

Description

Passing a non-literal string straight to printf, fprintf, syslog or a logging wrapper as the format argument (printf(buf) instead of printf("%s", buf)) lets any % sequences in buf act as format directives. Directives such as %x and %s read values off the stack and print them, so attacker-controlled input can pull memory contents, including secrets, into your output or log file; %n can even write to memory. This is the uncontrolled format string flaw (CWE-134) seen through its effect on logs. Always supply a literal format string and pass variable values as arguments.