Story #15655: allow downloading reassignment report#3618

Merged

bbenaissa merged 1 commit intodevelopfrom

story_15655_download_reassignment_report

Apr 9, 2026

Collaborator

bbenaissa commented Mar 18, 2026 •

edited

Loading

Description

Allow downloading reassignment report

Contributeur

VAS (Vitam Accessible en Service)

Collaborator

vitam-prg commented Mar 18, 2026 •

edited

Loading

Checkmarx One – Scan Summary & Details – ee0258e6-fd9c-420f-b98d-e8301ac49764

New Issues (782)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		Absolute_Path_Traversal	/api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileController.java: 221	details Method importArchivalProfiles at line 221 of /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileControl... Attack Vector
2		Absolute_Path_Traversal	/api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileController.java: 159	details Method importProfileFile at line 159 of /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileController.... Attack Vector
3		Cleartext_Submission_of_Sensitive_Information	/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/user/service/UserEmailService.java: 110	details Potentially sensitive personal information casResetPasswordUrl, at line 110 of /api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/user/serv... Attack Vector
4		Improper_Restriction_of_XXE_Ref	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The convertStringToXMLDocument loads and parses XML using parse, at line 433 of /api/api-ingest/ingest/src/main/java/fr/gouv/vitamui/ingest/server... Attack Vector
5		Improper_Restriction_of_XXE_Ref	/api/api-ingest/ingest/src/main/java/fr/gouv/vitamui/ingest/server/rest/IngestController.java: 129	details The convertStringToXMLDocument loads and parses XML using parse, at line 433 of /api/api-ingest/ingest/src/main/java/fr/gouv/vitamui/ingest/server... Attack Vector
6		Reflected_XSS	/api/api-archive-search/archive-search/src/main/java/fr/gouv/vitamui/archives/search/server/rest/ArchivesSearchController.java: 308	details The method reassignOriginatingAgency embeds untrusted data in generated output with reassignOriginatingAgency, at line 311 of /api/api-archive-se... Attack Vector
7		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method reassignOriginatingAgency embeds untrusted data in generated output with reassignOriginatingAgency, at line 311 of /api/api-archive-se... Attack Vector
8		Reflected_XSS	/api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/TransactionController.java: 195	details The method reclassification embeds untrusted data in generated output with reclassification, at line 201 of /api/api-collect/collect/src/main/java... Attack Vector
9		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method reclassification embeds untrusted data in generated output with reclassification, at line 201 of /api/api-collect/collect/src/main/java... Attack Vector
10		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method transferRequest embeds untrusted data in generated output with transferRequest, at line 192 of /api/api-archive-search/archive-search... Attack Vector
11		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method updateArchiveUnitsRules embeds untrusted data in generated output with updateArchiveUnitsRules, at line 233 of /api/api-archive-search... Attack Vector
12		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method reclassification embeds untrusted data in generated output with reclassification, at line 263 of /api/api-archive-search/archive-sear... Attack Vector
13		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method exportDIPByCriteria embeds untrusted data in generated output with requestToExportDIP, at line 182 of /api/api-archive-search/archive... Attack Vector
14		Reflected_XSS	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The method computedInheritedRules embeds untrusted data in generated output with computedInheritedRules, at line 243 of /api/api-archive-search/a... Attack Vector
15		Relative_Path_Traversal	/api/api-pastis/pastis-standalone/src/main/java/fr/gouv/vitamui/pastis/standalone/controller/PastisController.java: 196	details Method loadProfile at line 196 of /api/api-pastis/pastis-standalone/src/main/java/fr/gouv/vitamui/pastis/standalone/controller/PastisController.... Attack Vector
16		Open_Redirect	/api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/TransactionController.java: 175	details The potentially tainted value provided by transactionId in /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/TransactionC... Attack Vector
17		Open_Redirect	/api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/TransactionController.java: 176	details The potentially tainted value provided by inputStream in /api/api-collect/collect/src/main/java/fr/gouv/vitamui/collect/server/rest/TransactionCon... Attack Vector
18		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
19		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
20		Open_Redirect	/api/api-pastis/pastis/src/main/java/fr/gouv/vitamui/pastis/server/rest/PastisController.java: 137	details The potentially tainted value provided by notice in /api/api-pastis/pastis/src/main/java/fr/gouv/vitamui/pastis/server/rest/PastisController.java... Attack Vector
21		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
22		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
23		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
24		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
25		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
26		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
27		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 117	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
28		Open_Redirect	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175	details The potentially tainted value provided by getCredentials in /api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/Security... Attack Vector
29		Open_Redirect	/api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationController.java: 144	details The potentially tainted value provided by id in /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/OperationCo... Attack Vector
30		Open_Redirect	/api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileController.java: 140	details The potentially tainted value provided by id in /api/api-referential/referential/src/main/java/fr/gouv/vitamui/referential/server/rest/ProfileCont... Attack Vector
31		Parameter_Tampering	/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/TenantController.java: 130	details Method create at line 130 of /api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/TenantController.java gets user input from element dt... Attack Vector
32		Parameter_Tampering	/api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/TenantController.java: 130	details Method create at line 130 of /api/api-iam/iam/src/main/java/fr/gouv/vitamui/iam/server/rest/TenantController.java gets user input from element dt... Attack Vector

More results are available on the CxOne platform

Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175
	~~Privacy_Violation~~	/api/api-iam/iam-security/src/main/java/fr/gouv/vitamui/iam/security/service/SecurityService.java: 175

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

bbenaissa force-pushed the story_15655_download_reassignment_report branch from 3b1efda to 2e2e5f5 Compare

March 18, 2026 16:41

bbenaissa marked this pull request as ready for review

April 3, 2026 15:23

bbenaissa self-assigned this

bbenaissa added enhancement VAS labels

bbenaissa added this to the IT 167 milestone

bbenaissa force-pushed the story_15655_download_reassignment_report branch 2 times, most recently from 24a7c7b to e0bb287 Compare

April 3, 2026 16:30


          Story #15655: allow downloading reassignment report

18698b8

bbenaissa force-pushed the story_15655_download_reassignment_report branch from e0bb287 to 18698b8 Compare

April 3, 2026 17:30

mkhediri approved these changes

View reviewed changes

lotfivitam approved these changes

View reviewed changes

bbenaissa merged commit 7cff576 into develop

13 checks passed

bbenaissa deleted the story_15655_download_reassignment_report branch

April 9, 2026 13:21

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement VAS