Walkthrough

The changes update the widget components to incorporate a new resources property. In the Chart component, the resources prop is passed to the Legend component in both PieChart and BarStack renderings. The Legend component’s props interface is updated to include the resources array, which is then forwarded to the TooltipContent. Additionally, the Tooltip component’s props interface no longer includes the title property. Changes in the dashboard saving hook and the resource formatting utility remove intermediary filtering logic, simplifying the handling of resource data.

Changes

Sequence Diagram(s)

sequenceDiagram
    participant Chart
    participant Legend
    participant TooltipContent

    Chart->>Legend: Render Legend with {..., resources}
    Legend->>TooltipContent: Pass resources via props

Possibly related PRs

• Fix([Resource Status]): Clicking on refresh icon with resource details panel open change resource #5146: The changes in the main PR, which involve adding the resources prop to the Legend component, are related to the modifications in the retrieved PR that also deal with resource handling, specifically in the context of the Listing component.
• Fix([widget-graph] ):Fix display legend when many metrics are selected #5778: The changes in the main PR, which involve adding a resources prop to the Legend component, are related to the modifications in the retrieved PR that also focus on enhancing the Legend component's functionality regarding its display and handling of metrics.
• enh(dashboad): fix and enhance the condensed status grid tooltip #5544: The changes in the main PR, which involve adding the resources prop to the Legend component, are directly related to the modifications in the retrieved PR that enhance the useLoadResources function by removing the call to getFormattedResources, as both PRs deal with the handling and structure of the resources data.

Suggested labels

area/backend

Suggested reviewers

• Yassir-BenBOUBKER
• Noha-ElAbrouki
• quborg
• dmyios

Configuration used: .coderabbit.yml
Review profile: CHILL
Plan: Pro

• 📝 Generate Docstrings

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

-------------------------------------
Found 1 issues of Very High severity.
-------------------------------------
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'): www/include/common/javascript/Timeline/src/main/webapp/api/scripts/timeline.js:134
Details: This call to eval() contains untrusted input or potentially untrusted data. If this input could be modified by an attacker, arbitrary JS code could be executed. Validate all untrusted and untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. In general, avoid executing code derived from untrusted input. References: CWE
https://downloads.veracode.com/securityscan/cwe/v4/java/95.html
---------------------------------
Found 43 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/reporting/dashboard/db-func.php:471
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/servicesservicegroups/xml/servicesummarybysgxml.php:169
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/servicesservicegroups/xml/servicesummarybysgxml.php:267
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query2. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/servicesservicegroups/xml/servicegridbysgxml.php:171
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/servicesservicegroups/xml/servicegridbysgxml.php:248
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query2. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/serviceshostgroups/xml/servicegridbyhgxml.php:173
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq1. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/services/xml/servicesummaryxml.php:157
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq1. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/services/xml/servicegridxml.php:175
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/hosts/xml/hostxml.php:260
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq1. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/monitoring/status/hostgroups/xml/hostgroupxml.php:140
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq1. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configobject/service/listservicebyhostgroup.php:237
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configobject/host/db-func.php:139
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configobject/host/db-func.php:1101
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configobject/contact/db-func.php:667
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable rq. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configknowledge/display-servicetemplates.php:114
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configknowledge/display-services.php:202
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configknowledge/display-hosttemplates.php:111
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configknowledge/display-hosts.php:137
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/configuration/configgenerate/xml/movefiles.php:146
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/vault-functions.php:1525
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request, data from a backend database. The data from the incoming HTTP request, data from a backend database originated from an earlier call to PDOStatement.fetchColumn. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/common-func.php:1815
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request, data from a backend database from the variable query. The data from the incoming HTTP request, data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/common-func.php:1858
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request, data from a backend database from the variable query. The data from the incoming HTTP request, data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/common-func.php:1892
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from a backend database from the variable query. The data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/common-func.php:1992
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request, data from a backend database from the variable query. The data from the incoming HTTP request, data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/common/common-func.php:2021
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from a backend database from the variable query. The data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/include/administration/performance/viewmetrics.php:73
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.query() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to query() contains data from the incoming HTTP request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreontraps.class.php:137
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreontraps.class.php:613
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreonldapadmin.class.php:616
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreonldap.class.php:193
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable queryLdapHostParameters. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreondowntime.class.php:1094
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/class/centreondb.class.php:341
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): www/api/class/webservice.class.php:348
Details: This call to !operator_phprequire() contains a PHP file inclusion flaw. The PHP application receives untrusted input but does not properly restrict the input before using it in require(), include(), or similar functions. This can allow an attacker to specify a URL to a remote location from which the application will retrieve code and execute it. The first argument to !operator_phprequire() contains data from the incoming HTTP request from the variable webService. Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Use allowlists to specify known safe values rather than relying on blocklists to detect malicious input. References: CWE
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): www/api/class/centreon_realtime_base.class.php:88
Details: This call to !operator_phprequire() contains a PHP file inclusion flaw. The PHP application receives untrusted input but does not properly restrict the input before using it in require(), include(), or similar functions. This can allow an attacker to specify a URL to a remote location from which the application will retrieve code and execute it. The first argument to !operator_phprequire() contains data from the incoming HTTP request from the variable targetedFile. Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Use allowlists to specify known safe values rather than relying on blocklists to detect malicious input. References: CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/api/class/centreon_realtime_base.class.php:204
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable queryValuesRetrieval. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'): www/api/class/centreon_configuration_objects.class.php:84
Details: This call to !operator_phprequire() contains a PHP file inclusion flaw. The PHP application receives untrusted input but does not properly restrict the input before using it in require(), include(), or similar functions. This can allow an attacker to specify a URL to a remote location from which the application will retrieve code and execute it. The first argument to !operator_phprequire() contains data from the incoming HTTP request from the variable targetedFile. Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. Use allowlists to specify known safe values rather than relying on blocklists to detect malicious input. References: CWE
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/api/class/centreon_configuration_objects.class.php:223
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable queryValuesRetrieval. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): www/api/class/centreon_configuration_host.class.php:144
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): src/core/platform/infrastructure/repository/dbwriteupdaterepository.php:319
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.query() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to query() contains data arriving over the network from the variable query. The data arriving over the network originated from an earlier call to fgets. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): src/centreon/infrastructure/centreonlegacydb/centreondbadapter.php:107
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from the incoming HTTP request from the variable query. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): src/centreon/infrastructure/centreonlegacydb/centreondbadapter.php:167
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from a backend database from the variable sql. The data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): cron/centacl-func.php:639
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from a backend database from the variable request. The data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): cron/centacl-func.php:674
Details: This database query contains a SQL injection flaw. The call to !php_standard_ns.PDO.prepare() constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. The first argument to prepare() contains data from a backend database from the variable request. The data from a backend database originated from an earlier call to PDOStatement.fetchAll. Avoid dynamically constructing SQL queries. Instead, use parameterized prepared statements to prevent the database from interpreting the contents of bind variables as part of the query. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
---------------------------------------
Skipping 241 issues of Medium severity.
---------------------------------------
------------------------------------
Skipping 108 issues of Low severity.
------------------------------------
---------------------------------------------
Skipping 36 issues of Informational severity.
---------------------------------------------

Total flaws found: 429, New flaws found: 44 as compared to baseline


=========================
FAILURE: Found 44 issues!
=========================