MoazEmad1/Hospital-Management-System-RestAPI

https://github.com/MoazEmad1/Hospital-Management-System-RestAPI

Scanned on Mar 16, 2026

2 Critical
30 High
26 Medium
23 Low

AI Assessment

VERDICT

Not production-ready. The repository has two critical CVE vulnerabilities in core dependencies (Tomcat and Spring Security) plus 63 unresolved dependency issues spanning 30 high-severity CVEs. Automated testing infrastructure is also missing entirely.

TOP RISKS

→ CVE-2025-24813 in org.apache.tomcat.embed:tomcat-embed-core@10.1.12 flagged in pom.xml — critical severity vulnerability in embedded web server.

→ CVE-2024-38821 in org.springframework.security:spring-security-web@6.1.3 flagged in pom.xml — critical severity vulnerability in authentication framework.

→ 30 high-severity CVEs across Spring Framework, Spring Security, and Tomcat dependencies flagged in pom.xml — including CVE-2023-6378 in logback and multiple Spring component vulnerabilities.

→ Duplicated code block (72 lines) detected across DoctorController.java and AdminController.java plus docker-compose.yml — reduces maintainability and increases bug surface.

→ No test suite detected and no README file — missing fundamental production readiness markers and documentation.

WHAT TO FIX FIRST

Update org.apache.tomcat.embed:tomcat-embed-core from 10.1.12 in pom.xml. This single dependency has accumulated 15+ CVEs (critical, high, and medium severity) and upgrading to a patched version would eliminate a substantial portion of the vulnerability load.

Note: Verify the critical CVEs against your actual code. Some may be false positives if the affected code paths are never exercised by this application. The dependency upgrades are still mandatory for any production deployment.


Category Breakdown

Security: 300/300
Secrets & Credentials: 200/200
Dependencies: 0/150 (63 findings)
Code Quality: 88/100 (11 findings)
Best Practices: 87/100 (7 findings)

Findings (81 in 70 groups)

tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT | Fix available: 11.0.3, 10.1.35, 9.0.99 | Package: org.apache.tomcat.embed:tomcat-embed-core (pom) | https://avd.aquasec.com/nvd/cve-2025-24813

Affected files

pom.xml

Spring-WebFlux: Authorization Bypass of Static Resources in WebFlux Applications | Fix available: 5.7.13, 5.8.15, 6.2.7, 6.0.13, 6.1.11, 6.3.4 | Package: org.springframework.security:spring-security-web (pom) | https://avd.aquasec.com/nvd/cve-2024-38821

Affected files

pom.xml

Duplicate found between docker-compose.yml:1 and target/classes/docker-compose.yml:1. Consider extracting shared logic into a reusable function or module.

Affected files

docker-compose.yml (line 1)
src/main/java/com/example/hospital/controller/DoctorController.java (line 5)
src/main/java/com/example/hospital/controller/AdminController.java (line 5)
src/main/java/com/example/hospital/controller/AuthController.java (line 65)
src/main/java/com/example/hospital/mapper/UserMapper.java (line 1)
src/main/java/com/example/hospital/controller/ReservationController.java (line 73)
src/main/java/com/example/hospital/controller/DoctorController.java (line 38)
src/main/java/com/example/hospital/controller/AdminController.java (line 39)
src/main/java/com/example/hospital/controller/PatientSurgeryController.java (line 6)
src/main/java/com/example/hospital/controller/ReservationController.java (line 4)

logback: serialization vulnerability in logback receiver | Fix available: 1.3.12, 1.4.12, 1.2.13 | Package: ch.qos.logback:logback-classic (pom) | https://avd.aquasec.com/nvd/cve-2023-6378

Affected files

pom.xml

jackson-core: Number Length Constraint Bypass in Async Parser Leads to Potential DoS Condition | Fix available: 2.18.6, 2.21.1, 3.1.0 | Package: com.fasterxml.jackson.core:jackson-core (pom) | https://github.com/advisories/GHSA-72hv-8253-57qq

Affected files

pom.xml

mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2023) | Fix available: 8.2.0 | Package: com.mysql:mysql-connector-j (pom) | https://avd.aquasec.com/nvd/cve-2023-22102

Affected files

pom.xml

tomcat: HTTP request smuggling via malformed trailer headers | Fix available: 11.0.0-M11, 10.1.16, 9.0.83, 8.5.96 | Package: org.apache.tomcat.embed:tomcat-embed-core (pom) | https://avd.aquasec.com/nvd/cve-2023-46589

Affected files

pom.xml

tomcat: Improper Handling of Exceptional Conditions | Fix available: 11.0.0-M21, 10.1.25, 9.0.90 | Package: org.apache.tomcat.embed:tomcat-embed-core (pom) | https://avd.aquasec.com/nvd/cve-2024-34750

Affected files

pom.xml

tomcat: RCE due to TOCTOU issue in JSP compilation | Fix available: 11.0.2, 10.1.34, 9.0.98 | Package: org.apache.tomcat.embed:tomcat-embed-core (pom) | https://avd.aquasec.com/nvd/cve-2024-50379

Affected files

pom.xml

tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation | Fix available: 11.0.2, 10.1.34, 9.0.98 | Package: org.apache.tomcat.embed:tomcat-embed-core (pom) | https://avd.aquasec.com/nvd/cve-2024-56337

Affected files

pom.xml

ShipScanner score: B 610
Report: https://shipscanner.dev/report/cmmt5z5lm0009kt04q3fryxg1