MoazEmad1/Hospital-Management-System-RestAPI
https://github.com/MoazEmad1/Hospital-Management-System-RestAPI
Scanned on Mar 29, 2026
AI Assessment
VERDICT
Not production-ready. The scanner detected 2 critical CVEs in core dependencies (Tomcat and Spring Security) plus 33 additional high-severity vulnerabilities concentrated in pom.xml. While no secrets or direct code flaws were found, the dependency layer poses immediate security risk.
TOP RISKS
→ CVE-2025-24813 in org.apache.tomcat.embed:tomcat-embed-core@10.1.12 flagged in pom.xml — critical severity
→ CVE-2024-38821 in org.springframework.security:spring-security-web@6.1.3 flagged in pom.xml — critical severity
→ 15+ high-severity CVEs in tomcat-embed-core@10.1.12 across multiple CVE IDs (CVE-2024-50379, CVE-2025-48988, CVE-2025-53506, etc.) all in pom.xml
→ 7 high-severity CVEs in Spring Framework libraries (spring-web, spring-webmvc, spring-core, spring-security-core) in pom.xml
→ Duplicated code blocks detected across DoctorController.java:5 and AdminController.java:5 (72 lines each)
WHAT TO FIX FIRST
Update org.apache.tomcat.embed:tomcat-embed-core in pom.xml to a version patching CVE-2025-24813. This single library accounts for 18 of the 35 high-severity findings. Verify against your actual code that these are not false positives before deployment, but the volume suggests real version lag.
Secondary priority: Add automated tests and a README file (both flagged as missing under best practices). No CI/CD pipeline was detected.
Category Breakdown
Findings (93 in 75 groups)
Tip: 23 low-severity findings are style suggestions, not security risks.
A package your app depends on (the affected package) has a known security hole. Hackers are actively exploiting this vulnerability in the wild. You need to update it.
The affected dependency in pom.xml has a known vulnerability (CVE-2025-24813: org.apache.tomcat.embed:tomcat-embed-core@10.1.12). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The affected dependency in pom.xml has a known vulnerability (CVE-2024-38821: org.springframework.security:spring-security-web@6.1.3). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The same code is copied in multiple places. If there's a bug in one copy, all the other copies still have it. This makes fixing bugs much harder.
In docker-compose.yml at line 1, duplicated code was detected. Refactor it:
1. Identify the repeated code block
2. Extract it into a shared function with a descriptive name
3. Replace all copies with calls to the new function
4. If the copies differ slightly, add parameters to the function to handle the differences
5. Make sure all existing behavior is preserved after the refactor
A package your app depends on (the affected package) has a known security hole. Hackers can potentially exploit this to compromise your app. You need to update it.
The affected dependency in pom.xml has a known vulnerability (CVE-2023-6378: ch.qos.logback:logback-classic@1.4.11). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
A dependency (ch.qos.logback:logback-classic) uses a license with partial copyleft obligations. You may need to disclose modifications or include license notices.
The dependency ch.qos.logback:logback-classic in pom.xml uses a restrictive license. Fix it:
1. Check if you actually need this package: can you remove it?
2. Look for an alternative package with a permissive license (MIT, Apache-2.0, BSD)
3. Search npmjs.com or libraries.io for replacements with the same functionality
4. If you must keep it, consult a lawyer about your obligations under its license
A dependency (jakarta.annotation:jakarta.annotation-api) uses a copyleft license that could legally force you to open-source your entire project. This is a serious legal risk for commercial or closed-source apps.
The dependency jakarta.annotation:jakarta.annotation-api in pom.xml uses a restrictive license. Fix it:
1. Check if you actually need this package: can you remove it?
2. Look for an alternative package with a permissive license (MIT, Apache-2.0, BSD)
3. Search npmjs.com or libraries.io for replacements with the same functionality
4. If you must keep it, consult a lawyer about your obligations under its license
A dependency (org.hibernate.common:hibernate-commons-annotations) uses a license with partial copyleft obligations. You may need to disclose modifications or include license notices.
The dependency org.hibernate.common:hibernate-commons-annotations in pom.xml uses a restrictive license. Fix it:
1. Check if you actually need this package: can you remove it?
2. Look for an alternative package with a permissive license (MIT, Apache-2.0, BSD)
3. Search npmjs.com or libraries.io for replacements with the same functionality
4. If you must keep it, consult a lawyer about your obligations under its license
The affected dependency in pom.xml has a known vulnerability (GHSA-72hv-8253-57qq: com.fasterxml.jackson.core:jackson-core@2.15.2). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The affected dependency in pom.xml has a known vulnerability (CVE-2023-22102: com.mysql:mysql-connector-j@8.0.33). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything
The affected dependency in pom.xml has a known vulnerability (CVE-2023-46589: org.apache.tomcat.embed:tomcat-embed-core@10.1.12). Update it to a patched version:
1. Run: npm update the affected package (or yarn upgrade the affected package)
2. If that doesn't fix it, check the latest safe version and set it explicitly in package.json
3. Run npm audit to verify the vulnerability is resolved
4. Test your app to make sure the update didn't break anything