We are using both the Mongoose and Sequelize ORMs in one repository, for PostgreSQL and MongoDB.
We use Veracode to scan for security vulnerabilities. Before installing the Mongoose package, no high vulnerabilities were identified. However, after installing Mongoose, Veracode reported several high vulnerabilities that are not related to any NoSQL queries, but it points to mongoose.Model.findOne / mongoose.Model.update / mongoose.Model.create in the Node.js controller/model files.
It seems that the method names are common to Mongoose and Sequelize, while we need to properly define the schema with field types for the MongoDB queries.
Backend language: Node.js with the Express.js framework
"mongoose": "^8.0.2"
```javascript
const mongoose = require('mongoose');

// Schema for the MongoDB model that Veracode flags on findOne/update/create
const MSchema = new mongoose.Schema({
  Code: { type: String, trim: true, required: true },
  locale: { type: String, trim: true, required: true },
  field1: { type: String },
  field2: [{
    f1Text: { type: String },
    f2Text: { type: String },
    isEnabled: { type: Boolean, default: true },
  }]
});
```
As per the Veracode tool, e.g.:
Type: mongoose.Model.create
Category: Improper Neutralization of Special Elements in Data Query Logic
CWE ID: 943
Exploitability: Likely
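Added example, not code from the question or from Mongoose itself: the CWE-943 finding on findOne/update/create is about untrusted request data reaching the query as an object, so that a value such as `{ "$gt": "" }` is interpreted as an operator rather than a string. The block below shows a whitelist-based filter builder that keeps user-supplied values scalar (field names and types assumed to match MSchema) and a check that rejects operator keys in bodies destined for create/update. Mongoose provides equivalent built-in protection with `mongoose.set('sanitizeFilter', true)` (global, Mongoose 6 and later) or per query via `Model.findOne(filter, null, { sanitizeFilter: true })`; the controller usage at the end is commented because this file runs without a database.

```javascript
// Added example (not from the question): keep request-derived filters scalar
// so that findOne/updateOne never receive operator objects from a client.
// The field list is an assumption that mirrors MSchema in the question.

// Expected scalar type of each field that a client is allowed to filter on.
const FILTER_FIELDS = { Code: 'string', locale: 'string' };

// Build a Mongo filter from untrusted input (e.g. req.query or req.body).
// Unknown keys are dropped; a non-scalar value (object or array) is rejected
// because an object such as { $gt: "" } would be read as a query operator.
function buildFilter(input) {
  if (input === null || typeof input !== 'object' || Array.isArray(input)) {
    throw new TypeError('filter input must be a plain object');
  }
  const filter = {};
  for (const [key, expected] of Object.entries(FILTER_FIELDS)) {
    if (!Object.prototype.hasOwnProperty.call(input, key)) continue;
    const value = input[key];
    if (typeof value !== expected) {
      throw new TypeError(`field "${key}" must be a ${expected}, got ${typeof value}`);
    }
    filter[key] = expected === 'string' ? value.trim() : value;
  }
  return filter;
}

// Defensive check for documents sent to Model.create / Model.updateOne:
// true if any key at any depth begins with '$' or contains '.', which is
// the same class of key that express-mongo-sanitize and Mongoose's
// sanitizeFilter option refuse.
function hasOperatorKeys(value) {
  if (Array.isArray(value)) return value.some(hasOperatorKeys);
  if (value === null || typeof value !== 'object') return false;
  return Object.entries(value).some(([k, v]) =>
    k.startsWith('$') || k.includes('.') || hasOperatorKeys(v));
}

// Usage sketch inside an Express controller (assumed names, commented out
// because this example runs without MongoDB):
//   const filter = buildFilter(req.query);            // throws on bad input
//   const doc = await MModel.findOne(filter);         // scalar-only filter
//   if (hasOperatorKeys(req.body)) return res.status(400).end();
//   await MModel.create(req.body);

module.exports = { buildFilter, hasOperatorKeys };
```

Coercing each filter value to the schema's scalar type, rather than trusting whatever JSON the client sent, is what makes the query logic "properly neutralized" in Veracode's terms; the `sanitizeFilter` option gives the same guarantee inside Mongoose without a custom builder.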