
Address potential classloader performance issues in JS scripts

Open kingthorin opened this issue 3 months ago • 3 comments

kingthorin avatar Dec 12 '25 16:12 kingthorin

Note: I used `const` in all the changes but didn't change/reduce other uses of `var`. I can, I just wasn't sure if it should be in the same PR.

kingthorin avatar Dec 12 '25 16:12 kingthorin

Checkmarx One – Scan Summary & Details (52f4454d-29a2-46d3-9bcd-4af0422c5656)

New Issues (5)

Checkmarx found the following issues in this Pull Request

| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| HIGH | Last User Is 'root' | /docker-wrapper: 10 | Leaving the last user as root can cause security risks. Change to another user after running the commands that need privileges. (ID: 48tNdC6UziXyOGUccQZn3tPPzi4%3D) |
| LOW | MAINTAINER Instruction Being Used | /docker-wrapper: 3 | The MAINTAINER instruction sets the Author field of the generated images. The LABEL instruction is a much more flexible version of this and you sh... (ID: nlHBIHIr9RZHoVXOgGxJ9hQCHFA%3D) |
| LOW | Unpinned Actions Full Length Commit SHA | /codeql.yml: 31 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... (ID: z89ONTXYaYdPcNUEzfFqPVDqGfU%3D) |
| LOW | Unpinned Actions Full Length Commit SHA | /codeql.yml: 34 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... (ID: wmF9HbZcEd4Px83a0Vg%2BO%2F%2B%2B4BU%3D) |
| LOW | Unpinned Actions Full Length Commit SHA | /codeql.yml: 35 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA help... (ID: ivv4LqDvobLaIQBf4po7RJO0z9E%3D) |
Fixed Issues (2)

Great job! The following issues were fixed in this Pull Request

| Severity | Issue | Source File / Package |
|---|---|---|
| HIGH | ~~CVE-2025-66418~~ | Python-urllib3-2.5.0 |
| HIGH | ~~CVE-2025-66471~~ | Python-urllib3-2.5.0 |

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

psiinon avatar Dec 12 '25 16:12 psiinon

The CX failure is unrelated to the changes.

kingthorin avatar Dec 16 '25 12:12 kingthorin

Think I got all those.

kingthorin avatar Dec 19 '25 14:12 kingthorin

Not all scripts were updated (some still left in the changed scripts), was that on purpose?

thc202 avatar Dec 19 '25 17:12 thc202

I thought I copied the full content from zaproxy/docker will check.

kingthorin avatar Dec 19 '25 17:12 kingthorin

I'm referring to scripts that are just here (e.g. Telerik Using Poor Crypto.js with Base64 and Alert, Capture and Replace Anti CSRF Token.js with ScriptVars).

thc202 avatar Dec 19 '25 17:12 thc202

My search must have missed them, thanks for clarifying.

kingthorin avatar Dec 19 '25 17:12 kingthorin

I just remembered there were a few I left on purpose, like in the extender scripts, because they're only used on install and uninstall or register and unregister, but I guess I should change them all to be consistent.

kingthorin avatar Dec 19 '25 18:12 kingthorin