From f8a09d97b767c6d2e985f938e3deb28b66846fcf Mon Sep 17 00:00:00 2001
From: Steven Susanto
Date: Wed, 18 Feb 2026 13:58:00 -0500
Subject: [PATCH 1/3] PR comment test

PR comment test
---
 VulnerablePythonScript.py | 55 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 VulnerablePythonScript.py

diff --git a/VulnerablePythonScript.py b/VulnerablePythonScript.py
new file mode 100644
index 0000000..ff5f811
--- /dev/null
+++ b/VulnerablePythonScript.py
@@ -0,0 +1,55 @@
+import os
+import subprocess
+import requests
+from flask import Flask, request
+
+app = Flask(__name__)
+
+# Vulnerability 1: Insecure Use of Subprocess (Command Injection)
+@app.route('/ping', methods=['GET'])
+def ping():
+    ip = request.args.get('ip', '')
+    result = subprocess.check_output(['ping', '-c', '4', ip])
+    return result
+
+# Vulnerability 2: Hardcoded Credentials
+USERNAME = 'admin'
+PASSWORD = 'password123'
+
+@app.route('/login', methods=['POST'])
+def login():
+    username = request.form['username']
+    password = request.form['password']
+    if username == USERNAME and password == PASSWORD:
+        return "Login successful"
+    else:
+        return "Login failed", 401
+
+# Vulnerability 3: Insecure Deserialization
+@app.route('/unserialize', methods=['POST'])
+def unserialize():
+    import pickle
+    data = request.data
+    obj = pickle.loads(data)
+    return str(obj)
+
+# Vulnerability 4: Use of Outdated Library with Known Vulnerabilities
+@app.route('/requests_example', methods=['GET'])
+def requests_example():
+    response = requests.get('https://example.com')
+    return response.content
+
+# Vulnerability 5: SQL Injection
+@app.route('/user', methods=['GET'])
+def get_user():
+    user_id = request.args.get('id', '')
+    query = "SELECT * FROM users WHERE id = '" + user_id + "'"
+    result = run_query(query) # This function is not defined but simulates a database query
+    return str(result)
+
+def run_query(query):
+    # Simulating a database query without proper sanitization (SQL Injection risk)
+    return "Query result for: " + query
+
+if __name__ == '__main__':
+    app.run(debug=True)

From c8ab537e5d67381b243b2f9da85ca16e73a52db3 Mon Sep 17 00:00:00 2001
From: Steven Susanto
Date: Wed, 18 Feb 2026 14:15:40 -0500
Subject: [PATCH 2/3] Update main.yml

---
 .github/workflows/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e79e007..b8e5ccc 100644
--- a/.github/workflows/main.yml
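Review bot: Nothing in the new file marks it as a deliberately vulnerable fixture, which the subject ("PR comment test") suggests it is; add a module docstring such as `"""Intentionally vulnerable fixture used to exercise scanner PR comments. Never deploy, import or copy from."""` and keep the file out of any packaging or deploy path. The `Vulnerability 1` label does not match its code: `subprocess.check_output(['ping', '-c', '4', ip])` passes an argv list with no `shell=True`, so it is not shell command injection — the weakness actually present is that `ip` is never validated (e.g. with `ipaddress.ip_address(ip)`), and the comment should say so, otherwise a scanner's finding will not line up with the fixture's catalog. The file also contains findings the catalog does not list, notably `app.run(debug=True)`, which enables the Werkzeug debugger; a `# Vulnerability 6: Debug mode enabled` comment would make the fixture document everything it expects a scanner to report. The literal `PASSWORD = 'password123'` will probably also be picked up by secret scanning or push protection as a separate finding, which is worth noting in the header so the extra alert is expected.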
+++ b/.github/workflows/main.yml
@@ -36,7 +36,7 @@ jobs:
 ### SCANNING OPTIONAL
 polaris_application_name: 'susantoblackduck'
 polaris_project_name: 'PythonProjects'
- polaris_branch_name: 'main'
+ #polaris_branch_name: 'main'
 ### SCANNING OPTIONAL: Pull Request comments
 polaris_prComment_enabled: true

From 967a8d33af3b8cfdf7c65e2b4d75183782825a83 Mon Sep 17 00:00:00 2001
From: Steven Susanto
Date: Wed, 18 Feb 2026 14:20:21 -0500
Subject: [PATCH 3/3] Update main.yml

---
 .github/workflows/main.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b8e5ccc..ab1b491 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -40,6 +40,7 @@ jobs:
 ### SCANNING OPTIONAL: Pull Request comments
 polaris_prComment_enabled: true
+ polaris_branch_parent_name: 'main'
 github_token: ${{ secrets.GITHUB_TOKEN }} # Required when Pull Request comments field enabled
 ### ENABLE OPTIONAL SCAN REPORTS
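Review bot: `polaris_branch_name` is commented out rather than removed in the first main.yml hunk, leaving a dead line in the step's `with:` block; either delete it or record why it is disabled, e.g. `# polaris_branch_name omitted: branch is taken from the PR context when polaris_prComment_enabled is true — TODO confirm against the action docs`. The step this block belongs to starts outside the hunk, so the surrounding inputs cannot be checked here.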