# Scan Notes: TRON DAO `java-tron`

Date: 2026-02-15
Repo: https://github.com/tronprotocol/java-tron
Program: HackerOne TRON DAO (top-paying export)

## Quick Results

Semgrep (`p/security-audit` + `p/owasp-top-ten`):

- 39 findings total
- 35 are `java.lang.security.audit.xss.no-direct-response-writer.no-direct-response-writer`
  - Mostly servlets printing `JsonFormat.printToString(...)` to `response.getWriter()` (likely false positives for JSON APIs)
- 2 Dockerfile missing `USER` findings
- 1 weak RNG finding; the RNG is used for peer-selection logic (not tokens/sessions)
- 1 "custom digest" engine base class (library code)

Trufflehog (filesystem, filtered, no verification):

- 1 detection in `.git/packed-refs` (false positive)

## Next Places To Look (Manual)

- HTTP API endpoints: input parsing, authz boundaries, and error handling (info leaks)
- Any file I/O / path handling in admin/debug endpoints
- RPC/gRPC exposure and any unsafe deserialization/parsing
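To make the `no-direct-response-writer` triage concrete, here is an added example (constructed for these notes, not code from java-tron) of the servlet shape that rule flags, written so the finding is a genuine false positive. The rule fires on any write of non-constant data to `response.getWriter()`; what decides true vs. false positive is whether the response is declared as `application/json` with an explicit charset and `nosniff` on every path, including error handling, before anything is written. The `javax.servlet` API, the `id` parameter and the `writeJson`/`writeError` helpers are assumptions made for the example.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed example, not java-tron code. Demonstrates why a direct
 * response.getWriter() write in a JSON API is usually a false positive for
 * the Semgrep XSS rule, and what to check before closing the finding.
 */
public class JsonApiServlet extends HttpServlet {

    /**
     * Writes an already-serialised JSON body (in a real API, the output of a
     * protobuf JSON printer such as JsonFormat.printToString). Semgrep still
     * flags the print() below; it is a false positive because the headers set
     * first stop a browser from interpreting the body as HTML. Note that
     * setCharacterEncoding must precede getWriter() to take effect.
     */
    static void writeJson(HttpServletResponse response, int status, String json)
            throws IOException {
        response.setStatus(status);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("X-Content-Type-Options", "nosniff");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.print(json);
        out.flush();
    }

    /**
     * Error path done safely: a fixed error code, no echo of request input,
     * and still JSON. This is the path to inspect during triage: a handler
     * that sets application/json only on success and writes e.getMessage()
     * (which often contains request input) with the container's default
     * text/html content type on failure is the true-positive case.
     */
    static void writeError(HttpServletResponse response, int status, String code)
            throws IOException {
        writeJson(response, status, "{\"error\":\"" + code + "\"}");
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String id = request.getParameter("id");
        if (id == null || !id.matches("[0-9a-fA-F]{1,64}")) {
            // Reject rather than echo: the raw value never reaches the body.
            writeError(response, HttpServletResponse.SC_BAD_REQUEST, "INVALID_ID");
            return;
        }
        // The body is constructed here; a real handler would serialise a
        // protobuf message. id is validated above so it cannot break the JSON
        // framing, but the content type, not the validation, is what keeps
        // the direct write out of XSS territory.
        String body = "{\"id\":\"" + id + "\",\"found\":false}";
        writeJson(response, HttpServletResponse.SC_OK, body);
    }
}
```

When going through the 35 findings, the practical check is therefore per handler, not per rule: confirm the content type is set before the first write on both the success and the exception branch, and look for any branch that writes a caught exception's message or a request parameter with the default content type. Those branches are the ones worth keeping in the manual review list above.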