Comments (3)
@kdudka Given the poor quality of the Snyk Code results, I'm quite hesitant to actually enable this scanner for this repository.
edit: typo
@lzaoral I completely agree that statically analyzing C programs without compiling them is a bad idea. But OpenScanHub is written in Python, where such an approach is commonly used by other successful scanners, including Coverity. I would say that the quality of Snyk Code's results for OpenScanHub's code is comparable with some other scanners/linters that we use already:
Error: SNYK_CODE_WARNING (CWE-23):
osh-0.9.5.20231129.205734.g44072c0a/build/lib/osh/client/completion/main.py:65:14: warning[python/PT]: Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
# 63|
# 64| try:
# 65|-> with open(can_path, 'rb') as can:
# 66| can_time = datetime.fromtimestamp(os.path.getmtime(can_path))
# 67| if can_time + timedelta(minutes=5) > datetime.now():
Error: SNYK_CODE_WARNING (CWE-502):
osh-0.9.5.20231129.205734.g44072c0a/build/lib/osh/client/completion/main.py:68:24: warning[python/Deserialization]: Unsanitized input from a command line argument flows into pickle.load, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.
# 66| can_time = datetime.fromtimestamp(os.path.getmtime(can_path))
# 67| if can_time + timedelta(minutes=5) > datetime.now():
# 68|-> return pickle.load(can)
# 69| except OSError:
# 70| pass
Error: SNYK_CODE_WARNING (CWE-23):
osh-0.9.5.20231129.205734.g44072c0a/build/lib/osh/client/completion/main.py:83:9: warning[python/PT]: Unsanitized input from a command line argument flows into pickle.dump, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.
# 81| # store them to cache
# 82| with open(get_can_path(action), 'wb') as can:
# 83|-> pickle.dump(opts, can)
# 84|
# 85| return opts
Error: SNYK_CODE_WARNING (CWE-798):
osh-0.9.5.20231129.205734.g44072c0a/build/lib/osh/hub/settings_local.ci.py:26:9: warning[python/NoHardcodedPasswords]: Do not hardcode passwords in code. Found hardcoded password used in a dictionary key.
# 24| 'NAME': 'openscanhub',
# 25| 'USER': 'openscanhub',
# 26|-> 'PASSWORD': 'velryba',
# 27| 'HOST': 'localhost',
# 28| 'PORT': '5432',
Error: SNYK_CODE_WARNING (CWE-798):
osh-0.9.5.20231129.205734.g44072c0a/build/lib/osh/hub/settings_local.py:28:9: warning[python/NoHardcodedPasswords]: Do not hardcode passwords in code. Found hardcoded password used in a dictionary key.
# 26| 'NAME': 'openscanhub',
# 27| 'USER': 'openscanhub',
# 28|-> 'PASSWORD': 'velryba',
# 29| 'HOST': 'db',
# 30| 'PORT': '5432',
Error: SNYK_CODE_WARNING (CWE-23):
osh-0.9.5.20231129.205734.g44072c0a/osh/client/completion/main.py:65:14: warning[python/PT]: Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
# 63|
# 64| try:
# 65|-> with open(can_path, 'rb') as can:
# 66| can_time = datetime.fromtimestamp(os.path.getmtime(can_path))
# 67| if can_time + timedelta(minutes=5) > datetime.now():
Error: SNYK_CODE_WARNING (CWE-502):
osh-0.9.5.20231129.205734.g44072c0a/osh/client/completion/main.py:68:24: warning[python/Deserialization]: Unsanitized input from a command line argument flows into pickle.load, where it is used to deserialize an object. This may result in an Unsafe Deserialization vulnerability.
# 66| can_time = datetime.fromtimestamp(os.path.getmtime(can_path))
# 67| if can_time + timedelta(minutes=5) > datetime.now():
# 68|-> return pickle.load(can)
# 69| except OSError:
# 70| pass
Error: SNYK_CODE_WARNING (CWE-23):
osh-0.9.5.20231129.205734.g44072c0a/osh/client/completion/main.py:83:9: warning[python/PT]: Unsanitized input from a command line argument flows into pickle.dump, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.
# 81| # store them to cache
# 82| with open(get_can_path(action), 'wb') as can:
# 83|-> pickle.dump(opts, can)
# 84|
# 85| return opts
Error: SNYK_CODE_WARNING (CWE-798):
osh-0.9.5.20231129.205734.g44072c0a/osh/hub/settings_local.ci.py:26:9: warning[python/NoHardcodedPasswords]: Do not hardcode passwords in code. Found hardcoded password used in a dictionary key.
# 24| 'NAME': 'openscanhub',
# 25| 'USER': 'openscanhub',
# 26|-> 'PASSWORD': 'velryba',
# 27| 'HOST': 'localhost',
# 28| 'PORT': '5432',
Error: SNYK_CODE_WARNING (CWE-798):
osh-0.9.5.20231129.205734.g44072c0a/osh/hub/settings_local.py:28:9: warning[python/NoHardcodedPasswords]: Do not hardcode passwords in code. Found hardcoded password used in a dictionary key.
# 26| 'NAME': 'openscanhub',
# 27| 'USER': 'openscanhub',
# 28|-> 'PASSWORD': 'velryba',
# 29| 'HOST': 'db',
# 30| 'PORT': '5432',
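A hardened version of the completion-cache pattern flagged above, as an added example that is not OpenScanHub's code: it confines the cache file to one directory (the CWE-23 findings) and stores the option list as JSON instead of pickle (the CWE-502 finding), keeping the 5-minute freshness check. `CACHE_DIR`, `cache_path`, `load_cached_opts` and `store_opts` are names and an assumed layout chosen for this example.

```python
import json
import os
import time
from pathlib import Path

# Cache location and freshness window are assumptions for this example;
# the 5-minute window mirrors the check in the flagged code.
CACHE_DIR = Path.home() / ".cache" / "completion-example"
MAX_AGE_SECONDS = 5 * 60


def cache_path(action, cache_dir=CACHE_DIR):
    """Map an action name to a file confined to cache_dir (CWE-23).
    Only [A-Za-z0-9_-] is accepted, so '../../etc/passwd' is rejected
    before it can reach open()."""
    if not action or not all(c.isalnum() or c in "-_" for c in action):
        raise ValueError(f"unsafe cache key: {action!r}")
    path = (cache_dir / f"{action}.json").resolve()
    if cache_dir.resolve() not in path.parents:  # belt and braces
        raise ValueError("cache path escaped the cache directory")
    return path


def load_cached_opts(action, cache_dir=CACHE_DIR, now=None):
    """Return the cached option list if fresh, else None.
    JSON replaces pickle (CWE-502): a tampered cache file can at worst
    yield wrong completions, not code execution on load."""
    path = cache_path(action, cache_dir)
    now = time.time() if now is None else now
    try:
        if os.path.getmtime(path) + MAX_AGE_SECONDS < now:
            return None  # stale entry
        with open(path, "r", encoding="utf-8") as can:
            data = json.load(can)
    except (OSError, ValueError):
        return None  # missing, unreadable or corrupt cache
    # json.load returns plain containers; still validate the shape
    if not isinstance(data, list) or not all(isinstance(o, str) for o in data):
        return None
    return data


def store_opts(action, opts, cache_dir=CACHE_DIR):
    """Write the option list for action to the confined cache path."""
    path = cache_path(action, cache_dir)
    path.parent.mkdir(parents=True, exist_ok=True)
    with open(path, "w", encoding="utf-8") as can:
        json.dump(list(opts), can)
    return path
```

Because the cache content is plain JSON, the remaining trust decision is the file's ownership and permissions, which is the same question any per-user cache raises.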