Commit 406558bf authored by GitLab QA's avatar GitLab QA

Create Secure compatible application to serve premade reports

parent 7f3edaf7
include:
template: Dependency-Scanning.gitlab-ci.yml
template: Container-Scanning.gitlab-ci.yml
template: SAST.gitlab-ci.yml
template: DAST.gitlab-ci.yml
template: License-Scanning.gitlab-ci.yml
dependency_scanning:
tags:
- qa
- test
script:
- echo "Skipped"
artifacts:
reports:
dependency_scanning: gl-dependency-scanning-report.json
container_scanning:
tags:
- qa
- test
only: null # Template defaults to feature branches only
variables:
GIT_STRATEGY: fetch # Template defaults to none, which stops fetching the premade report
script:
- echo "Skipped"
artifacts:
reports:
container_scanning: gl-container-scanning-report.json
sast:
tags:
- qa
- test
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
sast: gl-sast-report.json
dast:
tags:
- qa
- test
only: null # Template defaults to feature branches only
script:
- echo "Skipped"
artifacts:
reports:
dast: gl-dast-report.json
license_scanning:
tags:
- qa
- test
script:
- echo "Skipped"
artifacts:
reports:
license_scanning: gl-license-scanning-report.json
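Review bot: Under `include:` the five `template:` entries appear as repeated keys of a single mapping rather than list items (the `- ` marker that the `tags` and `script` lists keep is absent here), so most YAML parsers keep only the last key, `License-Scanning.gitlab-ci.yml`, and the other four templates are never included even though jobs for them are defined below. If the list form was intended, each line should read `- template: Dependency-Scanning.gitlab-ci.yml` and so on. Separately, `dependency_scanning` and `license_scanning` do not carry the `only: null` override the other three jobs use; if those templates also restrict refs, their premade reports will not be uploaded on the same branches as the others. The rendered view drops indentation, so the nesting is inferred from the surviving markers.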
{
"version": "2.3",
"vulnerabilities": [
{
"category": "container_scanning",
"message": "CVE-2017-18269 in glibc",
"description": "Short description to match in specs",
"cve": "debian:9:glibc:CVE-2017-18269",
"severity": "Critical",
"confidence": "Unknown",
"solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-18269",
"value": "CVE-2017-18269",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-18269"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2017-16997 in glibc",
"description": "elf/dl-load.c in the GNU C Library (aka glibc or libc6) 2.19 through 2.26 mishandles RPATH and RUNPATH containing $ORIGIN for a privileged (setuid or AT_SECURE) program, which allows local users to gain privileges via a Trojan horse library in the current working directory, related to the fillin_rpath and decompose_rpath functions. This is associated with misinterpretion of an empty RPATH/RUNPATH token as the \"./\" directory. NOTE: this configuration of RPATH/RUNPATH for a privileged program is apparently very uncommon; most likely, no such program is shipped with any common Linux distribution.",
"cve": "debian:9:glibc:CVE-2017-16997",
"severity": "Critical",
"confidence": "Unknown",
"solution": "Upgrade glibc from 2.24-11+deb9u3 to 2.24-11+deb9u4",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2017-16997",
"value": "CVE-2017-16997",
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2017-16997"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-1000001 in glibc",
"description": "In glibc 2.26 and earlier there is confusion in the usage of getcwd() by realpath() which can be used to write before the destination buffer leading to a buffer underflow and potential code execution.",
"cve": "debian:9:glibc:CVE-2018-1000001",
"severity": "High",
"confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-1000001",
"value": "CVE-2018-1000001",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-1000001"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2016-10228 in glibc",
"description": "The iconv program in the GNU C Library (aka glibc or libc6) 2.25 and earlier, when invoked with the -c option, enters an infinite loop when processing invalid multi-byte input sequences, leading to a denial of service.",
"cve": "debian:9:glibc:CVE-2016-10228",
"severity": "Medium",
"confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2016-10228",
"value": "CVE-2016-10228",
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2016-10228"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-18520 in elfutils",
"description": "An Invalid Memory Address Dereference exists in the function elf_end in libelf in elfutils through v0.174. Although eu-size is intended to support ar files inside ar files, handle_ar in size.c closes the outer ar file before handling all inner entries. The vulnerability allows attackers to cause a denial of service (application crash) with a crafted ELF file.",
"cve": "debian:9:elfutils:CVE-2018-18520",
"severity": "Low",
"confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "elfutils"
},
"version": "0.168-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18520",
"value": "CVE-2018-18520",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18520"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2010-4052 in glibc",
"description": "Stack consumption vulnerability in the regcomp implementation in the GNU C Library (aka glibc or libc6) through 2.11.3, and 2.12.x through 2.12.2, allows context-dependent attackers to cause a denial of service (resource exhaustion) via a regular expression containing adjacent repetition operators, as demonstrated by a {10,}{10,}{10,}{10,} sequence in the proftpd.gnu.c exploit for ProFTPD.",
"cve": "debian:9:glibc:CVE-2010-4052",
"severity": "Low",
"confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "glibc"
},
"version": "2.24-11+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2010-4052",
"value": "CVE-2010-4052",
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2010-4052"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-16869 in nettle",
"description": "A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.",
"cve": "debian:9:nettle:CVE-2018-16869",
"severity": "Unknown",
"confidence": "Unknown",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "nettle"
},
"version": "3.3-1"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-16869",
"value": "CVE-2018-16869",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-16869"
}
]
},
{
"category": "container_scanning",
"message": "CVE-2018-18311 in perl",
"description": "Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations.",
"cve": "debian:9:perl:CVE-2018-18311",
"severity": "Unknown",
"confidence": "Unknown",
"solution": "Upgrade perl from 5.24.1-3+deb9u3 to 5.24.1-3+deb9u5",
"scanner": {
"id": "klar",
"name": "klar"
},
"location": {
"dependency": {
"package": {
"name": "perl"
},
"version": "5.24.1-3+deb9u3"
},
"operating_system": "debian:9",
"image": "registry.gitlab.com/gitlab-org/security-products/dast/webgoat-8.0@sha256:bc09fe2e0721dfaeee79364115aeedf2174cce0947b9ae5fe7c33312ee019a4e"
},
"identifiers": [
{
"type": "cve",
"name": "CVE-2018-18311",
"value": "CVE-2018-18311",
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
],
"links": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2018-18311"
}
]
}
],
"remediations": []
}
{"@generated": "Thu, 12 Sep 2019 22:57:16", "@version": "D-2019-09-02", "site": [{"@port": "80", "@host": "gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "@name": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "alerts": [{"count": "2", "riskdesc": "Low (Medium)", "name": "Cookie Without SameSite Attribute", "reference": "<p>https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site</p>", "sourceid": "3", "confidence": "2", "alert": "Cookie Without SameSite Attribute", "instances": [{"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "param": "JSESSIONID", "method": "GET"}, {"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "param": "JSESSIONID", "method": "GET"}], "pluginid": "10054", "riskcode": "1", "wascid": "13", "solution": "<p>Ensure that the SameSite attribute is set to either 'lax' or ideally 'strict' for all cookies.</p>", "cweid": "16", "desc": "<p>A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. 
The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.</p>"}, {"count": "5", "riskdesc": "Informational (Low)", "name": "Timestamp Disclosure - Unix", "reference": "<p>https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure</p><p>http://projects.webappsec.org/w/page/13246936/Information%20Leakage</p>", "otherinfo": "<p>80000000, which evaluates to: 1972-07-14 22:13:20</p>", "sourceid": "3", "confidence": "1", "alert": "Timestamp Disclosure - Unix", "instances": [{"evidence": "80000000", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "33333333", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "00000000", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "66666667", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}, {"evidence": "42857143", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "method": "GET"}], "pluginid": "10096", "riskcode": "0", "wascid": "13", "solution": "<p>Manually confirm that the timestamp data is not sensitive, and that the data cannot be aggregated to disclose exploitable patterns.</p>", "cweid": "200", "desc": "<p>A timestamp was disclosed by the application/web server - Unix</p>"}, {"count": "4", "riskdesc": "Low (Medium)", "name": "Absence of Anti-CSRF Tokens", "reference": 
"<p>http://projects.webappsec.org/Cross-Site-Request-Forgery</p><p>http://cwe.mitre.org/data/definitions/352.html</p>", "otherinfo": "<p>No known Anti-CSRF token [anticsrf, CSRFToken, __RequestVerificationToken, csrfmiddlewaretoken, authenticity_token, OWASP_CSRFTOKEN, anoncsrf, csrf_token, _csrf, _csrfSecret] was found in the following HTML form: [Form 1: \"username\" \"password\" \"matchingPassword\" \"agree\" ].</p>", "sourceid": "3", "confidence": "2", "alert": "Absence of Anti-CSRF Tokens", "instances": [{"evidence": "<form class=\"form-horizontal\" action=\"/register.mvc\" method=\"POST\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/registration", "method": "GET"}, {"evidence": "<form class=\"form-horizontal\" action=\"/register.mvc\" method=\"POST\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/register.mvc", "method": "POST"}, {"evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/login\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "method": "GET"}, {"evidence": "<form method=\"POST\" style=\"width: 200px;\" action=\"/login\">", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login?error", "method": "GET"}], "pluginid": "10202", "riskcode": "1", "wascid": "9", "solution": "<p>Phase: Architecture and Design</p><p>Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.</p><p>For example, use anti-CSRF packages such as the OWASP CSRFGuard.</p><p></p><p>Phase: Implementation</p><p>Ensure that your application is free of cross-site scripting issues, because most CSRF defenses can be bypassed using attacker-controlled script.</p><p></p><p>Phase: Architecture and Design</p><p>Generate a unique nonce for each form, place 
the nonce into the form, and verify the nonce upon receipt of the form. Be sure that the nonce is not predictable (CWE-330).</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Identify especially dangerous operations. When the user performs a dangerous operation, send a separate confirmation request to ensure that the user intended to perform that operation.</p><p>Note that this can be bypassed using XSS.</p><p></p><p>Use the ESAPI Session Management control.</p><p>This control includes a component for CSRF.</p><p></p><p>Do not use the GET method for any request that triggers a state change.</p><p></p><p>Phase: Implementation</p><p>Check the HTTP Referer header to see if the request originated from an expected page. This could break legitimate functionality, because users or proxies may have disabled sending the Referer for privacy reasons.</p>", "cweid": "352", "desc": "<p>No Anti-CSRF tokens were found in a HTML submission form.</p><p>A cross-site request forgery is an attack that involves forcing a victim to send an HTTP request to a target destination without their knowledge or intent in order to perform an action as the victim. The underlying cause is application functionality using predictable URL/form actions in a repeatable way. The nature of the attack is that CSRF exploits the trust that a web site has for a user. By contrast, cross-site scripting (XSS) exploits the trust that a user has for a web site. Like XSS, CSRF attacks are not necessarily cross-site, but they can be. 
Cross-site request forgery is also known as CSRF, XSRF, one-click attack, session riding, confused deputy, and sea surf.</p><p></p><p>CSRF attacks are effective in a number of situations, including:</p><p> * The victim has an active session on the target site.</p><p> * The victim is authenticated via HTTP auth on the target site.</p><p> * The victim is on the same local network as the target site.</p><p></p><p>CSRF has primarily been used to perform an action against a target site using the victim's privileges, but recent techniques have been discovered to disclose information by gaining access to the response. The risk of information disclosure is dramatically increased when the target site is vulnerable to XSS, because XSS can be used as a platform for CSRF, allowing the attack to operate within the bounds of the same-origin policy.</p>"}, {"count": "2", "riskdesc": "Low (Medium)", "name": "Cookie No HttpOnly Flag", "reference": "<p>http://www.owasp.org/index.php/HttpOnly</p>", "sourceid": "3", "confidence": "2", "alert": "Cookie No HttpOnly Flag", "instances": [{"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "param": "JSESSIONID", "method": "GET"}, {"evidence": "Set-Cookie: JSESSIONID", "uri": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "param": "JSESSIONID", "method": "GET"}], "pluginid": "10010", "riskcode": "1", "wascid": "13", "solution": "<p>Ensure that the HttpOnly flag is set for all cookies.</p>", "cweid": "16", "desc": "<p>A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript. If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site. 
If this is a session cookie then session hijacking may be possible.</p>"}], "@ssl": "false"}], "spider": {"progress": "100", "state": "FINISHED", "result": {"urlsIoError": [], "urlsOutOfScope": ["http://getbootstrap.com/", "http://daneden.me/animate", "http://fontawesome.io/", "https://github.com/twbs/bootstrap/blob/master/LICENSE", "https://github.com/nickpettit/glide", "http://fontawesome.io/license"], "urlsInScope": [{"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/robots.txt", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/sitemap.xml", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/start.mvc", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/main.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": 
"http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/registration", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/plugins/bootstrap/css/bootstrap.min.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/font-awesome.min.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/css/animate.css", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "POST", "statusCode": "302"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/register.mvc", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "POST", "statusCode": "200"}, {"url": "http://gitlab-org-security-products-tests-webgoat.review-get-dast-r-vqezi1.35.194.50.105.xip.io/login?error", "statusReason": "", "reasonNotProcessed": "", "processed": "true", "method": "GET", "statusCode": "200"}]}}}
\ No newline at end of file
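Review bot: The file ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show the last line as changed. The report is also a single minified JSON line, which makes future changes to it effectively unreviewable in a diff; pretty-printing it, as the sibling report files are, would help. The `@host`/`@name`/`uri` values embed an ephemeral review-app hostname with a public IP (`...35.194.50.105.xip.io`); as a fixture this is harmless, but a stable placeholder host would avoid tying the test data to a real environment.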
{
"version": "2.1",
"licenses": [
{
"id": "Apache-2.0",
"name": "Apache License 2.0",
"url": "http://www.apache.org/licenses/LICENSE-2.0.html"
},
{
"id": "MIT",
"name": "MIT License",
"url": "http://opensource.org/licenses/mit-license"
}
],
"dependencies": [
{
"name": "test_dependency",
"version": "0.1.0",
"package_manager": "bundler",
"path": "Gemfile.lock",
"licenses": ["Apache-2.0"]
},
{
"name": "actioncable",
"version": "1.2",
"url": "http://rubyonrails.org",
"package_manager": "bundler",
"description": "WebSocket framework for Rails.",
"path": ".",
"licenses": ["MIT"]
}
]
}
{
"version": "1.2",
"vulnerabilities": [
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 47,
"end_line": 47,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken2"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 47,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 13,
"tool": "bandit"
},
{
"category": "sast",
"message": "Pickle library appears to be in use, possible security issue.",
"cve": "python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 15,
"end_line": 15
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B301",
"value": "B301"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
}
]
}