Commit 44a9231d authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch 'use-raw-file-format' into 'master'

Add RAW file format which is used to store security reports

Closes gitlab-ee#7996

See merge request gitlab-org/gitlab-ce!22365
parents fbb0f712 15cd91c7
...@@ -27,11 +27,15 @@ module Ci ...@@ -27,11 +27,15 @@ module Ci
metadata: :gzip, metadata: :gzip,
trace: :raw, trace: :raw,
junit: :gzip, junit: :gzip,
codequality: :gzip,
sast: :gzip, # All these file formats use `raw` as we need to store them uncompressed
dependency_scanning: :gzip, # for Frontend to fetch the files and do analysis
container_scanning: :gzip, # When they will be only used by backend, they can be `gzipped`.
dast: :gzip codequality: :raw,
sast: :raw,
dependency_scanning: :raw,
container_scanning: :raw,
dast: :raw
}.freeze }.freeze
belongs_to :project belongs_to :project
...@@ -100,7 +104,8 @@ module Ci ...@@ -100,7 +104,8 @@ module Ci
} }
FILE_FORMAT_ADAPTERS = { FILE_FORMAT_ADAPTERS = {
gzip: Gitlab::Ci::Build::Artifacts::GzipFileAdapter gzip: Gitlab::Ci::Build::Artifacts::Adapters::GzipStream,
raw: Gitlab::Ci::Build::Artifacts::Adapters::RawStream
}.freeze }.freeze
def valid_file_format? def valid_file_format?
......
...@@ -30,12 +30,12 @@ module Ci ...@@ -30,12 +30,12 @@ module Ci
def create_reports(reports, expire_in:) def create_reports(reports, expire_in:)
return unless reports&.any? return unless reports&.any?
reports.map do |k, v| reports.map do |report_type, report_paths|
{ {
artifact_type: k.to_sym, artifact_type: report_type.to_sym,
artifact_format: :gzip, artifact_format: ::Ci::JobArtifact::TYPE_AND_FORMAT_PAIRS.fetch(report_type.to_sym),
name: ::Ci::JobArtifact::DEFAULT_FILE_NAMES[k.to_sym], name: ::Ci::JobArtifact::DEFAULT_FILE_NAMES.fetch(report_type.to_sym),
paths: v, paths: report_paths,
when: 'always', when: 'always',
expire_in: expire_in expire_in: expire_in
} }
......
---
title: Make all legacy security reports to use raw format
merge_request:
author:
type: changed
require './spec/support/sidekiq' require './spec/support/sidekiq'
class Gitlab::Seeder::Pipelines class Gitlab::Seeder::Pipelines
STAGES = %w[build test deploy notify] STAGES = %w[build test security deploy notify]
BUILDS = [ BUILDS = [
# build stage # build stage
{ name: 'build:linux', stage: 'build', status: :success, { name: 'build:linux', stage: 'build', status: :success,
...@@ -31,6 +31,16 @@ class Gitlab::Seeder::Pipelines ...@@ -31,6 +31,16 @@ class Gitlab::Seeder::Pipelines
{ name: 'spinach:osx', stage: 'test', status: :failed, allow_failure: true, { name: 'spinach:osx', stage: 'test', status: :failed, allow_failure: true,
queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago }, queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago },
# security stage
{ name: 'dast', stage: 'security', status: :success,
queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago },
{ name: 'sast', stage: 'security', status: :success,
queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago },
{ name: 'dependency_scanning', stage: 'security', status: :success,
queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago },
{ name: 'container_scanning', stage: 'security', status: :success,
queued_at: 8.hour.ago, started_at: 8.hour.ago, finished_at: 7.hour.ago },
# deploy stage # deploy stage
{ name: 'staging', stage: 'deploy', environment: 'staging', status_event: :success, { name: 'staging', stage: 'deploy', environment: 'staging', status_event: :success,
options: { environment: { action: 'start', on_stop: 'stop staging' } }, options: { environment: { action: 'start', on_stop: 'stop staging' } },
...@@ -108,6 +118,11 @@ class Gitlab::Seeder::Pipelines ...@@ -108,6 +118,11 @@ class Gitlab::Seeder::Pipelines
setup_artifacts(build) setup_artifacts(build)
setup_test_reports(build) setup_test_reports(build)
if build.ref == build.project.default_branch
setup_security_reports_file(build)
else
setup_security_reports_legacy_archive(build)
end
setup_build_log(build) setup_build_log(build)
build.project.environments. build.project.environments.
...@@ -143,6 +158,55 @@ class Gitlab::Seeder::Pipelines ...@@ -143,6 +158,55 @@ class Gitlab::Seeder::Pipelines
end end
end end
def setup_security_reports_file(build)
return unless build.stage == "security"
# we have two sources: master and feature-branch
branch_name = build.ref == build.project.default_branch ?
'master' : 'feature-branch'
artifacts_cache_file(security_reports_path(branch_name, build.name)) do |file|
build.job_artifacts.build(
project: build.project,
file_type: build.name,
file_format: :raw,
file: file)
end
end
def setup_security_reports_legacy_archive(build)
return unless build.stage == "security"
# we have two sources: master and feature-branch
branch_name = build.ref == build.project.default_branch ?
'master' : 'feature-branch'
artifacts_cache_file(security_reports_archive_path(branch_name)) do |file|
build.job_artifacts.build(
project: build.project,
file_type: :archive,
file_format: :zip,
file: file)
end
# assign dummy metadata
artifacts_cache_file(artifacts_metadata_path) do |file|
build.job_artifacts.build(
project: build.project,
file_type: :metadata,
file_format: :gzip,
file: file)
end
build.options = {
artifacts: {
paths: [
Ci::JobArtifact::DEFAULT_FILE_NAMES.fetch(build.name.to_sym)
]
}
}
end
def setup_build_log(build) def setup_build_log(build)
if %w(running success failed).include?(build.status) if %w(running success failed).include?(build.status)
build.trace.set(FFaker::Lorem.paragraphs(6).join("\n\n")) build.trace.set(FFaker::Lorem.paragraphs(6).join("\n\n"))
...@@ -190,6 +254,15 @@ class Gitlab::Seeder::Pipelines ...@@ -190,6 +254,15 @@ class Gitlab::Seeder::Pipelines
Rails.root + 'spec/fixtures/junit/junit.xml.gz' Rails.root + 'spec/fixtures/junit/junit.xml.gz'
end end
def security_reports_archive_path(branch)
Rails.root.join('spec', 'fixtures', 'security-reports', branch + '.zip')
end
def security_reports_path(branch, name)
file_name = Ci::JobArtifact::DEFAULT_FILE_NAMES.fetch(name.to_sym)
Rails.root.join('spec', 'fixtures', 'security-reports', branch, file_name)
end
def artifacts_cache_file(file_path) def artifacts_cache_file(file_path)
file = Tempfile.new("artifacts") file = Tempfile.new("artifacts")
file.close file.close
......
module Gitlab
module Ci
module Build
module Artifacts
module Adapters
class GzipStream
attr_reader :stream
InvalidStreamError = Class.new(StandardError)
def initialize(stream)
raise InvalidStreamError, "Stream is required" unless stream
@stream = stream
end
def each_blob
stream.seek(0)
until stream.eof?
gzip(stream) do |gz|
yield gz.read, gz.orig_name
unused = gz.unused&.length.to_i
# pos has already reached to EOF at the moment
# We rewind the pos to the top of unused files
# to read next gzip stream, to support multistream archives
# https://golang.org/src/compress/gzip/gunzip.go#L117
stream.seek(-unused, IO::SEEK_CUR)
end
end
end
private
def gzip(stream, &block)
gz = Zlib::GzipReader.new(stream)
yield(gz)
rescue Zlib::Error => e
raise InvalidStreamError, e.message
ensure
gz&.finish
end
end
end
end
end
end
end
module Gitlab
module Ci
module Build
module Artifacts
module Adapters
class RawStream
attr_reader :stream
InvalidStreamError = Class.new(StandardError)
def initialize(stream)
raise InvalidStreamError, "Stream is required" unless stream
@stream = stream
end
def each_blob
stream.seek(0)
yield(stream.read, 'raw') unless stream.eof?
end
end
end
end
end
end
end
module Gitlab
module Ci
module Build
module Artifacts
class GzipFileAdapter
attr_reader :stream
InvalidStreamError = Class.new(StandardError)
def initialize(stream)
raise InvalidStreamError, "Stream is required" unless stream
@stream = stream
end
def each_blob
stream.seek(0)
until stream.eof?
gzip(stream) do |gz|
yield gz.read, gz.orig_name
unused = gz.unused&.length.to_i
# pos has already reached to EOF at the moment
# We rewind the pos to the top of unused files
# to read next gzip stream, to support multistream archives
# https://golang.org/src/compress/gzip/gunzip.go#L117
stream.seek(-unused, IO::SEEK_CUR)
end
end
end
private
def gzip(stream, &block)
gz = Zlib::GzipReader.new(stream)
yield(gz)
rescue Zlib::Error => e
raise InvalidStreamError, e.message
ensure
gz&.finish
end
end
end
end
end
end
...@@ -119,11 +119,11 @@ FactoryBot.define do ...@@ -119,11 +119,11 @@ FactoryBot.define do
trait :codequality do trait :codequality do
file_type :codequality file_type :codequality
file_format :gzip file_format :raw
after(:build) do |artifact, evaluator| after(:build) do |artifact, evaluator|
artifact.file = fixture_file_upload( artifact.file = fixture_file_upload(
Rails.root.join('spec/fixtures/codequality/codequality.json.gz'), 'application/x-gzip') Rails.root.join('spec/fixtures/codequality/codequality.json'), 'application/json')
end end
end end
......
{
"image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
"unapproved": [
"CVE-2017-15650"
],
"vulnerabilities": [
{
"featurename": "musl",
"featureversion": "1.1.14-r15",
"vulnerability": "CVE-2017-15650",
"namespace": "alpine:v3.4",
"description": "",
"link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15650",
"severity": "Medium",
"fixedby": "1.1.14-r16"
}
]
}
{
"site": {
"alerts": [
{
"sourceid": "3",
"wascid": "15",
"cweid": "16",
"reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://www.owasp.org/index.php/List_of_useful_HTTP_headers</p>",
"otherinfo": "<p>This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At \"High\" threshold this scanner will not alert on client or server error responses.</p>",
"solution": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>",
"count": "2",
"pluginid": "10021",
"alert": "X-Content-Type-Options Header Missing",
"name": "X-Content-Type-Options Header Missing",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>",
"instances": [
{
"param": "X-Content-Type-Options",
"method": "GET",
"uri": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io"
},
{
"param": "X-Content-Type-Options",
"method": "GET",
"uri": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io/"
}
]
}
],
"@ssl": "false",
"@port": "80",
"@host": "bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io",
"@name": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io"
},
"@generated": "Fri, 13 Apr 2018 09:22:01",
"@version": "2.7.0"
}
[
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2012-4387",
"url": "http://struts.apache.org/docs/s2-011.html",
"message": "Long parameter name DoS for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
},
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2013-1966",
"url": "http://struts.apache.org/docs/s2-014.html",
"message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
},
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2013-2115",
"url": "http://struts.apache.org/docs/s2-014.html",
"message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
},
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2013-2134",
"url": "http://struts.apache.org/docs/s2-015.html",
"message": "Arbitrary OGNL code execution via unsanitized wildcard matching for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
}
]
{
"licenses": [
{
"count": 13,
"name": "MIT"
},
{
"count": 2,
"name": "New BSD"
},
{
"count": 1,
"name": "LGPL"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "bundler",
"url": "http://bundler.io",
"description": "The best way to manage your application's dependencies",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "concurrent-ruby",
"url": "http://www.concurrent-ruby.com",
"description": "Modern concurrency tools for Ruby. Inspired by Erlang, Clojure, Scala, Haskell, F#, C#, Java, and classic concurrency patterns.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "connection_pool",
"url": "https://github.com/mperham/connection_pool",
"description": "Generic connection pool for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_portile2",
"url": "http://github.com/flavorjones/mini_portile",
"description": "Simplistic port-like solution for developers",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mustermann",
"url": "https://github.com/sinatra/mustermann",
"description": "Your personal string matching expert.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nokogiri",
"url": "http://nokogiri.org",
"description": "Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "pg",
"url": "https://bitbucket.org/ged/ruby-pg",
"description": "Pg is the Ruby interface to the {PostgreSQL RDBMS}[http://www.postgresql.org/]",
"pathes": [
"."
]
}
},
{
"license": {
"name": "New BSD",
"url": "http://opensource.org/licenses/BSD-3-Clause"
},
"dependency": {
"name": "puma",
"url": "http://puma.io",
"description": "Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack",
"url": "https://rack.github.io/",
"description": "a modular Ruby webserver interface",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack-protection",
"url": "http://github.com/sinatra/sinatra/tree/master/rack-protection",
"description": "Protect against typical web attacks, works with all Rack apps, including Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "redis",
"url": "https://github.com/redis/redis-rb",
"description": "A Ruby client library for Redis",
"pathes": [
"."
]
}
},
{
"license": {
"name": "LGPL",
"url": "http://www.gnu.org/licenses/lgpl.txt"
},
"dependency": {
"name": "sidekiq",
"url": "http://sidekiq.org",
"description": "Simple, efficient background processing for Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sinatra",
"url": "http://www.sinatrarb.com/",
"description": "Classy web-development dressed in a DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "slim",
"url": "http://slim-lang.com/",
"description": "Slim is a template language.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "temple",
"url": "https://github.com/judofyr/temple",
"description": "Template compilation framework in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "tilt",
"url": "http://github.com/rtomayko/tilt/",
"description": "Generic interface to multiple Ruby template engines",
"pathes": [
"."
]
}
}
]
}
[
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 47,
"end_line": 47,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken2"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 47,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:41:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 41,
"end_line": 41,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken1"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 41,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:cb203b465dffb0cb3a8e8bd8910b84b93b0a5995a938e4b903dbb0cd6ffa1254:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 11,
"end_line": 11
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 11,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:a7173c43ae66bd07466632d819d450e0071e02dbf782763640d1092981f9631b:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 12,
"end_line": 12
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 12,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 13,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:45fc8c53aea7b84f06bc4e590cc667678d6073c4c8a1d471177ca2146fb22db2:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 14,
"tool": "bandit"
},
{
"category": "sast",
"message": "Pickle library appears to be in use, possible security issue.",
"cve": "python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 15,
"end_line": 15
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B301",
"value": "B301"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "ECB mode is insecure",
"message": "ECB mode is insecure",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:ECB_MODE",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-ECB_MODE",
"value": "ECB_MODE",
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:63dd4d626855555b816985d82c4614a790462a0a3ada89dc58eb97f9c50f3077:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 14,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:4ad6d4c40a8c263fc265f3384724014e0a4f8dd6200af83e51ff120420038031:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 10,
"end_line": 10
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 10,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-aliases.py:2c3e1fa1e54c3c6646e8bcfaee2518153c6799b77587ff8d9a7b0631f6d34785:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports.py:af58d07f6ad519ef5287fcae65bf1a6999448a1a3a8bc1ac2a11daa80d0b96bf:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports.py:8de9bc98029d212db530785a5f6780cfa663548746ff228ab8fa96c5bb82f089:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:97c30f1d76d2a88913e3ce9ae74087874d740f87de8af697a9c455f01119f633:B106",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 22,
"end_line": 22
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B106",
"value": "B106",
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 22,
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'root'",
"cve": "python/hardcoded/hardcoded-passwords.py:7431c73a0bc16d94ece2a2e75ef38f302574d42c37ac0c3c38ad0b3bf8a59f10:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 5,
"end_line": 5
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 5,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: ''",
"cve": "python/hardcoded/hardcoded-passwords.py:d2d1857c27caedd49c57bfbcdc23afcc92bd66a22701fcdc632869aab4ca73ee:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'ajklawejrkl42348swfgkg'",
"cve": "python/hardcoded/hardcoded-passwords.py:fb3866215a61393a5c9c32a3b60e2058171a23219c353f722cbd3567acab21d2:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 13,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:63c62a8b7e1e5224439bd26b28030585ac48741e28ca64561a6071080c560a5f:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 23,
"end_line": 23
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 23,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:4311b06d08df8fa58229b341c531da8e1a31ec4520597bdff920cd5c098d86f9:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 24,
"end_line": 24
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 24,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-function.py:5858400c2f39047787702de44d03361ef8d954c9d14bd54ee1c2bef9e6a7df93:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-function.py:dbda3cf4190279d30e0aad7dd137eca11272b0b225e8af4e8bf39682da67d956:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:eb8a0db9cd1a8c1ab39a77e6025021b1261cc2a0b026b2f4a11fca4e0636d8dd:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 7,
"end_line": 7
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell",
"cve": "python/imports/imports-aliases.py:f99f9721e27537fbcb6699a4cf39c6740d6234d2c6f06cfc2d9ea977313c483d:B602",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B602",
"value": "B602",
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-from.py:332a12ab1146698f614a905ce6a6a5401497a12281aef200e80522711c69dcf4:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:0a48de4a3d5348853a03666cb574697e3982998355e7a095a798bd02a5947276:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 1,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-aliases.py:51b71661dff994bde3529639a727a678c8f5c4c96f00d300913f6d5be1bbdf26:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 7,
"end_line": 8
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with loads module.",
"cve": "python/imports/imports-aliases.py:6ff02aeb3149c01ab68484d794a94f58d5d3e3bb0d58557ef4153644ea68ea54:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "c/subdir/utils.c:b466873101951fe96e1332f6728eb7010acbbd5dfc3b65d7d53571d091a06d9e:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 4
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "c/subdir/utils.c",
"line": 4,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)",
"cve": "c/subdir/utils.c:bab681140fcc8fc3085b6bba74081b44ea145c1c98b5e70cf19ace2417d30770:CWE-362",
"confidence": "Low",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 8
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-362",
"value": "362",
"url": "https://cwe.mitre.org/data/definitions/362.html"
}
],
"file": "c/subdir/utils.c",
"line": 8,
"url": "https://cwe.mitre.org/data/definitions/362.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "cplusplus/src/hello.cpp:c8c6dd0afdae6814194cf0930b719f757ab7b379cf8f261e7f4f9f2f323a818a:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 6
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 6,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
"cve": "cplusplus/src/hello.cpp:331c04062c4fe0c7c486f66f59e82ad146ab33cdd76ae757ca41f392d568cbd0:CWE-120",
"confidence": "Low",
"solution": "Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 7
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 7,
"url": "https://cwe.mitre.org/data/definitions/120.html",
"tool": "flawfinder"
}
]
{
"image": "registry.gitlab.com/bikebilly/auto-devops-10-6/feature-branch:e7315ba964febb11bac8f5cd6ec433db8a3a1583",
"unapproved": [
"CVE-2017-15651"
],
"vulnerabilities": [
{
"featurename": "musl",
"featureversion": "1.1.14-r15",
"vulnerability": "CVE-2017-15651",
"namespace": "alpine:v3.4",
"description": "",
"link": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15651",
"severity": "Medium",
"fixedby": "1.1.14-r16"
}
]
}
{
"site": {
"alerts": [
{
"sourceid": "3",
"wascid": "15",
"cweid": "16",
"reference": "<p>http://msdn.microsoft.com/en-us/library/ie/gg622941%28v=vs.85%29.aspx</p><p>https://www.owasp.org/index.php/List_of_useful_HTTP_headers</p>",
"otherinfo": "<p>This issue still applies to error type pages (401, 403, 500, etc) as those pages are often still affected by injection issues, in which case there is still concern for browsers sniffing pages away from their actual content type.</p><p>At \"High\" threshold this scanner will not alert on client or server error responses.</p>",
"solution": "<p>Ensure that the application/web server sets the Content-Type header appropriately, and that it sets the X-Content-Type-Options header to 'nosniff' for all web pages.</p><p>If possible, ensure that the end user uses a standards-compliant and modern web browser that does not perform MIME-sniffing at all, or that can be directed by the web application/web server to not perform MIME-sniffing.</p>",
"count": "2",
"pluginid": "10021",
"alert": "X-Content-Type-Options Header Missing",
"name": "X-Content-Type-Options Header Missing",
"riskcode": "1",
"confidence": "2",
"riskdesc": "Low (Medium)",
"desc": "<p>The Anti-MIME-Sniffing header X-Content-Type-Options was not set to 'nosniff'. This allows older versions of Internet Explorer and Chrome to perform MIME-sniffing on the response body, potentially causing the response body to be interpreted and displayed as a content type other than the declared content type. Current (early 2014) and legacy versions of Firefox will use the declared content type (if one is set), rather than performing MIME-sniffing.</p>",
"instances": [
{
"param": "X-Content-Type-Options",
"method": "GET",
"uri": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io"
},
{
"param": "X-Content-Type-Options",
"method": "GET",
"uri": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io/"
}
]
}
],
"@ssl": "false",
"@port": "80",
"@host": "bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io",
"@name": "http://bikebilly-spring-auto-devops-review-feature-br-3y2gpb.35.192.176.43.xip.io"
},
"@generated": "Fri, 13 Apr 2018 09:22:01",
"@version": "2.7.0"
}
[
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2012-4386",
"url": "http://struts.apache.org/docs/s2-010.html",
"message": "CSRF protection bypass for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
},
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2012-4387",
"url": "http://struts.apache.org/docs/s2-011.html",
"message": "Long parameter name DoS for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
},
{
"priority": "Unknown",
"file": "pom.xml",
"cve": "CVE-2013-1966",
"url": "http://struts.apache.org/docs/s2-014.html",
"message": "Remote command execution due to flaw in the includeParams attribute of URL and Anchor tags for org.apache.struts/struts2-core",
"tools": [
"gemnasium"
],
"tool": "gemnasium"
}
]
{
"licenses": [
{
"count": 10,
"name": "MIT"
}
],
"dependencies": [
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mini_portile2",
"url": "http://github.com/flavorjones/mini_portile",
"description": "Simplistic port-like solution for developers",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "mustermann",
"url": "https://github.com/sinatra/mustermann",
"description": "Your personal string matching expert.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "nokogiri",
"url": "http://nokogiri.org",
"description": "Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack",
"url": "https://rack.github.io/",
"description": "a modular Ruby webserver interface",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "rack-protection",
"url": "http://github.com/sinatra/sinatra/tree/master/rack-protection",
"description": "Protect against typical web attacks, works with all Rack apps, including Rails.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "redis",
"url": "https://github.com/redis/redis-rb",
"description": "A Ruby client library for Redis",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "sinatra",
"url": "http://www.sinatrarb.com/",
"description": "Classy web-development dressed in a DSL",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "slim",
"url": "http://slim-lang.com/",
"description": "Slim is a template language.",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "temple",
"url": "https://github.com/judofyr/temple",
"description": "Template compilation framework in Ruby",
"pathes": [
"."
]
}
},
{
"license": {
"name": "MIT",
"url": "http://opensource.org/licenses/mit-license"
},
"dependency": {
"name": "tilt",
"url": "http://github.com/rtomayko/tilt/",
"description": "Generic interface to multiple Ruby template engines",
"pathes": [
"."
]
}
}
]
}
[
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:52865813c884a507be1f152d654245af34aba8a391626d01f1ab6d3f52ec8779:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 1,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:47:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 47,
"end_line": 47,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken2"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 47,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Predictable pseudorandom number generator",
"message": "Predictable pseudorandom number generator",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:41:PREDICTABLE_RANDOM",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 41,
"end_line": 41,
"class": "com.gitlab.security_products.tests.App",
"method": "generateSecretToken1"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-PREDICTABLE_RANDOM",
"value": "PREDICTABLE_RANDOM",
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 41,
"url": "https://find-sec-bugs.github.io/bugs.htm#PREDICTABLE_RANDOM",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:cb203b465dffb0cb3a8e8bd8910b84b93b0a5995a938e4b903dbb0cd6ffa1254:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 11,
"end_line": 11
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 11,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:a7173c43ae66bd07466632d819d450e0071e02dbf782763640d1092981f9631b:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 12,
"end_line": 12
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 12,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:017017b77deb0b8369b6065947833eeea752a92ec8a700db590fece3e934cf0d:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 13,
"tool": "bandit"
},
{
"category": "sast",
"message": "Use of insecure MD2, MD4, or MD5 hash function.",
"cve": "python/imports/imports-aliases.py:45fc8c53aea7b84f06bc4e590cc667678d6073c4c8a1d471177ca2146fb22db2:B303",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B303",
"value": "B303"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 14,
"tool": "bandit"
},
{
"category": "sast",
"message": "Pickle library appears to be in use, possible security issue.",
"cve": "python/imports/imports-aliases.py:5f200d47291e7bbd8352db23019b85453ca048dd98ea0c291260fa7d009963a4:B301",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 15,
"end_line": 15
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B301",
"value": "B301"
}
],
"priority": "Medium",
"file": "python/imports/imports-aliases.py",
"line": 15,
"tool": "bandit"
},
{
"category": "sast",
"name": "ECB mode is insecure",
"message": "ECB mode is insecure",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:ECB_MODE",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-ECB_MODE",
"value": "ECB_MODE",
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#ECB_MODE",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"name": "Cipher with no integrity",
"message": "Cipher with no integrity",
"cve": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy:29:CIPHER_INTEGRITY",
"severity": "Medium",
"confidence": "High",
"scanner": {
"id": "find_sec_bugs",
"name": "Find Security Bugs"
},
"location": {
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"start_line": 29,
"end_line": 29,
"class": "com.gitlab.security_products.tests.App",
"method": "insecureCypher"
},
"identifiers": [
{
"type": "find_sec_bugs_type",
"name": "Find Security Bugs-CIPHER_INTEGRITY",
"value": "CIPHER_INTEGRITY",
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY"
}
],
"priority": "Medium",
"file": "groovy/src/main/java/com/gitlab/security_products/tests/App.groovy",
"line": 29,
"url": "https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY",
"tool": "find_sec_bugs"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:63dd4d626855555b816985d82c4614a790462a0a3ada89dc58eb97f9c50f3077:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 14,
"end_line": 14
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 14,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Probable insecure usage of temp file/directory.",
"cve": "python/hardcoded/hardcoded-tmp.py:4ad6d4c40a8c263fc265f3384724014e0a4f8dd6200af83e51ff120420038031:B108",
"severity": "Medium",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-tmp.py",
"start_line": 10,
"end_line": 10
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B108",
"value": "B108",
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html"
}
],
"priority": "Medium",
"file": "python/hardcoded/hardcoded-tmp.py",
"line": 10,
"url": "https://docs.openstack.org/bandit/latest/plugins/b108_hardcoded_tmp_directory.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-aliases.py:2c3e1fa1e54c3c6646e8bcfaee2518153c6799b77587ff8d9a7b0631f6d34785:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 1,
"end_line": 1
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports.py:af58d07f6ad519ef5287fcae65bf1a6999448a1a3a8bc1ac2a11daa80d0b96bf:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports.py:8de9bc98029d212db530785a5f6780cfa663548746ff228ab8fa96c5bb82f089:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:97c30f1d76d2a88913e3ce9ae74087874d740f87de8af697a9c455f01119f633:B106",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 22,
"end_line": 22
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B106",
"value": "B106",
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 22,
"url": "https://docs.openstack.org/bandit/latest/plugins/b106_hardcoded_password_funcarg.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'root'",
"cve": "python/hardcoded/hardcoded-passwords.py:7431c73a0bc16d94ece2a2e75ef38f302574d42c37ac0c3c38ad0b3bf8a59f10:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 5,
"end_line": 5
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 5,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: ''",
"cve": "python/hardcoded/hardcoded-passwords.py:d2d1857c27caedd49c57bfbcdc23afcc92bd66a22701fcdc632869aab4ca73ee:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'ajklawejrkl42348swfgkg'",
"cve": "python/hardcoded/hardcoded-passwords.py:fb3866215a61393a5c9c32a3b60e2058171a23219c353f722cbd3567acab21d2:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 13,
"end_line": 13
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 13,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:63c62a8b7e1e5224439bd26b28030585ac48741e28ca64561a6071080c560a5f:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 23,
"end_line": 23
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 23,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Possible hardcoded password: 'blerg'",
"cve": "python/hardcoded/hardcoded-passwords.py:4311b06d08df8fa58229b341c531da8e1a31ec4520597bdff920cd5c098d86f9:B105",
"severity": "Low",
"confidence": "Medium",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/hardcoded/hardcoded-passwords.py",
"start_line": 24,
"end_line": 24
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B105",
"value": "B105",
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html"
}
],
"priority": "Low",
"file": "python/hardcoded/hardcoded-passwords.py",
"line": 24,
"url": "https://docs.openstack.org/bandit/latest/plugins/b105_hardcoded_password_string.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-function.py:5858400c2f39047787702de44d03361ef8d954c9d14bd54ee1c2bef9e6a7df93:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 4,
"end_line": 4
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 4,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-function.py:dbda3cf4190279d30e0aad7dd137eca11272b0b225e8af4e8bf39682da67d956:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-function.py",
"start_line": 2,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-function.py",
"line": 2,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:eb8a0db9cd1a8c1ab39a77e6025021b1261cc2a0b026b2f4a11fca4e0636d8dd:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 7,
"end_line": 7
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "subprocess call with shell=True seems safe, but may be changed in the future, consider rewriting without shell",
"cve": "python/imports/imports-aliases.py:f99f9721e27537fbcb6699a4cf39c6740d6234d2c6f06cfc2d9ea977313c483d:B602",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 9,
"end_line": 9
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B602",
"value": "B602",
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 9,
"url": "https://docs.openstack.org/bandit/latest/plugins/b602_subprocess_popen_with_shell_equals_true.html",
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with subprocess module.",
"cve": "python/imports/imports-from.py:332a12ab1146698f614a905ce6a6a5401497a12281aef200e80522711c69dcf4:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with Popen module.",
"cve": "python/imports/imports-from.py:0a48de4a3d5348853a03666cb574697e3982998355e7a095a798bd02a5947276:B404",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-from.py",
"start_line": 1,
"end_line": 2
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B404",
"value": "B404"
}
],
"priority": "Low",
"file": "python/imports/imports-from.py",
"line": 1,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with pickle module.",
"cve": "python/imports/imports-aliases.py:51b71661dff994bde3529639a727a678c8f5c4c96f00d300913f6d5be1bbdf26:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 7,
"end_line": 8
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 7,
"tool": "bandit"
},
{
"category": "sast",
"message": "Consider possible security implications associated with loads module.",
"cve": "python/imports/imports-aliases.py:6ff02aeb3149c01ab68484d794a94f58d5d3e3bb0d58557ef4153644ea68ea54:B403",
"severity": "Low",
"confidence": "High",
"scanner": {
"id": "bandit",
"name": "Bandit"
},
"location": {
"file": "python/imports/imports-aliases.py",
"start_line": 6,
"end_line": 6
},
"identifiers": [
{
"type": "bandit_test_id",
"name": "Bandit Test ID B403",
"value": "B403"
}
],
"priority": "Low",
"file": "python/imports/imports-aliases.py",
"line": 6,
"tool": "bandit"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "c/subdir/utils.c:b466873101951fe96e1332f6728eb7010acbbd5dfc3b65d7d53571d091a06d9e:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 4
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "c/subdir/utils.c",
"line": 4,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents? (CWE-362)",
"cve": "c/subdir/utils.c:bab681140fcc8fc3085b6bba74081b44ea145c1c98b5e70cf19ace2417d30770:CWE-362",
"confidence": "Low",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "c/subdir/utils.c",
"start_line": 8
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-362",
"value": "362",
"url": "https://cwe.mitre.org/data/definitions/362.html"
}
],
"file": "c/subdir/utils.c",
"line": 8,
"url": "https://cwe.mitre.org/data/definitions/362.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues (CWE-119!/CWE-120)",
"cve": "cplusplus/src/hello.cpp:c8c6dd0afdae6814194cf0930b719f757ab7b379cf8f261e7f4f9f2f323a818a:CWE-119!/CWE-120",
"confidence": "Low",
"solution": "Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 6
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-119",
"value": "119",
"url": "https://cwe.mitre.org/data/definitions/119.html"
},
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 6,
"url": "https://cwe.mitre.org/data/definitions/119.html",
"tool": "flawfinder"
},
{
"category": "sast",
"message": "Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120)",
"cve": "cplusplus/src/hello.cpp:331c04062c4fe0c7c486f66f59e82ad146ab33cdd76ae757ca41f392d568cbd0:CWE-120",
"confidence": "Low",
"solution": "Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)",
"scanner": {
"id": "flawfinder",
"name": "Flawfinder"
},
"location": {
"file": "cplusplus/src/hello.cpp",
"start_line": 7
},
"identifiers": [
{
"type": "cwe",
"name": "CWE-120",
"value": "120",
"url": "https://cwe.mitre.org/data/definitions/120.html"
}
],
"file": "cplusplus/src/hello.cpp",
"line": 7,
"url": "https://cwe.mitre.org/data/definitions/120.html",
"tool": "flawfinder"
}
]
require 'spec_helper' require 'spec_helper'
describe Gitlab::Ci::Build::Artifacts::GzipFileAdapter do describe Gitlab::Ci::Build::Artifacts::Adapters::GzipStream do
describe '#initialize' do describe '#initialize' do
context 'when stream is passed' do context 'when stream is passed' do
let(:stream) { File.open(expand_fixture_path('junit/junit.xml.gz'), 'rb') } let(:stream) { File.open(expand_fixture_path('junit/junit.xml.gz'), 'rb') }
......
require 'spec_helper'
describe Gitlab::Ci::Build::Artifacts::Adapters::RawStream do
describe '#initialize' do
context 'when stream is passed' do
let(:stream) { File.open(expand_fixture_path('junit/junit.xml'), 'rb') }
it 'initialized' do
expect { described_class.new(stream) }.not_to raise_error
end
end
context 'when stream is not passed' do
let(:stream) { nil }
it 'raises an error' do
expect { described_class.new(stream) }.to raise_error(described_class::InvalidStreamError)
end
end
end
describe '#each_blob' do
let(:adapter) { described_class.new(stream) }
context 'when file is not empty' do
let(:stream) { File.open(expand_fixture_path('junit/junit.xml'), 'rb') }
it 'iterates content' do
expect { |b| adapter.each_blob(&b) }
.to yield_with_args(fixture_file('junit/junit.xml'), 'raw')
end
end
context 'when file is empty' do
let(:stream) { Tempfile.new }
after do
stream.unlink
end
it 'does not iterate content' do
expect { |b| adapter.each_blob(&b) }
.not_to yield_control
end
end
end
end
...@@ -194,6 +194,14 @@ describe Ci::JobArtifact do ...@@ -194,6 +194,14 @@ describe Ci::JobArtifact do
end end
end end
context 'when file format is raw' do
let(:artifact) { build(:ci_job_artifact, :codequality, file_format: :raw) }
it 'iterates blob once' do
expect { |b| artifact.each_blob(&b) }.to yield_control.once
end
end
context 'when there are no adapters for the file format' do context 'when there are no adapters for the file format' do
let(:artifact) { build(:ci_job_artifact, :junit, file_format: :zip) } let(:artifact) { build(:ci_job_artifact, :junit, file_format: :zip) }
......
...@@ -40,6 +40,7 @@ describe Ci::BuildRunnerPresenter do ...@@ -40,6 +40,7 @@ describe Ci::BuildRunnerPresenter do
context "with reports" do context "with reports" do
Ci::JobArtifact::DEFAULT_FILE_NAMES.each do |file_type, filename| Ci::JobArtifact::DEFAULT_FILE_NAMES.each do |file_type, filename|
context file_type.to_s do
let(:report) { { "#{file_type}": [filename] } } let(:report) { { "#{file_type}": [filename] } }
let(:build) { create(:ci_build, options: { artifacts: { reports: report } } ) } let(:build) { create(:ci_build, options: { artifacts: { reports: report } } ) }
...@@ -47,7 +48,7 @@ describe Ci::BuildRunnerPresenter do ...@@ -47,7 +48,7 @@ describe Ci::BuildRunnerPresenter do
{ {
name: filename, name: filename,
artifact_type: :"#{file_type}", artifact_type: :"#{file_type}",
artifact_format: :gzip, artifact_format: Ci::JobArtifact::TYPE_AND_FORMAT_PAIRS.fetch(file_type),
paths: [filename], paths: [filename],
when: 'always' when: 'always'
} }
...@@ -58,6 +59,7 @@ describe Ci::BuildRunnerPresenter do ...@@ -58,6 +59,7 @@ describe Ci::BuildRunnerPresenter do
end end
end end
end end
end
context "when option has both archive and reports specification" do context "when option has both archive and reports specification" do
let(:report) { { junit: ['junit.xml'] } } let(:report) { { junit: ['junit.xml'] } }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment