@soos-io/soos-sast
SOOS Static Application Security Testing (SAST) scanning support. Register for a free SOOS trial at https://app.soos.io/register
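The file below is a SARIF 2.1.0 report written by semgrep, the scanner this package drives. Two things about its shape matter to anyone consuming it. First, each entry in `runs[].results` names its rule only by `ruleId` and carries no `level` of its own, so severity has to be looked up in the matching descriptor under `runs[].tool.driver.rules` (`defaultConfiguration.level`; when neither is present the SARIF default is `warning`). Second, that `rules` array lists every rule in the ruleset whether or not it fired (Ruby, Python and Terraform descriptors appear below alongside three JavaScript findings), so it is a lookup table, not a list of findings; the descriptors for the three results are not even among those visible in this excerpt. The `invocations` block also carries a `Syntax error` notification, which a consumer should surface rather than drop, because it means part of the input was never parsed. The consumer below is an added example, not code from @soos-io/soos-sast or semgrep; `SAMPLE_SARIF` is a constructed miniature of this report (the `lib/convert.js` location is invented) and the function names are the example's own.

```javascript
// Added example, not code from @soos-io/soos-sast or semgrep: a small consumer for
// SARIF 2.1.0 reports shaped like the one on this page. Node.js built-ins only.
const LEVEL_RANK = { none: 0, note: 1, warning: 2, error: 3 };

// Constructed miniature of the page's report (not the real file). Only one rule
// descriptor is included so the missing-descriptor fallback gets exercised.
const SAMPLE_SARIF = {
  $schema: "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
  runs: [{
    invocations: [{
      executionSuccessful: true,
      toolExecutionNotifications: [{
        descriptor: { id: "Syntax error" }, level: "warning",
        message: { text: "Syntax error at line image_resizer_semgrep_output.sarif.json:0:\n missing element" },
      }],
    }],
    results: [
      { // no per-result level and no descriptor for this rule -> SARIF default "warning"
        ruleId: "contrib.nodejsscan.crypto_node.node_sha1",
        message: { text: "The SHA1 hashing algorithm is considered to be weak." },
        locations: [{ physicalLocation: { artifactLocation: { uri: "src/streams/response.js" }, region: { startLine: 108 } } }],
      },
      { // an explicit per-result level always wins
        ruleId: "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal",
        level: "note",
        message: { text: "Detected possible user input going into a `path.join` or `path.resolve` function." },
        locations: [{ physicalLocation: { artifactLocation: { uri: "bin/image_resizer.js" }, region: { startLine: 47 } } }],
      },
      { // no per-result level; inherits "error" from the rule's defaultConfiguration
        ruleId: "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
        message: { text: "If unverified user data can reach the `exec` method it can result in Remote Code Execution" },
        locations: [{ physicalLocation: { artifactLocation: { uri: "lib/convert.js" }, region: { startLine: 12 } } }], // constructed path
      },
    ],
    tool: { driver: { name: "semgrep", rules: [{
      id: "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
      defaultConfiguration: { level: "error" },
      properties: { tags: ["CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "LOW CONFIDENCE", "security"] },
    }] } },
  }],
};

// ruleId -> reportingDescriptor. semgrep lists every rule in the ruleset here, fired or
// not, so descriptors are a lookup table to join against results, not findings themselves.
function indexRules(run) {
  return new Map((run?.tool?.driver?.rules ?? []).map((r) => [r.id, r]));
}

// SARIF 2.1.0 section 3.27.10: a result whose kind is not "fail" has level "none"; otherwise
// use result.level, then the rule's defaultConfiguration.level, then "warning".
function effectiveLevel(result, rule) {
  if (result.kind && result.kind !== "fail") return "none";
  return result.level ?? rule?.defaultConfiguration?.level ?? "warning";
}

// semgrep encodes CWEs as free-text tags ("CWE-78: ..."); keep only the identifier.
function cweIds(rule) {
  return (rule?.properties?.tags ?? []).map((t) => /^CWE-\d+/.exec(t)?.[0]).filter(Boolean);
}

// Flatten every result of every run into one triage record each.
function normalizeFindings(sarif) {
  const out = [];
  for (const run of sarif.runs ?? []) {
    const rules = indexRules(run);
    for (const r of run.results ?? []) {
      const rule = rules.get(r.ruleId);
      const loc = r.locations?.[0]?.physicalLocation;
      out.push({
        ruleId: r.ruleId, ruleKnown: rule !== undefined, level: effectiveLevel(r, rule),
        cwe: cweIds(rule), uri: loc?.artifactLocation?.uri ?? "<unknown>",
        line: loc?.region?.startLine ?? 0, message: r.message?.text ?? "",
      });
    }
  }
  return out;
}

// Tool notifications are not findings, but a "Syntax error" means some code was never
// parsed: an empty results list is then not evidence of a clean scan.
function toolNotifications(sarif) {
  return (sarif.runs ?? []).flatMap((run) => (run.invocations ?? []).flatMap((inv) =>
    (inv.toolExecutionNotifications ?? []).map((n) => ({
      id: n.descriptor?.id ?? "", level: n.level ?? "warning", text: n.message?.text ?? "",
      executionSuccessful: inv.executionSuccessful !== false,
    }))));
}

// CI gate: true when any finding is at or above `threshold` ("note" | "warning" | "error").
function shouldFailBuild(findings, threshold = "error") {
  const min = LEVEL_RANK[threshold] ?? LEVEL_RANK.error;
  return findings.some((f) => (LEVEL_RANK[f.level] ?? LEVEL_RANK.warning) >= min);
}

if (typeof require !== "undefined" && require.main === module) {
  const findings = normalizeFindings(SAMPLE_SARIF);
  for (const f of findings) console.log(f.level.padEnd(7), `${f.uri}:${f.line}`, f.ruleId, f.cwe.join(","));
  for (const n of toolNotifications(SAMPLE_SARIF)) console.log("tool", n.level + ":", n.id);
  console.log("fail build at error:", shouldFailBuild(findings, "error"));
}
```

To run it against the real file, replace `SAMPLE_SARIF` with `JSON.parse(fs.readFileSync(file, "utf8"))`. `shouldFailBuild` is the piece to wire into CI; the threshold is deliberately separate from reporting, so `note` and `warning` findings are still listed even when only `error` blocks the build, and `toolNotifications` should be printed on every run regardless of the result count.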
{
"$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
"runs": [
{
"invocations": [
{
"executionSuccessful": true,
"toolExecutionNotifications": [
{
"descriptor": {
"id": "Syntax error"
},
"level": "warning",
"message": {
"text": "Syntax error at line image_resizer_semgrep_output.sarif.json:0:\n missing element"
}
}
]
}
],
"results": [
{
"fingerprints": {
"matchBasedId/v1": "02ff27fd9e6124099780ed1e0bd9763362d74809437d1f49319e82806581d7e23ef41924bd699137004eda91356d5498bad501540be26f469a3347b56e94d0a1_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "src/streams/response.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 45,
"endLine": 108,
"snippet": {
"text": " shasum = crypto.createHash('sha1');"
},
"startColumn": 20,
"startLine": 108
}
}
}
],
"message": {
"text": "The SHA1 hashing algorithm is considered to be weak. If this is used in any sensitive operation such as password hashing, or is used to ensure data integrity (collision sensitive) then you should use a stronger hashing algorithm. For passwords, consider using `Argon2id`, `scrypt`, or `bcrypt`. For data integrity, consider using `SHA-256`"
},
"properties": {},
"ruleId": "contrib.nodejsscan.crypto_node.node_sha1"
},
{
"fingerprints": {
"matchBasedId/v1": "d54c4671782116ee5f450af989ccef772ea4fa27152c691c362335475a8ace86ff967530ee16c1179dafcb5d8b06724ea8c4fcb37ae2ef34ae3747760bc0a4f6_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "bin/image_resizer.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 43,
"endLine": 47,
"snippet": {
"text": " appName = path.basename(path.resolve(dir));"
},
"startColumn": 40,
"startLine": 47
}
}
}
],
"message": {
"text": "Detected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first."
},
"properties": {},
"ruleId": "javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal"
},
{
"fingerprints": {
"matchBasedId/v1": "fa1a34192730484ffeaa5c5c301945a9e5d5df37de61faf43a0f6bffdca38288e652afcb533629b042d76bea1c43df8db12b5b390a54c257e39b395aeb127ab6_0"
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "test.js",
"uriBaseId": "%SRCROOT%"
},
"region": {
"endColumn": 20,
"endLine": 10,
"snippet": {
"text": " app = express(),"
},
"startColumn": 5,
"startLine": 10
}
}
}
],
"message": {
"text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies."
},
"properties": {},
"ruleId": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage"
}
],
"tool": {
"driver": {
"name": "semgrep",
"rules": [
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "AWS AppSync GraphQL Key detected"
},
"help": {
"markdown": "AWS AppSync GraphQL Key detected\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "AWS AppSync GraphQL Key detected"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"id": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"name": "generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-aws-appsync-graphql-key.detected-aws-appsync-graphql-key"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "This rule is deprecated."
},
"help": {
"markdown": "This rule is deprecated.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.mime-type-dos.mime-type-dos)\n - [https://cwe.mitre.org/data/definitions/400.html](https://cwe.mitre.org/data/definitions/400.html)\n",
"text": "This rule is deprecated."
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.mime-type-dos.mime-type-dos",
"id": "ruby.rails.security.audit.mime-type-dos.mime-type-dos",
"name": "ruby.rails.security.audit.mime-type-dos.mime-type-dos",
"properties": {
"precision": "very-high",
"tags": [
"CWE-400: Uncontrolled Resource Consumption",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.mime-type-dos.mime-type-dos"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"help": {
"markdown": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n",
"text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead."
},
"helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"id": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"name": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2",
"properties": {
"precision": "very-high",
"tags": [
"CWE-327: Use of a Broken or Risky Cryptographic Algorithm",
"MEDIUM CONFIDENCE",
"OWASP-A02:2021 - Cryptographic Failures",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`"
},
"help": {
"markdown": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug)\n - [https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/](https://web.archive.org/web/20190919105353/https://blogs.msdn.microsoft.com/prashant_upadhyay/2011/07/14/why-debugfalse-in-asp-net-applications-in-production-environment/)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n",
"text": "ASP.NET applications built with `debug` set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set `debug` to `false` or remove it from `<compilation ... />`"
},
"helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"id": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"name": "csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug",
"properties": {
"precision": "very-high",
"tags": [
"CWE-11: ASP.NET Misconfiguration: Creating Debug Binary",
"LOW CONFIDENCE",
"OWASP-A05:2021 - Security Misconfiguration",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-debug.net-webconfig-debug"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."
},
"help": {
"markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n",
"text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)."
},
"helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"id": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"name": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."
},
"help": {
"markdown": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n",
"text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval",
"id": "python.lang.security.audit.logging.listeneval.listen-eval",
"name": "python.lang.security.audit.logging.listeneval.listen-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "This rule is deprecated."
},
"help": {
"markdown": "This rule is deprecated.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.timing-attack.timing-attack)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_basic_auth_timing_attack.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_basic_auth_timing_attack.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/ANv0HDHEC3k/m/mt7wNGxbFQAJ](https://groups.google.com/g/rubyonrails-security/c/ANv0HDHEC3k/m/mt7wNGxbFQAJ)\n",
"text": "This rule is deprecated."
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.timing-attack.timing-attack",
"id": "ruby.lang.security.timing-attack.timing-attack",
"name": "ruby.lang.security.timing-attack.timing-attack",
"properties": {
"precision": "very-high",
"tags": [
"CWE-208: Observable Timing Discrepancy",
"LOW CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.timing-attack.timing-attack"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information."
},
"help": {
"markdown": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect)\n - [https://flask-login.readthedocs.io/en/latest/#login-example](https://flask-login.readthedocs.io/en/latest/#login-example)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html#dangerous-url-redirect-example-1)\n - [https://docs.python.org/3/library/urllib.parse.html#url-parsing](https://docs.python.org/3/library/urllib.parse.html#url-parsing)\n",
"text": "Data from request is passed to redirect(). This is an open redirect and could be exploited. Consider using 'url_for()' to generate links to known locations. If you must use a URL to unknown pages, consider using 'urlparse()' or similar and checking if the 'netloc' property is the same as your site's host name. See the references for more information."
},
"helpUri": "https://semgrep.dev/r/python.flask.security.open-redirect.open-redirect",
"id": "python.flask.security.open-redirect.open-redirect",
"name": "python.flask.security.open-redirect.open-redirect",
"properties": {
"precision": "very-high",
"tags": [
"CWE-601: URL Redirection to Untrusted Site ('Open Redirect')",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.flask.security.open-redirect.open-redirect"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "Outlook Team detected"
},
"help": {
"markdown": "Outlook Team detected\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n",
"text": "Outlook Team detected"
},
"helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-outlook-team.detected-outlook-team",
"id": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"name": "generic.secrets.security.detected-outlook-team.detected-outlook-team",
"properties": {
"precision": "very-high",
"tags": [
"CWE-798: Use of Hard-coded Credentials",
"LOW CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.secrets.security.detected-outlook-team.detected-outlook-team"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message."
},
"help": {
"markdown": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n",
"text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message."
},
"helpUri": "https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"id": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"name": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration",
"properties": {
"precision": "very-high",
"tags": [
"CWE-345: Insufficient Verification of Data Authenticity",
"MEDIUM CONFIDENCE",
"OWASP-A08:2021 - Software and Data Integrity Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"help": {
"markdown": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n",
"text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation."
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"id": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"name": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk",
"properties": {
"precision": "very-high",
"tags": [
"CWE-320: CWE CATEGORY: Key Management Errors",
"LOW CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks"
},
"help": {
"markdown": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token)\n - [https://docs.djangoproject.com/en/4.2/howto/csrf/](https://docs.djangoproject.com/en/4.2/howto/csrf/)\n",
"text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks"
},
"helpUri": "https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token",
"id": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"name": "python.django.security.django-no-csrf-token.django-no-csrf-token",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"MEDIUM CONFIDENCE",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.django.security.django-no-csrf-token.django-no-csrf-token"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval."
},
"help": {
"markdown": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "Use of eval with user-controllable input detected. This can lead to attackers running arbitrary code. Ensure external data does not reach here, otherwise this is a security vulnerability. Consider other ways to do this without eval."
},
"helpUri": "https://semgrep.dev/r/ruby.lang.security.no-eval.ruby-eval",
"id": "ruby.lang.security.no-eval.ruby-eval",
"name": "ruby.lang.security.no-eval.ruby-eval",
"properties": {
"precision": "very-high",
"tags": [
"CWE-94: Improper Control of Generation of Code ('Code Injection')",
"MEDIUM CONFIDENCE",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: ruby.lang.security.no-eval.ruby-eval"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`."
},
"help": {
"markdown": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled)\n - [https://symfony.com/doc/current/security/csrf.html](https://symfony.com/doc/current/security/csrf.html)\n",
"text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`."
},
"helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"id": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"name": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled",
"properties": {
"precision": "very-high",
"tags": [
"CWE-352: Cross-Site Request Forgery (CSRF)",
"LOW CONFIDENCE",
"OWASP-A01:2021 - Broken Access Control",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project."
},
"help": {
"markdown": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public)\n - [https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html](https://docs.aws.amazon.com/codebuild/latest/userguide/public-builds.html)\n",
"text": "CodeBuild Project $X is set to have a public URL. This will make the build results, logs, artifacts publically accessible, including builds prior to the project being public. Ensure this is acceptable for the project."
},
"helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"id": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"name": "typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public",
"properties": {
"precision": "very-high",
"tags": [
"CWE-306: Missing Authentication for Critical Function",
"MEDIUM CONFIDENCE",
"OWASP-A07:2021 - Identification and Authentication Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: typescript.aws-cdk.security.awscdk-codebuild-project-public.awscdk-codebuild-project-public"
}
},
{
"defaultConfiguration": {
"level": "note"
},
"fullDescription": {
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`."
},
"help": {
"markdown": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n",
"text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`."
},
"helpUri": "https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"id": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"name": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization",
"properties": {
"precision": "very-high",
"tags": [
"CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"LOW CONFIDENCE",
"OWASP-A03:2021 - Injection",
"OWASP-A07:2017 - Cross-Site Scripting (XSS)",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution"
},
"help": {
"markdown": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n",
"text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution"
},
"helpUri": "https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"id": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"name": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection",
"properties": {
"precision": "very-high",
"tags": [
"CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"OWASP-A03:2021 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection"
}
},
{
"defaultConfiguration": {
"level": "error"
},
"fullDescription": {
"text": "This rule is deprecated."
},
"help": {
"markdown": "This rule is deprecated.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unquoted-csv-writer.unquoted-csv-writer)\n - [https://github.com/returntocorp/semgrep-rules/issues/2351](https://github.com/returntocorp/semgrep-rules/issues/2351)\n",
"text": "This rule is deprecated."
},
"helpUri": "https://semgrep.dev/r/python.lang.security.unquoted-csv-writer.unquoted-csv-writer",
"id": "python.lang.security.unquoted-csv-writer.unquoted-csv-writer",
"name": "python.lang.security.unquoted-csv-writer.unquoted-csv-writer",
"properties": {
"precision": "very-high",
"tags": [
"CWE-1236: Improper Neutralization of Formula Elements in a CSV File",
"LOW CONFIDENCE",
"OWASP-A01:2017 - Injection",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: python.lang.security.unquoted-csv-writer.unquoted-csv-writer"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."
},
"help": {
"markdown": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n",
"text": "The AWS configuration aggregator does not aggregate all AWS Config regions. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source."
},
"helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"id": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"name": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions",
"properties": {
"precision": "very-high",
"tags": [
"CWE-778: Insufficient Logging",
"HIGH CONFIDENCE",
"OWASP-A09:2021 - Security Logging and Monitoring Failures",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network."
},
"help": {
"markdown": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request)\n - [https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server](https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server)\n - [https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html](https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html)\n",
"text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network."
},
"helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"id": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"name": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request",
"properties": {
"precision": "very-high",
"tags": [
"CWE-319: Cleartext Transmission of Sensitive Information",
"MEDIUM CONFIDENCE",
"OWASP-A03:2017 - Sensitive Data Exposure",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"help": {
"markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n",
"text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers."
},
"helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"id": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"name": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling",
"properties": {
"precision": "very-high",
"tags": [
"CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')",
"MEDIUM CONFIDENCE",
"OWASP-A04:2021 - Insecure Design",
"security"
]
},
"shortDescription": {
"text": "Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling"
}
},
{
"defaultConfiguration": {
"level": "warning"
},
"fullDescription": {
"text": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly."
},
"help": {
"markdown": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\n<b>References:</b>\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n",
"text": "Don\u2019t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly."
},
"helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name",
"properties": {
"precision": "very-high",
"tags": [