diff --git a/.coverage b/.coverage index c708d82..e0caa2b 100644 Binary files a/.coverage and b/.coverage differ diff --git a/.gitignore b/.gitignore index 4cbcde5..8799c70 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,7 @@ dist/ __pycache__/ **/*.pyc **/.DS_Store +ssvc.cdx.json +osv.sarif.json +semgrep.sarif.json +src/ssvc.egg-info/ diff --git a/.python-version b/.python-version new file mode 100644 index 0000000..24ee5b1 --- /dev/null +++ b/.python-version @@ -0,0 +1 @@ +3.13 diff --git a/Makefile b/Makefile index e9ea235..40c8d5d 100644 --- a/Makefile +++ b/Makefile @@ -15,39 +15,33 @@ clean: ## Cleanup tmp files @find . -type f -name '*.DS_Store' -delete 2>/dev/null setup: ## FOR DOCO ONLY - Run these one at a time, do not call this target directly - uv venv --python $(which python3.12) + uv python install + uv venv source .venv/bin/activate - uv pip install -U pip + uv sync + uv build + uv pip install dist/ssvc-1.0.10-py3-none-any.whl + uv pip install "." -install: ## poetry install and create poetry.lock - poetry install --no-root - poetry self add poetry-plugin-up - -update: ## poetry update poetry.lock - git submodule update - poetry self update - poetry up +update: ## update and lock + uv lock -U test: clean ## pytest with coverage coverage run -m pytest --nf coverage report -m --fail-under=100 coverage-badge -f -o coverage.svg -publish: clean update ## upload to pypi.org - poetry publish --build - git commit -a -s -m 'feat: v$(shell poetry version -s)' - git tag --force v$(shell poetry version -s) +publish: clean ## upload to pypi.org + uv build + uv publish + git commit -a -s -m 'feat: $(shell uv tree -q | head -1 | awk '{print $2}')' + git tag --force $(shell uv tree -q | head -1 | awk '{print $2}') git push git push --tags --force -sarif: clean update ## generate SARIF from Semgrep for this project +sarif: clean ## generate SARIF from Semgrep for this project osv-scanner --format sarif --call-analysis=all -r . | jq >osv.sarif.json semgrep $(SEMGREP_ARGS) $(SEMGREP_RULES) | jq >semgrep.sarif.json -lockfile: ## generate pip lockfile for this project - uv pip compile --generate-hashes -o requirements.txt --all-extras --upgrade pyproject.toml - -sbom: lockfile ## generate CycloneDX for this project - pip-audit -r requirements.txt -f cyclonedx-json --require-hashes | jq > sbom.cdx.json - rm requirements.txt - cyclonedx convert --input-file sbom.cdx.json --output-file sbom.spdx.json +sbom: ## generate CycloneDX for this project + uvx pip-audit -f cyclonedx-json | jq > ssvc.cdx.json diff --git a/osv.sarif.json b/osv.sarif.json deleted file mode 100644 index f9bd4b0..0000000 --- a/osv.sarif.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "version": "2.1.0", - "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json", - "runs": [ - { - "tool": { - "driver": { - "informationUri": "https://github.com/google/osv-scanner", - "name": "osv-scanner", - "rules": [], - "version": "1.8.3" - } - }, - "results": [] - } - ] -} diff --git a/poetry.lock b/poetry.lock deleted file mode 100644 index af9f5d7..0000000 --- a/poetry.lock +++ /dev/null @@ -1,1680 +0,0 @@ -# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. - -[[package]] -name = "boolean-py" -version = "4.0" -description = "Define boolean algebras, create and parse boolean expressions and create custom boolean DSL." -optional = false -python-versions = "*" -files = [ - {file = "boolean.py-4.0-py3-none-any.whl", hash = "sha256:2876f2051d7d6394a531d82dc6eb407faa0b01a0a0b3083817ccd7323b8d96bd"}, - {file = "boolean.py-4.0.tar.gz", hash = "sha256:17b9a181630e43dde1851d42bef546d616d5d9b4480357514597e78b203d06e4"}, -] - -[[package]] -name = "build" -version = "1.2.1" -description = "A simple, correct Python build frontend" -optional = false -python-versions = ">=3.8" -files = [ - {file = "build-1.2.1-py3-none-any.whl", hash = "sha256:75e10f767a433d9a86e50d83f418e83efc18ede923ee5ff7df93b6cb0306c5d4"}, - {file = "build-1.2.1.tar.gz", hash = "sha256:526263f4870c26f26c433545579475377b2b7588b6f1eac76a001e873ae3e19d"}, -] - -[package.dependencies] -colorama = {version = "*", markers = "os_name == \"nt\""} -packaging = ">=19.1" -pyproject_hooks = "*" - -[package.extras] -docs = ["furo (>=2023.08.17)", "sphinx (>=7.0,<8.0)", "sphinx-argparse-cli (>=1.5)", "sphinx-autodoc-typehints (>=1.10)", "sphinx-issues (>=3.0.0)"] -test = ["build[uv,virtualenv]", "filelock (>=3)", "pytest (>=6.2.4)", "pytest-cov (>=2.12)", "pytest-mock (>=2)", "pytest-rerunfailures (>=9.1)", "pytest-xdist (>=1.34)", "setuptools (>=42.0.0)", "setuptools (>=56.0.0)", "setuptools (>=56.0.0)", "setuptools (>=67.8.0)", "wheel (>=0.36.0)"] -typing = ["build[uv]", "importlib-metadata (>=5.1)", "mypy (>=1.9.0,<1.10.0)", "tomli", "typing-extensions (>=3.7.4.3)"] -uv = ["uv (>=0.1.18)"] -virtualenv = ["virtualenv (>=20.0.35)"] - -[[package]] -name = "cachecontrol" -version = "0.14.0" -description = "httplib2 caching for requests" -optional = false -python-versions = ">=3.7" -files = [ - {file = "cachecontrol-0.14.0-py3-none-any.whl", hash = "sha256:f5bf3f0620c38db2e5122c0726bdebb0d16869de966ea6a2befe92470b740ea0"}, - {file = "cachecontrol-0.14.0.tar.gz", hash = "sha256:7db1195b41c81f8274a7bbd97c956f44e8348265a1bc7641c37dfebc39f0c938"}, -] - -[package.dependencies] -filelock = {version = ">=3.8.0", optional = true, markers = "extra == \"filecache\""} -msgpack = ">=0.5.2,<2.0.0" -requests = ">=2.16.0" - -[package.extras] -dev = ["CacheControl[filecache,redis]", "black", "build", "cherrypy", "furo", "mypy", "pytest", "pytest-cov", "sphinx", "sphinx-copybutton", "tox", "types-redis", "types-requests"] -filecache = ["filelock (>=3.8.0)"] -redis = ["redis (>=2.10.5)"] - -[[package]] -name = "certifi" -version = "2024.8.30" -description = "Python package for providing Mozilla's CA Bundle." -optional = false -python-versions = ">=3.6" -files = [ - {file = "certifi-2024.8.30-py3-none-any.whl", hash = "sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8"}, - {file = "certifi-2024.8.30.tar.gz", hash = "sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9"}, -] - -[[package]] -name = "cffi" -version = "1.17.0" -description = "Foreign Function Interface for Python calling C code." -optional = false -python-versions = ">=3.8" -files = [ - {file = "cffi-1.17.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:f9338cc05451f1942d0d8203ec2c346c830f8e86469903d5126c1f0a13a2bcbb"}, - {file = "cffi-1.17.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:a0ce71725cacc9ebf839630772b07eeec220cbb5f03be1399e0457a1464f8e1a"}, - {file = "cffi-1.17.0-cp310-cp310-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c815270206f983309915a6844fe994b2fa47e5d05c4c4cef267c3b30e34dbe42"}, - {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d6bdcd415ba87846fd317bee0774e412e8792832e7805938987e4ede1d13046d"}, - {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:8a98748ed1a1df4ee1d6f927e151ed6c1a09d5ec21684de879c7ea6aa96f58f2"}, - {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0a048d4f6630113e54bb4b77e315e1ba32a5a31512c31a273807d0027a7e69ab"}, - {file = "cffi-1.17.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:24aa705a5f5bd3a8bcfa4d123f03413de5d86e497435693b638cbffb7d5d8a1b"}, - {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:856bf0924d24e7f93b8aee12a3a1095c34085600aa805693fb7f5d1962393206"}, - {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:4304d4416ff032ed50ad6bb87416d802e67139e31c0bde4628f36a47a3164bfa"}, - {file = "cffi-1.17.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:331ad15c39c9fe9186ceaf87203a9ecf5ae0ba2538c9e898e3a6967e8ad3db6f"}, - {file = "cffi-1.17.0-cp310-cp310-win32.whl", hash = "sha256:669b29a9eca6146465cc574659058ed949748f0809a2582d1f1a324eb91054dc"}, - {file = "cffi-1.17.0-cp310-cp310-win_amd64.whl", hash = "sha256:48b389b1fd5144603d61d752afd7167dfd205973a43151ae5045b35793232aa2"}, - {file = "cffi-1.17.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c5d97162c196ce54af6700949ddf9409e9833ef1003b4741c2b39ef46f1d9720"}, - {file = "cffi-1.17.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:5ba5c243f4004c750836f81606a9fcb7841f8874ad8f3bf204ff5e56332b72b9"}, - {file = "cffi-1.17.0-cp311-cp311-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bb9333f58fc3a2296fb1d54576138d4cf5d496a2cc118422bd77835e6ae0b9cb"}, - {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:435a22d00ec7d7ea533db494da8581b05977f9c37338c80bc86314bec2619424"}, - {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d1df34588123fcc88c872f5acb6f74ae59e9d182a2707097f9e28275ec26a12d"}, - {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:df8bb0010fdd0a743b7542589223a2816bdde4d94bb5ad67884348fa2c1c67e8"}, - {file = "cffi-1.17.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a8b5b9712783415695663bd463990e2f00c6750562e6ad1d28e072a611c5f2a6"}, - {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:ffef8fd58a36fb5f1196919638f73dd3ae0db1a878982b27a9a5a176ede4ba91"}, - {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:4e67d26532bfd8b7f7c05d5a766d6f437b362c1bf203a3a5ce3593a645e870b8"}, - {file = "cffi-1.17.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:45f7cd36186db767d803b1473b3c659d57a23b5fa491ad83c6d40f2af58e4dbb"}, - {file = "cffi-1.17.0-cp311-cp311-win32.whl", hash = "sha256:a9015f5b8af1bb6837a3fcb0cdf3b874fe3385ff6274e8b7925d81ccaec3c5c9"}, - {file = "cffi-1.17.0-cp311-cp311-win_amd64.whl", hash = "sha256:b50aaac7d05c2c26dfd50c3321199f019ba76bb650e346a6ef3616306eed67b0"}, - {file = "cffi-1.17.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:aec510255ce690d240f7cb23d7114f6b351c733a74c279a84def763660a2c3bc"}, - {file = "cffi-1.17.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:2770bb0d5e3cc0e31e7318db06efcbcdb7b31bcb1a70086d3177692a02256f59"}, - {file = "cffi-1.17.0-cp312-cp312-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:db9a30ec064129d605d0f1aedc93e00894b9334ec74ba9c6bdd08147434b33eb"}, - {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a47eef975d2b8b721775a0fa286f50eab535b9d56c70a6e62842134cf7841195"}, - {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:f3e0992f23bbb0be00a921eae5363329253c3b86287db27092461c887b791e5e"}, - {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:6107e445faf057c118d5050560695e46d272e5301feffda3c41849641222a828"}, - {file = "cffi-1.17.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:eb862356ee9391dc5a0b3cbc00f416b48c1b9a52d252d898e5b7696a5f9fe150"}, - {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:c1c13185b90bbd3f8b5963cd8ce7ad4ff441924c31e23c975cb150e27c2bf67a"}, - {file = "cffi-1.17.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:17c6d6d3260c7f2d94f657e6872591fe8733872a86ed1345bda872cfc8c74885"}, - {file = "cffi-1.17.0-cp312-cp312-win32.whl", hash = "sha256:c3b8bd3133cd50f6b637bb4322822c94c5ce4bf0d724ed5ae70afce62187c492"}, - {file = "cffi-1.17.0-cp312-cp312-win_amd64.whl", hash = "sha256:dca802c8db0720ce1c49cce1149ff7b06e91ba15fa84b1d59144fef1a1bc7ac2"}, - {file = "cffi-1.17.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:6ce01337d23884b21c03869d2f68c5523d43174d4fc405490eb0091057943118"}, - {file = "cffi-1.17.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:cab2eba3830bf4f6d91e2d6718e0e1c14a2f5ad1af68a89d24ace0c6b17cced7"}, - {file = "cffi-1.17.0-cp313-cp313-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:14b9cbc8f7ac98a739558eb86fabc283d4d564dafed50216e7f7ee62d0d25377"}, - {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b00e7bcd71caa0282cbe3c90966f738e2db91e64092a877c3ff7f19a1628fdcb"}, - {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:41f4915e09218744d8bae14759f983e466ab69b178de38066f7579892ff2a555"}, - {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:e4760a68cab57bfaa628938e9c2971137e05ce48e762a9cb53b76c9b569f1204"}, - {file = "cffi-1.17.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:011aff3524d578a9412c8b3cfaa50f2c0bd78e03eb7af7aa5e0df59b158efb2f"}, - {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_aarch64.whl", hash = "sha256:a003ac9edc22d99ae1286b0875c460351f4e101f8c9d9d2576e78d7e048f64e0"}, - {file = "cffi-1.17.0-cp313-cp313-musllinux_1_1_x86_64.whl", hash = "sha256:ef9528915df81b8f4c7612b19b8628214c65c9b7f74db2e34a646a0a2a0da2d4"}, - {file = "cffi-1.17.0-cp313-cp313-win32.whl", hash = "sha256:70d2aa9fb00cf52034feac4b913181a6e10356019b18ef89bc7c12a283bf5f5a"}, - {file = "cffi-1.17.0-cp313-cp313-win_amd64.whl", hash = "sha256:b7b6ea9e36d32582cda3465f54c4b454f62f23cb083ebc7a94e2ca6ef011c3a7"}, - {file = "cffi-1.17.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:964823b2fc77b55355999ade496c54dde161c621cb1f6eac61dc30ed1b63cd4c"}, - {file = "cffi-1.17.0-cp38-cp38-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:516a405f174fd3b88829eabfe4bb296ac602d6a0f68e0d64d5ac9456194a5b7e"}, - {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dec6b307ce928e8e112a6bb9921a1cb00a0e14979bf28b98e084a4b8a742bd9b"}, - {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e4094c7b464cf0a858e75cd14b03509e84789abf7b79f8537e6a72152109c76e"}, - {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:2404f3de742f47cb62d023f0ba7c5a916c9c653d5b368cc966382ae4e57da401"}, - {file = "cffi-1.17.0-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3aa9d43b02a0c681f0bfbc12d476d47b2b2b6a3f9287f11ee42989a268a1833c"}, - {file = "cffi-1.17.0-cp38-cp38-win32.whl", hash = "sha256:0bb15e7acf8ab35ca8b24b90af52c8b391690ef5c4aec3d31f38f0d37d2cc499"}, - {file = "cffi-1.17.0-cp38-cp38-win_amd64.whl", hash = "sha256:93a7350f6706b31f457c1457d3a3259ff9071a66f312ae64dc024f049055f72c"}, - {file = "cffi-1.17.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:1a2ddbac59dc3716bc79f27906c010406155031a1c801410f1bafff17ea304d2"}, - {file = "cffi-1.17.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:6327b572f5770293fc062a7ec04160e89741e8552bf1c358d1a23eba68166759"}, - {file = "cffi-1.17.0-cp39-cp39-manylinux_2_12_i686.manylinux2010_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dbc183e7bef690c9abe5ea67b7b60fdbca81aa8da43468287dae7b5c046107d4"}, - {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5bdc0f1f610d067c70aa3737ed06e2726fd9d6f7bfee4a351f4c40b6831f4e82"}, - {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:6d872186c1617d143969defeadac5a904e6e374183e07977eedef9c07c8953bf"}, - {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0d46ee4764b88b91f16661a8befc6bfb24806d885e27436fdc292ed7e6f6d058"}, - {file = "cffi-1.17.0-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6f76a90c345796c01d85e6332e81cab6d70de83b829cf1d9762d0a3da59c7932"}, - {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:0e60821d312f99d3e1569202518dddf10ae547e799d75aef3bca3a2d9e8ee693"}, - {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:eb09b82377233b902d4c3fbeeb7ad731cdab579c6c6fda1f763cd779139e47c3"}, - {file = "cffi-1.17.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:24658baf6224d8f280e827f0a50c46ad819ec8ba380a42448e24459daf809cf4"}, - {file = "cffi-1.17.0-cp39-cp39-win32.whl", hash = "sha256:0fdacad9e0d9fc23e519efd5ea24a70348305e8d7d85ecbb1a5fa66dc834e7fb"}, - {file = "cffi-1.17.0-cp39-cp39-win_amd64.whl", hash = "sha256:7cbc78dc018596315d4e7841c8c3a7ae31cc4d638c9b627f87d52e8abaaf2d29"}, - {file = "cffi-1.17.0.tar.gz", hash = "sha256:f3157624b7558b914cb039fd1af735e5e8049a87c817cc215109ad1c8779df76"}, -] - -[package.dependencies] -pycparser = "*" - -[[package]] -name = "charset-normalizer" -version = "3.3.2" -description = "The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet." -optional = false -python-versions = ">=3.7.0" -files = [ - {file = "charset-normalizer-3.3.2.tar.gz", hash = "sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_ppc64le.whl", hash = "sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_s390x.whl", hash = "sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-win32.whl", hash = "sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73"}, - {file = "charset_normalizer-3.3.2-cp310-cp310-win_amd64.whl", hash = "sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_ppc64le.whl", hash = "sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_s390x.whl", hash = "sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-win32.whl", hash = "sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab"}, - {file = "charset_normalizer-3.3.2-cp311-cp311-win_amd64.whl", hash = "sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_ppc64le.whl", hash = "sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_s390x.whl", hash = "sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-win32.whl", hash = "sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7"}, - {file = "charset_normalizer-3.3.2-cp312-cp312-win_amd64.whl", hash = "sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_i686.whl", hash = "sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_ppc64le.whl", hash = "sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_s390x.whl", hash = "sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-win32.whl", hash = "sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4"}, - {file = "charset_normalizer-3.3.2-cp37-cp37m-win_amd64.whl", hash = "sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_ppc64le.whl", hash = "sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_s390x.whl", hash = "sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-win32.whl", hash = "sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25"}, - {file = "charset_normalizer-3.3.2-cp38-cp38-win_amd64.whl", hash = "sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_ppc64le.whl", hash = "sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_s390x.whl", hash = "sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-win32.whl", hash = "sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f"}, - {file = "charset_normalizer-3.3.2-cp39-cp39-win_amd64.whl", hash = "sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d"}, - {file = "charset_normalizer-3.3.2-py3-none-any.whl", hash = "sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc"}, -] - -[[package]] -name = "cleo" -version = "2.1.0" -description = "Cleo allows you to create beautiful and testable command-line interfaces." -optional = false -python-versions = ">=3.7,<4.0" -files = [ - {file = "cleo-2.1.0-py3-none-any.whl", hash = "sha256:4a31bd4dd45695a64ee3c4758f583f134267c2bc518d8ae9a29cf237d009b07e"}, - {file = "cleo-2.1.0.tar.gz", hash = "sha256:0b2c880b5d13660a7ea651001fb4acb527696c01f15c9ee650f377aa543fd523"}, -] - -[package.dependencies] -crashtest = ">=0.4.1,<0.5.0" -rapidfuzz = ">=3.0.0,<4.0.0" - -[[package]] -name = "colorama" -version = "0.4.6" -description = "Cross-platform colored terminal text." -optional = false -python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,!=3.4.*,!=3.5.*,!=3.6.*,>=2.7" -files = [ - {file = "colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6"}, - {file = "colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44"}, -] - -[[package]] -name = "coverage" -version = "7.6.1" -description = "Code coverage measurement for Python" -optional = false -python-versions = ">=3.8" -files = [ - {file = "coverage-7.6.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:b06079abebbc0e89e6163b8e8f0e16270124c154dc6e4a47b413dd538859af16"}, - {file = "coverage-7.6.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:cf4b19715bccd7ee27b6b120e7e9dd56037b9c0681dcc1adc9ba9db3d417fa36"}, - {file = "coverage-7.6.1-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e61c0abb4c85b095a784ef23fdd4aede7a2628478e7baba7c5e3deba61070a02"}, - {file = "coverage-7.6.1-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:fd21f6ae3f08b41004dfb433fa895d858f3f5979e7762d052b12aef444e29afc"}, - {file = "coverage-7.6.1-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8f59d57baca39b32db42b83b2a7ba6f47ad9c394ec2076b084c3f029b7afca23"}, - {file = "coverage-7.6.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a1ac0ae2b8bd743b88ed0502544847c3053d7171a3cff9228af618a068ed9c34"}, - {file = "coverage-7.6.1-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:e6a08c0be454c3b3beb105c0596ebdc2371fab6bb90c0c0297f4e58fd7e1012c"}, - {file = "coverage-7.6.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:f5796e664fe802da4f57a168c85359a8fbf3eab5e55cd4e4569fbacecc903959"}, - {file = "coverage-7.6.1-cp310-cp310-win32.whl", hash = "sha256:7bb65125fcbef8d989fa1dd0e8a060999497629ca5b0efbca209588a73356232"}, - {file = "coverage-7.6.1-cp310-cp310-win_amd64.whl", hash = "sha256:3115a95daa9bdba70aea750db7b96b37259a81a709223c8448fa97727d546fe0"}, - {file = "coverage-7.6.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:7dea0889685db8550f839fa202744652e87c60015029ce3f60e006f8c4462c93"}, - {file = "coverage-7.6.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:ed37bd3c3b063412f7620464a9ac1314d33100329f39799255fb8d3027da50d3"}, - {file = "coverage-7.6.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d85f5e9a5f8b73e2350097c3756ef7e785f55bd71205defa0bfdaf96c31616ff"}, - {file = "coverage-7.6.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9bc572be474cafb617672c43fe989d6e48d3c83af02ce8de73fff1c6bb3c198d"}, - {file = "coverage-7.6.1-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0c0420b573964c760df9e9e86d1a9a622d0d27f417e1a949a8a66dd7bcee7bc6"}, - {file = "coverage-7.6.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:1f4aa8219db826ce6be7099d559f8ec311549bfc4046f7f9fe9b5cea5c581c56"}, - {file = "coverage-7.6.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:fc5a77d0c516700ebad189b587de289a20a78324bc54baee03dd486f0855d234"}, - {file = "coverage-7.6.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:b48f312cca9621272ae49008c7f613337c53fadca647d6384cc129d2996d1133"}, - {file = "coverage-7.6.1-cp311-cp311-win32.whl", hash = "sha256:1125ca0e5fd475cbbba3bb67ae20bd2c23a98fac4e32412883f9bcbaa81c314c"}, - {file = "coverage-7.6.1-cp311-cp311-win_amd64.whl", hash = "sha256:8ae539519c4c040c5ffd0632784e21b2f03fc1340752af711f33e5be83a9d6c6"}, - {file = "coverage-7.6.1-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:95cae0efeb032af8458fc27d191f85d1717b1d4e49f7cb226cf526ff28179778"}, - {file = "coverage-7.6.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:5621a9175cf9d0b0c84c2ef2b12e9f5f5071357c4d2ea6ca1cf01814f45d2391"}, - {file = "coverage-7.6.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:260933720fdcd75340e7dbe9060655aff3af1f0c5d20f46b57f262ab6c86a5e8"}, - {file = "coverage-7.6.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:07e2ca0ad381b91350c0ed49d52699b625aab2b44b65e1b4e02fa9df0e92ad2d"}, - {file = "coverage-7.6.1-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:c44fee9975f04b33331cb8eb272827111efc8930cfd582e0320613263ca849ca"}, - {file = "coverage-7.6.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:877abb17e6339d96bf08e7a622d05095e72b71f8afd8a9fefc82cf30ed944163"}, - {file = "coverage-7.6.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:3e0cadcf6733c09154b461f1ca72d5416635e5e4ec4e536192180d34ec160f8a"}, - {file = "coverage-7.6.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:c3c02d12f837d9683e5ab2f3d9844dc57655b92c74e286c262e0fc54213c216d"}, - {file = "coverage-7.6.1-cp312-cp312-win32.whl", hash = "sha256:e05882b70b87a18d937ca6768ff33cc3f72847cbc4de4491c8e73880766718e5"}, - {file = "coverage-7.6.1-cp312-cp312-win_amd64.whl", hash = "sha256:b5d7b556859dd85f3a541db6a4e0167b86e7273e1cdc973e5b175166bb634fdb"}, - {file = "coverage-7.6.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:a4acd025ecc06185ba2b801f2de85546e0b8ac787cf9d3b06e7e2a69f925b106"}, - {file = "coverage-7.6.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:a6d3adcf24b624a7b778533480e32434a39ad8fa30c315208f6d3e5542aeb6e9"}, - {file = "coverage-7.6.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d0c212c49b6c10e6951362f7c6df3329f04c2b1c28499563d4035d964ab8e08c"}, - {file = "coverage-7.6.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6e81d7a3e58882450ec4186ca59a3f20a5d4440f25b1cff6f0902ad890e6748a"}, - {file = "coverage-7.6.1-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:78b260de9790fd81e69401c2dc8b17da47c8038176a79092a89cb2b7d945d060"}, - {file = "coverage-7.6.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:a78d169acd38300060b28d600344a803628c3fd585c912cacc9ea8790fe96862"}, - {file = "coverage-7.6.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:2c09f4ce52cb99dd7505cd0fc8e0e37c77b87f46bc9c1eb03fe3bc9991085388"}, - {file = "coverage-7.6.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:6878ef48d4227aace338d88c48738a4258213cd7b74fd9a3d4d7582bb1d8a155"}, - {file = "coverage-7.6.1-cp313-cp313-win32.whl", hash = "sha256:44df346d5215a8c0e360307d46ffaabe0f5d3502c8a1cefd700b34baf31d411a"}, - {file = "coverage-7.6.1-cp313-cp313-win_amd64.whl", hash = "sha256:8284cf8c0dd272a247bc154eb6c95548722dce90d098c17a883ed36e67cdb129"}, - {file = "coverage-7.6.1-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:d3296782ca4eab572a1a4eca686d8bfb00226300dcefdf43faa25b5242ab8a3e"}, - {file = "coverage-7.6.1-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:502753043567491d3ff6d08629270127e0c31d4184c4c8d98f92c26f65019962"}, - {file = "coverage-7.6.1-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6a89ecca80709d4076b95f89f308544ec8f7b4727e8a547913a35f16717856cb"}, - {file = "coverage-7.6.1-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a318d68e92e80af8b00fa99609796fdbcdfef3629c77c6283566c6f02c6d6704"}, - {file = "coverage-7.6.1-cp313-cp313t-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:13b0a73a0896988f053e4fbb7de6d93388e6dd292b0d87ee51d106f2c11b465b"}, - {file = "coverage-7.6.1-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:4421712dbfc5562150f7554f13dde997a2e932a6b5f352edcce948a815efee6f"}, - {file = "coverage-7.6.1-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:166811d20dfea725e2e4baa71fffd6c968a958577848d2131f39b60043400223"}, - {file = "coverage-7.6.1-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:225667980479a17db1048cb2bf8bfb39b8e5be8f164b8f6628b64f78a72cf9d3"}, - {file = "coverage-7.6.1-cp313-cp313t-win32.whl", hash = "sha256:170d444ab405852903b7d04ea9ae9b98f98ab6d7e63e1115e82620807519797f"}, - {file = "coverage-7.6.1-cp313-cp313t-win_amd64.whl", hash = "sha256:b9f222de8cded79c49bf184bdbc06630d4c58eec9459b939b4a690c82ed05657"}, - {file = "coverage-7.6.1-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:6db04803b6c7291985a761004e9060b2bca08da6d04f26a7f2294b8623a0c1a0"}, - {file = "coverage-7.6.1-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:f1adfc8ac319e1a348af294106bc6a8458a0f1633cc62a1446aebc30c5fa186a"}, - {file = "coverage-7.6.1-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a95324a9de9650a729239daea117df21f4b9868ce32e63f8b650ebe6cef5595b"}, - {file = "coverage-7.6.1-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:b43c03669dc4618ec25270b06ecd3ee4fa94c7f9b3c14bae6571ca00ef98b0d3"}, - {file = "coverage-7.6.1-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8929543a7192c13d177b770008bc4e8119f2e1f881d563fc6b6305d2d0ebe9de"}, - {file = "coverage-7.6.1-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:a09ece4a69cf399510c8ab25e0950d9cf2b42f7b3cb0374f95d2e2ff594478a6"}, - {file = "coverage-7.6.1-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:9054a0754de38d9dbd01a46621636689124d666bad1936d76c0341f7d71bf569"}, - {file = "coverage-7.6.1-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:0dbde0f4aa9a16fa4d754356a8f2e36296ff4d83994b2c9d8398aa32f222f989"}, - {file = "coverage-7.6.1-cp38-cp38-win32.whl", hash = "sha256:da511e6ad4f7323ee5702e6633085fb76c2f893aaf8ce4c51a0ba4fc07580ea7"}, - {file = "coverage-7.6.1-cp38-cp38-win_amd64.whl", hash = "sha256:3f1156e3e8f2872197af3840d8ad307a9dd18e615dc64d9ee41696f287c57ad8"}, - {file = "coverage-7.6.1-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:abd5fd0db5f4dc9289408aaf34908072f805ff7792632250dcb36dc591d24255"}, - {file = "coverage-7.6.1-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:547f45fa1a93154bd82050a7f3cddbc1a7a4dd2a9bf5cb7d06f4ae29fe94eaf8"}, - {file = "coverage-7.6.1-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:645786266c8f18a931b65bfcefdbf6952dd0dea98feee39bd188607a9d307ed2"}, - {file = "coverage-7.6.1-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9e0b2df163b8ed01d515807af24f63de04bebcecbd6c3bfeff88385789fdf75a"}, - {file = "coverage-7.6.1-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:609b06f178fe8e9f89ef676532760ec0b4deea15e9969bf754b37f7c40326dbc"}, - {file = "coverage-7.6.1-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:702855feff378050ae4f741045e19a32d57d19f3e0676d589df0575008ea5004"}, - {file = "coverage-7.6.1-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:2bdb062ea438f22d99cba0d7829c2ef0af1d768d1e4a4f528087224c90b132cb"}, - {file = "coverage-7.6.1-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:9c56863d44bd1c4fe2abb8a4d6f5371d197f1ac0ebdee542f07f35895fc07f36"}, - {file = "coverage-7.6.1-cp39-cp39-win32.whl", hash = "sha256:6e2cd258d7d927d09493c8df1ce9174ad01b381d4729a9d8d4e38670ca24774c"}, - {file = "coverage-7.6.1-cp39-cp39-win_amd64.whl", hash = "sha256:06a737c882bd26d0d6ee7269b20b12f14a8704807a01056c80bb881a4b2ce6ca"}, - {file = "coverage-7.6.1-pp38.pp39.pp310-none-any.whl", hash = "sha256:e9a6e0eb86070e8ccaedfbd9d38fec54864f3125ab95419970575b42af7541df"}, - {file = "coverage-7.6.1.tar.gz", hash = "sha256:953510dfb7b12ab69d20135a0662397f077c59b1e6379a768e97c59d852ee51d"}, -] - -[package.extras] -toml = ["tomli"] - -[[package]] -name = "coverage-badge" -version = "1.1.2" -description = "Generate coverage badges for Coverage.py." -optional = false -python-versions = "*" -files = [ - {file = "coverage_badge-1.1.2-py2.py3-none-any.whl", hash = "sha256:d8413ce51c91043a1692b943616b450868cbeeb0ea6a0c54a32f8318c9c96ff7"}, - {file = "coverage_badge-1.1.2.tar.gz", hash = "sha256:fe7ed58a3b72dad85a553b64a99e963dea3847dcd0b8ddd2b38a00333618642c"}, -] - -[package.dependencies] -coverage = "*" -setuptools = "*" - -[[package]] -name = "crashtest" -version = "0.4.1" -description = "Manage Python errors with ease" -optional = false -python-versions = ">=3.7,<4.0" -files = [ - {file = "crashtest-0.4.1-py3-none-any.whl", hash = "sha256:8d23eac5fa660409f57472e3851dab7ac18aba459a8d19cbbba86d3d5aecd2a5"}, - {file = "crashtest-0.4.1.tar.gz", hash = "sha256:80d7b1f316ebfbd429f648076d6275c877ba30ba48979de4191714a75266f0ce"}, -] - -[[package]] -name = "cryptography" -version = "43.0.1" -description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers." -optional = false -python-versions = ">=3.7" -files = [ - {file = "cryptography-43.0.1-cp37-abi3-macosx_10_9_universal2.whl", hash = "sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d"}, - {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062"}, - {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962"}, - {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277"}, - {file = "cryptography-43.0.1-cp37-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a"}, - {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042"}, - {file = "cryptography-43.0.1-cp37-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494"}, - {file = "cryptography-43.0.1-cp37-abi3-win32.whl", hash = "sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2"}, - {file = "cryptography-43.0.1-cp37-abi3-win_amd64.whl", hash = "sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d"}, - {file = "cryptography-43.0.1-cp39-abi3-macosx_10_9_universal2.whl", hash = "sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d"}, - {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806"}, - {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85"}, - {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_aarch64.whl", hash = "sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c"}, - {file = "cryptography-43.0.1-cp39-abi3-manylinux_2_28_x86_64.whl", hash = "sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1"}, - {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_aarch64.whl", hash = "sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa"}, - {file = "cryptography-43.0.1-cp39-abi3-musllinux_1_2_x86_64.whl", hash = "sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4"}, - {file = "cryptography-43.0.1-cp39-abi3-win32.whl", hash = "sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47"}, - {file = "cryptography-43.0.1-cp39-abi3-win_amd64.whl", hash = "sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb"}, - {file = "cryptography-43.0.1-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034"}, - {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d"}, - {file = "cryptography-43.0.1-pp310-pypy310_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289"}, - {file = "cryptography-43.0.1-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84"}, - {file = "cryptography-43.0.1-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365"}, - {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_aarch64.whl", hash = "sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96"}, - {file = "cryptography-43.0.1-pp39-pypy39_pp73-manylinux_2_28_x86_64.whl", hash = "sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172"}, - {file = "cryptography-43.0.1-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2"}, - {file = "cryptography-43.0.1.tar.gz", hash = "sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d"}, -] - -[package.dependencies] -cffi = {version = ">=1.12", markers = "platform_python_implementation != \"PyPy\""} - -[package.extras] -docs = ["sphinx (>=5.3.0)", "sphinx-rtd-theme (>=1.1.1)"] -docstest = ["pyenchant (>=1.6.11)", "readme-renderer", "sphinxcontrib-spelling (>=4.0.1)"] -nox = ["nox"] -pep8test = ["check-sdist", "click", "mypy", "ruff"] -sdist = ["build"] -ssh = ["bcrypt (>=3.1.5)"] -test = ["certifi", "cryptography-vectors (==43.0.1)", "pretend", "pytest (>=6.2.0)", "pytest-benchmark", "pytest-cov", "pytest-xdist"] -test-randomorder = ["pytest-randomly"] - -[[package]] -name = "cyclonedx-python-lib" -version = "7.6.0" -description = "Python library for CycloneDX" -optional = false -python-versions = "<4.0,>=3.8" -files = [ - {file = "cyclonedx_python_lib-7.6.0-py3-none-any.whl", hash = "sha256:30655e89e5f987dc8d57835919748d71589fafeb33ff1dec45048eb72eda3cf9"}, - {file = "cyclonedx_python_lib-7.6.0.tar.gz", hash = "sha256:fa481d5f0d82728cb6a32e55f8ba9c666ba75a2bd99eb643228e3011c56bb5c4"}, -] - -[package.dependencies] -license-expression = ">=30,<31" -packageurl-python = ">=0.11,<2" -py-serializable = ">=1.1.0,<2.0.0" -sortedcontainers = ">=2.4.0,<3.0.0" - -[package.extras] -json-validation = ["jsonschema[format] (>=4.18,<5.0)"] -validation = ["jsonschema[format] (>=4.18,<5.0)", "lxml (>=4,<6)"] -xml-validation = ["lxml (>=4,<6)"] - -[[package]] -name = "defusedxml" -version = "0.7.1" -description = "XML bomb protection for Python stdlib modules" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -files = [ - {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"}, - {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"}, -] - -[[package]] -name = "distlib" -version = "0.3.8" -description = "Distribution utilities" -optional = false -python-versions = "*" -files = [ - {file = "distlib-0.3.8-py2.py3-none-any.whl", hash = "sha256:034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784"}, - {file = "distlib-0.3.8.tar.gz", hash = "sha256:1530ea13e350031b6312d8580ddb6b27a104275a31106523b8f123787f494f64"}, -] - -[[package]] -name = "dulwich" -version = "0.21.7" -description = "Python Git Library" -optional = false -python-versions = ">=3.7" -files = [ - {file = "dulwich-0.21.7-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:d4c0110798099bb7d36a110090f2688050703065448895c4f53ade808d889dd3"}, - {file = "dulwich-0.21.7-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:2bc12697f0918bee324c18836053644035362bb3983dc1b210318f2fed1d7132"}, - {file = "dulwich-0.21.7-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:471305af74790827fcbafe330fc2e8bdcee4fb56ca1177c8c481b1c8f806c4a4"}, - {file = "dulwich-0.21.7-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d54c9d0e845be26f65f954dff13a1cd3f2b9739820c19064257b8fd7435ab263"}, - {file = "dulwich-0.21.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:12d61334a575474e707614f2e93d6ed4cdae9eb47214f9277076d9e5615171d3"}, - {file = "dulwich-0.21.7-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:e274cebaf345f0b1e3b70197f2651de92b652386b68020cfd3bf61bc30f6eaaa"}, - {file = "dulwich-0.21.7-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:817822f970e196e757ae01281ecbf21369383285b9f4a83496312204cf889b8c"}, - {file = "dulwich-0.21.7-cp310-cp310-win32.whl", hash = "sha256:7836da3f4110ce684dcd53489015fb7fa94ed33c5276e3318b8b1cbcb5b71e08"}, - {file = "dulwich-0.21.7-cp310-cp310-win_amd64.whl", hash = "sha256:4a043b90958cec866b4edc6aef5fe3c2c96a664d0b357e1682a46f6c477273c4"}, - {file = "dulwich-0.21.7-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:ce8db196e79c1f381469410d26fb1d8b89c6b87a4e7f00ff418c22a35121405c"}, - {file = "dulwich-0.21.7-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:62bfb26bdce869cd40be443dfd93143caea7089b165d2dcc33de40f6ac9d812a"}, - {file = "dulwich-0.21.7-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:c01a735b9a171dcb634a97a3cec1b174cfbfa8e840156870384b633da0460f18"}, - {file = "dulwich-0.21.7-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:fa4d14767cf7a49c9231c2e52cb2a3e90d0c83f843eb6a2ca2b5d81d254cf6b9"}, - {file = "dulwich-0.21.7-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:7bca4b86e96d6ef18c5bc39828ea349efb5be2f9b1f6ac9863f90589bac1084d"}, - {file = "dulwich-0.21.7-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:a7b5624b02ef808cdc62dabd47eb10cd4ac15e8ac6df9e2e88b6ac6b40133673"}, - {file = "dulwich-0.21.7-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:c3a539b4696a42fbdb7412cb7b66a4d4d332761299d3613d90a642923c7560e1"}, - {file = "dulwich-0.21.7-cp311-cp311-win32.whl", hash = "sha256:675a612ce913081beb0f37b286891e795d905691dfccfb9bf73721dca6757cde"}, - {file = "dulwich-0.21.7-cp311-cp311-win_amd64.whl", hash = "sha256:460ba74bdb19f8d498786ae7776745875059b1178066208c0fd509792d7f7bfc"}, - {file = "dulwich-0.21.7-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:4c51058ec4c0b45dc5189225b9e0c671b96ca9713c1daf71d622c13b0ab07681"}, - {file = "dulwich-0.21.7-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:4bc4c5366eaf26dda3fdffe160a3b515666ed27c2419f1d483da285ac1411de0"}, - {file = "dulwich-0.21.7-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:a0650ec77d89cb947e3e4bbd4841c96f74e52b4650830112c3057a8ca891dc2f"}, - {file = "dulwich-0.21.7-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4f18f0a311fb7734b033a3101292b932158cade54b74d1c44db519e42825e5a2"}, - {file = "dulwich-0.21.7-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6c589468e5c0cd84e97eb7ec209ab005a2cb69399e8c5861c3edfe38989ac3a8"}, - {file = "dulwich-0.21.7-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:d62446797163317a397a10080c6397ffaaca51a7804c0120b334f8165736c56a"}, - {file = "dulwich-0.21.7-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:e84cc606b1f581733df4350ca4070e6a8b30be3662bbb81a590b177d0c996c91"}, - {file = "dulwich-0.21.7-cp312-cp312-win32.whl", hash = "sha256:c3d1685f320907a52c40fd5890627945c51f3a5fa4bcfe10edb24fec79caadec"}, - {file = "dulwich-0.21.7-cp312-cp312-win_amd64.whl", hash = "sha256:6bd69921fdd813b7469a3c77bc75c1783cc1d8d72ab15a406598e5a3ba1a1503"}, - {file = "dulwich-0.21.7-cp37-cp37m-macosx_10_9_x86_64.whl", hash = "sha256:7d8ab29c660125db52106775caa1f8f7f77a69ed1fe8bc4b42bdf115731a25bf"}, - {file = "dulwich-0.21.7-cp37-cp37m-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b0d2e4485b98695bf95350ce9d38b1bb0aaac2c34ad00a0df789aa33c934469b"}, - {file = "dulwich-0.21.7-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e138d516baa6b5bafbe8f030eccc544d0d486d6819b82387fc0e285e62ef5261"}, - {file = "dulwich-0.21.7-cp37-cp37m-musllinux_1_1_aarch64.whl", hash = "sha256:f34bf9b9fa9308376263fd9ac43143c7c09da9bc75037bb75c6c2423a151b92c"}, - {file = "dulwich-0.21.7-cp37-cp37m-musllinux_1_1_x86_64.whl", hash = "sha256:2e2c66888207b71cd1daa2acb06d3984a6bc13787b837397a64117aa9fc5936a"}, - {file = "dulwich-0.21.7-cp37-cp37m-win32.whl", hash = "sha256:10893105c6566fc95bc2a67b61df7cc1e8f9126d02a1df6a8b2b82eb59db8ab9"}, - {file = "dulwich-0.21.7-cp37-cp37m-win_amd64.whl", hash = "sha256:460b3849d5c3d3818a80743b4f7a0094c893c559f678e56a02fff570b49a644a"}, - {file = "dulwich-0.21.7-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:74700e4c7d532877355743336c36f51b414d01e92ba7d304c4f8d9a5946dbc81"}, - {file = "dulwich-0.21.7-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:c92e72c43c9e9e936b01a57167e0ea77d3fd2d82416edf9489faa87278a1cdf7"}, - {file = "dulwich-0.21.7-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:d097e963eb6b9fa53266146471531ad9c6765bf390849230311514546ed64db2"}, - {file = "dulwich-0.21.7-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:808e8b9cc0aa9ac74870b49db4f9f39a52fb61694573f84b9c0613c928d4caf8"}, - {file = "dulwich-0.21.7-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e1957b65f96e36c301e419d7adaadcff47647c30eb072468901bb683b1000bc5"}, - {file = "dulwich-0.21.7-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:4b09bc3a64fb70132ec14326ecbe6e0555381108caff3496898962c4136a48c6"}, - {file = "dulwich-0.21.7-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:d5882e70b74ac3c736a42d3fdd4f5f2e6570637f59ad5d3e684760290b58f041"}, - {file = "dulwich-0.21.7-cp38-cp38-win32.whl", hash = "sha256:29bb5c1d70eba155ded41ed8a62be2f72edbb3c77b08f65b89c03976292f6d1b"}, - {file = "dulwich-0.21.7-cp38-cp38-win_amd64.whl", hash = "sha256:25c3ab8fb2e201ad2031ddd32e4c68b7c03cb34b24a5ff477b7a7dcef86372f5"}, - {file = "dulwich-0.21.7-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:8929c37986c83deb4eb500c766ee28b6670285b512402647ee02a857320e377c"}, - {file = "dulwich-0.21.7-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:cc1e11be527ac06316539b57a7688bcb1b6a3e53933bc2f844397bc50734e9ae"}, - {file = "dulwich-0.21.7-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:0fc3078a1ba04c588fabb0969d3530efd5cd1ce2cf248eefb6baf7cbc15fc285"}, - {file = "dulwich-0.21.7-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:40dcbd29ba30ba2c5bfbab07a61a5f20095541d5ac66d813056c122244df4ac0"}, - {file = "dulwich-0.21.7-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8869fc8ec3dda743e03d06d698ad489b3705775fe62825e00fa95aa158097fc0"}, - {file = "dulwich-0.21.7-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:d96ca5e0dde49376fbcb44f10eddb6c30284a87bd03bb577c59bb0a1f63903fa"}, - {file = "dulwich-0.21.7-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:e0064363bd5e814359657ae32517fa8001e8573d9d040bd997908d488ab886ed"}, - {file = "dulwich-0.21.7-cp39-cp39-win32.whl", hash = "sha256:869eb7be48243e695673b07905d18b73d1054a85e1f6e298fe63ba2843bb2ca1"}, - {file = "dulwich-0.21.7-cp39-cp39-win_amd64.whl", hash = "sha256:404b8edeb3c3a86c47c0a498699fc064c93fa1f8bab2ffe919e8ab03eafaaad3"}, - {file = "dulwich-0.21.7-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:e598d743c6c0548ebcd2baf94aa9c8bfacb787ea671eeeb5828cfbd7d56b552f"}, - {file = "dulwich-0.21.7-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d4a2d76c96426e791556836ef43542b639def81be4f1d6d4322cd886c115eae1"}, - {file = "dulwich-0.21.7-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:f6c88acb60a1f4d31bd6d13bfba465853b3df940ee4a0f2a3d6c7a0778c705b7"}, - {file = "dulwich-0.21.7-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:ecd315847dea406a4decfa39d388a2521e4e31acde3bd9c2609c989e817c6d62"}, - {file = "dulwich-0.21.7-pp37-pypy37_pp73-macosx_10_9_x86_64.whl", hash = "sha256:d05d3c781bc74e2c2a2a8f4e4e2ed693540fbe88e6ac36df81deac574a6dad99"}, - {file = "dulwich-0.21.7-pp37-pypy37_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:6de6f8de4a453fdbae8062a6faa652255d22a3d8bce0cd6d2d6701305c75f2b3"}, - {file = "dulwich-0.21.7-pp37-pypy37_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e25953c7acbbe4e19650d0225af1c0c0e6882f8bddd2056f75c1cc2b109b88ad"}, - {file = "dulwich-0.21.7-pp37-pypy37_pp73-win_amd64.whl", hash = "sha256:4637cbd8ed1012f67e1068aaed19fcc8b649bcf3e9e26649826a303298c89b9d"}, - {file = "dulwich-0.21.7-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:858842b30ad6486aacaa607d60bab9c9a29e7c59dc2d9cb77ae5a94053878c08"}, - {file = "dulwich-0.21.7-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:739b191f61e1c4ce18ac7d520e7a7cbda00e182c3489552408237200ce8411ad"}, - {file = "dulwich-0.21.7-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:274c18ec3599a92a9b67abaf110e4f181a4f779ee1aaab9e23a72e89d71b2bd9"}, - {file = "dulwich-0.21.7-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:2590e9b431efa94fc356ae33b38f5e64f1834ec3a94a6ac3a64283b206d07aa3"}, - {file = "dulwich-0.21.7-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:ed60d1f610ef6437586f7768254c2a93820ccbd4cfdac7d182cf2d6e615969bb"}, - {file = "dulwich-0.21.7-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8278835e168dd097089f9e53088c7a69c6ca0841aef580d9603eafe9aea8c358"}, - {file = "dulwich-0.21.7-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:ffc27fb063f740712e02b4d2f826aee8bbed737ed799962fef625e2ce56e2d29"}, - {file = "dulwich-0.21.7-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:61e3451bd3d3844f2dca53f131982553be4d1b1e1ebd9db701843dd76c4dba31"}, - {file = "dulwich-0.21.7.tar.gz", hash = "sha256:a9e9c66833cea580c3ac12927e4b9711985d76afca98da971405d414de60e968"}, -] - -[package.dependencies] -urllib3 = ">=1.25" - -[package.extras] -fastimport = ["fastimport"] -https = ["urllib3 (>=1.24.1)"] -paramiko = ["paramiko"] -pgp = ["gpg"] - -[[package]] -name = "fastjsonschema" -version = "2.20.0" -description = "Fastest Python implementation of JSON schema" -optional = false -python-versions = "*" -files = [ - {file = "fastjsonschema-2.20.0-py3-none-any.whl", hash = "sha256:5875f0b0fa7a0043a91e93a9b8f793bcbbba9691e7fd83dca95c28ba26d21f0a"}, - {file = "fastjsonschema-2.20.0.tar.gz", hash = "sha256:3d48fc5300ee96f5d116f10fe6f28d938e6008f59a6a025c2649475b87f76a23"}, -] - -[package.extras] -devel = ["colorama", "json-spec", "jsonschema", "pylint", "pytest", "pytest-benchmark", "pytest-cache", "validictory"] - -[[package]] -name = "filelock" -version = "3.15.4" -description = "A platform independent file lock." -optional = false -python-versions = ">=3.8" -files = [ - {file = "filelock-3.15.4-py3-none-any.whl", hash = "sha256:6ca1fffae96225dab4c6eaf1c4f4f28cd2568d3ec2a44e15a08520504de468e7"}, - {file = "filelock-3.15.4.tar.gz", hash = "sha256:2207938cbc1844345cb01a5a95524dae30f0ce089eba5b00378295a17e3e90cb"}, -] - -[package.extras] -docs = ["furo (>=2023.9.10)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] -testing = ["covdefaults (>=2.3)", "coverage (>=7.3.2)", "diff-cover (>=8.0.1)", "pytest (>=7.4.3)", "pytest-asyncio (>=0.21)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)", "pytest-timeout (>=2.2)", "virtualenv (>=20.26.2)"] -typing = ["typing-extensions (>=4.8)"] - -[[package]] -name = "html5lib" -version = "1.1" -description = "HTML parser based on the WHATWG HTML specification" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*" -files = [ - {file = "html5lib-1.1-py2.py3-none-any.whl", hash = "sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d"}, - {file = "html5lib-1.1.tar.gz", hash = "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f"}, -] - -[package.dependencies] -six = ">=1.9" -webencodings = "*" - -[package.extras] -all = ["chardet (>=2.2)", "genshi", "lxml"] -chardet = ["chardet (>=2.2)"] -genshi = ["genshi"] -lxml = ["lxml"] - -[[package]] -name = "idna" -version = "3.8" -description = "Internationalized Domain Names in Applications (IDNA)" -optional = false -python-versions = ">=3.6" -files = [ - {file = "idna-3.8-py3-none-any.whl", hash = "sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac"}, - {file = "idna-3.8.tar.gz", hash = "sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603"}, -] - -[[package]] -name = "importlib-metadata" -version = "8.4.0" -description = "Read metadata from Python packages" -optional = false -python-versions = ">=3.8" -files = [ - {file = "importlib_metadata-8.4.0-py3-none-any.whl", hash = "sha256:66f342cc6ac9818fc6ff340576acd24d65ba0b3efabb2b4ac08b598965a4a2f1"}, - {file = "importlib_metadata-8.4.0.tar.gz", hash = "sha256:9a547d3bc3608b025f93d403fdd1aae741c24fbb8314df4b155675742ce303c5"}, -] - -[package.dependencies] -zipp = ">=0.5" - -[package.extras] -doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] -perf = ["ipython"] -test = ["flufl.flake8", "importlib-resources (>=1.3)", "jaraco.test (>=5.4)", "packaging", "pyfakefs", "pytest (>=6,!=8.1.*)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-perf (>=0.9.2)", "pytest-ruff (>=0.2.1)"] - -[[package]] -name = "iniconfig" -version = "2.0.0" -description = "brain-dead simple config-ini parsing" -optional = false -python-versions = ">=3.7" -files = [ - {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, - {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, -] - -[[package]] -name = "installer" -version = "0.7.0" -description = "A library for installing Python wheels." -optional = false -python-versions = ">=3.7" -files = [ - {file = "installer-0.7.0-py3-none-any.whl", hash = "sha256:05d1933f0a5ba7d8d6296bb6d5018e7c94fa473ceb10cf198a92ccea19c27b53"}, - {file = "installer-0.7.0.tar.gz", hash = "sha256:a26d3e3116289bb08216e0d0f7d925fcef0b0194eedfa0c944bcaaa106c4b631"}, -] - -[[package]] -name = "isort" -version = "5.13.2" -description = "A Python utility / library to sort Python imports." -optional = false -python-versions = ">=3.8.0" -files = [ - {file = "isort-5.13.2-py3-none-any.whl", hash = "sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6"}, - {file = "isort-5.13.2.tar.gz", hash = "sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109"}, -] - -[package.extras] -colors = ["colorama (>=0.4.6)"] - -[[package]] -name = "jaraco-classes" -version = "3.4.0" -description = "Utility functions for Python class constructs" -optional = false -python-versions = ">=3.8" -files = [ - {file = "jaraco.classes-3.4.0-py3-none-any.whl", hash = "sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790"}, - {file = "jaraco.classes-3.4.0.tar.gz", hash = "sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd"}, -] - -[package.dependencies] -more-itertools = "*" - -[package.extras] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-ruff (>=0.2.1)"] - -[[package]] -name = "jeepney" -version = "0.8.0" -description = "Low-level, pure Python DBus protocol wrapper." -optional = false -python-versions = ">=3.7" -files = [ - {file = "jeepney-0.8.0-py3-none-any.whl", hash = "sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755"}, - {file = "jeepney-0.8.0.tar.gz", hash = "sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806"}, -] - -[package.extras] -test = ["async-timeout", "pytest", "pytest-asyncio (>=0.17)", "pytest-trio", "testpath", "trio"] -trio = ["async_generator", "trio"] - -[[package]] -name = "keyring" -version = "24.3.1" -description = "Store and access your passwords safely." -optional = false -python-versions = ">=3.8" -files = [ - {file = "keyring-24.3.1-py3-none-any.whl", hash = "sha256:df38a4d7419a6a60fea5cef1e45a948a3e8430dd12ad88b0f423c5c143906218"}, - {file = "keyring-24.3.1.tar.gz", hash = "sha256:c3327b6ffafc0e8befbdb597cacdb4928ffe5c1212f7645f186e6d9957a898db"}, -] - -[package.dependencies] -importlib-metadata = {version = ">=4.11.4", markers = "python_version < \"3.12\""} -"jaraco.classes" = "*" -jeepney = {version = ">=0.4.2", markers = "sys_platform == \"linux\""} -pywin32-ctypes = {version = ">=0.2.0", markers = "sys_platform == \"win32\""} -SecretStorage = {version = ">=3.2", markers = "sys_platform == \"linux\""} - -[package.extras] -completion = ["shtab (>=1.1.0)"] -docs = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (<7.2.5)", "sphinx (>=3.5)", "sphinx-lint"] -testing = ["pytest (>=6)", "pytest-checkdocs (>=2.4)", "pytest-cov", "pytest-enabler (>=2.2)", "pytest-mypy", "pytest-ruff (>=0.2.1)"] - -[[package]] -name = "license-expression" -version = "30.3.1" -description = "license-expression is a comprehensive utility library to parse, compare, simplify and normalize license expressions (such as SPDX license expressions) using boolean logic." -optional = false -python-versions = ">=3.8" -files = [ - {file = "license_expression-30.3.1-py3-none-any.whl", hash = "sha256:97904b9185c7bbb1e98799606fa7424191c375e70ba63a524b6f7100e42ddc46"}, - {file = "license_expression-30.3.1.tar.gz", hash = "sha256:60d5bec1f3364c256a92b9a08583d7ea933c7aa272c8d36d04144a89a3858c01"}, -] - -[package.dependencies] -"boolean.py" = ">=4.0" - -[package.extras] -docs = ["Sphinx (>=5.0.2)", "doc8 (>=0.11.2)", "sphinx-autobuild", "sphinx-copybutton", "sphinx-reredirects (>=0.1.2)", "sphinx-rtd-dark-mode (>=1.3.0)", "sphinx-rtd-theme (>=1.0.0)", "sphinxcontrib-apidoc (>=0.4.0)"] -testing = ["black", "isort", "pytest (>=6,!=7.0.0)", "pytest-xdist (>=2)", "twine"] - -[[package]] -name = "markdown-it-py" -version = "3.0.0" -description = "Python port of markdown-it. Markdown parsing, done right!" -optional = false -python-versions = ">=3.8" -files = [ - {file = "markdown-it-py-3.0.0.tar.gz", hash = "sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb"}, - {file = "markdown_it_py-3.0.0-py3-none-any.whl", hash = "sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1"}, -] - -[package.dependencies] -mdurl = ">=0.1,<1.0" - -[package.extras] -benchmarking = ["psutil", "pytest", "pytest-benchmark"] -code-style = ["pre-commit (>=3.0,<4.0)"] -compare = ["commonmark (>=0.9,<1.0)", "markdown (>=3.4,<4.0)", "mistletoe (>=1.0,<2.0)", "mistune (>=2.0,<3.0)", "panflute (>=2.3,<3.0)"] -linkify = ["linkify-it-py (>=1,<3)"] -plugins = ["mdit-py-plugins"] -profiling = ["gprof2dot"] -rtd = ["jupyter_sphinx", "mdit-py-plugins", "myst-parser", "pyyaml", "sphinx", "sphinx-copybutton", "sphinx-design", "sphinx_book_theme"] -testing = ["coverage", "pytest", "pytest-cov", "pytest-regressions"] - -[[package]] -name = "mdurl" -version = "0.1.2" -description = "Markdown URL utilities" -optional = false -python-versions = ">=3.7" -files = [ - {file = "mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8"}, - {file = "mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba"}, -] - -[[package]] -name = "more-itertools" -version = "10.4.0" -description = "More routines for operating on iterables, beyond itertools" -optional = false -python-versions = ">=3.8" -files = [ - {file = "more-itertools-10.4.0.tar.gz", hash = "sha256:fe0e63c4ab068eac62410ab05cccca2dc71ec44ba8ef29916a0090df061cf923"}, - {file = "more_itertools-10.4.0-py3-none-any.whl", hash = "sha256:0f7d9f83a0a8dcfa8a2694a770590d98a67ea943e3d9f5298309a484758c4e27"}, -] - -[[package]] -name = "msgpack" -version = "1.0.8" -description = "MessagePack serializer" -optional = false -python-versions = ">=3.8" -files = [ - {file = "msgpack-1.0.8-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:505fe3d03856ac7d215dbe005414bc28505d26f0c128906037e66d98c4e95868"}, - {file = "msgpack-1.0.8-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:e6b7842518a63a9f17107eb176320960ec095a8ee3b4420b5f688e24bf50c53c"}, - {file = "msgpack-1.0.8-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:376081f471a2ef24828b83a641a02c575d6103a3ad7fd7dade5486cad10ea659"}, - {file = "msgpack-1.0.8-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5e390971d082dba073c05dbd56322427d3280b7cc8b53484c9377adfbae67dc2"}, - {file = "msgpack-1.0.8-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:00e073efcba9ea99db5acef3959efa45b52bc67b61b00823d2a1a6944bf45982"}, - {file = "msgpack-1.0.8-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:82d92c773fbc6942a7a8b520d22c11cfc8fd83bba86116bfcf962c2f5c2ecdaa"}, - {file = "msgpack-1.0.8-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:9ee32dcb8e531adae1f1ca568822e9b3a738369b3b686d1477cbc643c4a9c128"}, - {file = "msgpack-1.0.8-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:e3aa7e51d738e0ec0afbed661261513b38b3014754c9459508399baf14ae0c9d"}, - {file = "msgpack-1.0.8-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:69284049d07fce531c17404fcba2bb1df472bc2dcdac642ae71a2d079d950653"}, - {file = "msgpack-1.0.8-cp310-cp310-win32.whl", hash = "sha256:13577ec9e247f8741c84d06b9ece5f654920d8365a4b636ce0e44f15e07ec693"}, - {file = "msgpack-1.0.8-cp310-cp310-win_amd64.whl", hash = "sha256:e532dbd6ddfe13946de050d7474e3f5fb6ec774fbb1a188aaf469b08cf04189a"}, - {file = "msgpack-1.0.8-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:9517004e21664f2b5a5fd6333b0731b9cf0817403a941b393d89a2f1dc2bd836"}, - {file = "msgpack-1.0.8-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d16a786905034e7e34098634b184a7d81f91d4c3d246edc6bd7aefb2fd8ea6ad"}, - {file = "msgpack-1.0.8-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:e2872993e209f7ed04d963e4b4fbae72d034844ec66bc4ca403329db2074377b"}, - {file = "msgpack-1.0.8-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5c330eace3dd100bdb54b5653b966de7f51c26ec4a7d4e87132d9b4f738220ba"}, - {file = "msgpack-1.0.8-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:83b5c044f3eff2a6534768ccfd50425939e7a8b5cf9a7261c385de1e20dcfc85"}, - {file = "msgpack-1.0.8-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:1876b0b653a808fcd50123b953af170c535027bf1d053b59790eebb0aeb38950"}, - {file = "msgpack-1.0.8-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:dfe1f0f0ed5785c187144c46a292b8c34c1295c01da12e10ccddfc16def4448a"}, - {file = "msgpack-1.0.8-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:3528807cbbb7f315bb81959d5961855e7ba52aa60a3097151cb21956fbc7502b"}, - {file = "msgpack-1.0.8-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:e2f879ab92ce502a1e65fce390eab619774dda6a6ff719718069ac94084098ce"}, - {file = "msgpack-1.0.8-cp311-cp311-win32.whl", hash = "sha256:26ee97a8261e6e35885c2ecd2fd4a6d38252246f94a2aec23665a4e66d066305"}, - {file = "msgpack-1.0.8-cp311-cp311-win_amd64.whl", hash = "sha256:eadb9f826c138e6cf3c49d6f8de88225a3c0ab181a9b4ba792e006e5292d150e"}, - {file = "msgpack-1.0.8-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:114be227f5213ef8b215c22dde19532f5da9652e56e8ce969bf0a26d7c419fee"}, - {file = "msgpack-1.0.8-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:d661dc4785affa9d0edfdd1e59ec056a58b3dbb9f196fa43587f3ddac654ac7b"}, - {file = "msgpack-1.0.8-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:d56fd9f1f1cdc8227d7b7918f55091349741904d9520c65f0139a9755952c9e8"}, - {file = "msgpack-1.0.8-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:0726c282d188e204281ebd8de31724b7d749adebc086873a59efb8cf7ae27df3"}, - {file = "msgpack-1.0.8-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8db8e423192303ed77cff4dce3a4b88dbfaf43979d280181558af5e2c3c71afc"}, - {file = "msgpack-1.0.8-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:99881222f4a8c2f641f25703963a5cefb076adffd959e0558dc9f803a52d6a58"}, - {file = "msgpack-1.0.8-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:b5505774ea2a73a86ea176e8a9a4a7c8bf5d521050f0f6f8426afe798689243f"}, - {file = "msgpack-1.0.8-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:ef254a06bcea461e65ff0373d8a0dd1ed3aa004af48839f002a0c994a6f72d04"}, - {file = "msgpack-1.0.8-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:e1dd7839443592d00e96db831eddb4111a2a81a46b028f0facd60a09ebbdd543"}, - {file = "msgpack-1.0.8-cp312-cp312-win32.whl", hash = "sha256:64d0fcd436c5683fdd7c907eeae5e2cbb5eb872fafbc03a43609d7941840995c"}, - {file = "msgpack-1.0.8-cp312-cp312-win_amd64.whl", hash = "sha256:74398a4cf19de42e1498368c36eed45d9528f5fd0155241e82c4082b7e16cffd"}, - {file = "msgpack-1.0.8-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:0ceea77719d45c839fd73abcb190b8390412a890df2f83fb8cf49b2a4b5c2f40"}, - {file = "msgpack-1.0.8-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:1ab0bbcd4d1f7b6991ee7c753655b481c50084294218de69365f8f1970d4c151"}, - {file = "msgpack-1.0.8-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:1cce488457370ffd1f953846f82323cb6b2ad2190987cd4d70b2713e17268d24"}, - {file = "msgpack-1.0.8-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:3923a1778f7e5ef31865893fdca12a8d7dc03a44b33e2a5f3295416314c09f5d"}, - {file = "msgpack-1.0.8-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:a22e47578b30a3e199ab067a4d43d790249b3c0587d9a771921f86250c8435db"}, - {file = "msgpack-1.0.8-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:bd739c9251d01e0279ce729e37b39d49a08c0420d3fee7f2a4968c0576678f77"}, - {file = "msgpack-1.0.8-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:d3420522057ebab1728b21ad473aa950026d07cb09da41103f8e597dfbfaeb13"}, - {file = "msgpack-1.0.8-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:5845fdf5e5d5b78a49b826fcdc0eb2e2aa7191980e3d2cfd2a30303a74f212e2"}, - {file = "msgpack-1.0.8-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:6a0e76621f6e1f908ae52860bdcb58e1ca85231a9b0545e64509c931dd34275a"}, - {file = "msgpack-1.0.8-cp38-cp38-win32.whl", hash = "sha256:374a8e88ddab84b9ada695d255679fb99c53513c0a51778796fcf0944d6c789c"}, - {file = "msgpack-1.0.8-cp38-cp38-win_amd64.whl", hash = "sha256:f3709997b228685fe53e8c433e2df9f0cdb5f4542bd5114ed17ac3c0129b0480"}, - {file = "msgpack-1.0.8-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:f51bab98d52739c50c56658cc303f190785f9a2cd97b823357e7aeae54c8f68a"}, - {file = "msgpack-1.0.8-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:73ee792784d48aa338bba28063e19a27e8d989344f34aad14ea6e1b9bd83f596"}, - {file = "msgpack-1.0.8-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:f9904e24646570539a8950400602d66d2b2c492b9010ea7e965025cb71d0c86d"}, - {file = "msgpack-1.0.8-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e75753aeda0ddc4c28dce4c32ba2f6ec30b1b02f6c0b14e547841ba5b24f753f"}, - {file = "msgpack-1.0.8-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5dbf059fb4b7c240c873c1245ee112505be27497e90f7c6591261c7d3c3a8228"}, - {file = "msgpack-1.0.8-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4916727e31c28be8beaf11cf117d6f6f188dcc36daae4e851fee88646f5b6b18"}, - {file = "msgpack-1.0.8-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:7938111ed1358f536daf311be244f34df7bf3cdedb3ed883787aca97778b28d8"}, - {file = "msgpack-1.0.8-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:493c5c5e44b06d6c9268ce21b302c9ca055c1fd3484c25ba41d34476c76ee746"}, - {file = "msgpack-1.0.8-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:5fbb160554e319f7b22ecf530a80a3ff496d38e8e07ae763b9e82fadfe96f273"}, - {file = "msgpack-1.0.8-cp39-cp39-win32.whl", hash = "sha256:f9af38a89b6a5c04b7d18c492c8ccf2aee7048aff1ce8437c4683bb5a1df893d"}, - {file = "msgpack-1.0.8-cp39-cp39-win_amd64.whl", hash = "sha256:ed59dd52075f8fc91da6053b12e8c89e37aa043f8986efd89e61fae69dc1b011"}, - {file = "msgpack-1.0.8.tar.gz", hash = "sha256:95c02b0e27e706e48d0e5426d1710ca78e0f0628d6e89d5b5a5b91a5f12274f3"}, -] - -[[package]] -name = "packageurl-python" -version = "0.15.6" -description = "A purl aka. Package URL parser and builder" -optional = false -python-versions = ">=3.7" -files = [ - {file = "packageurl_python-0.15.6-py3-none-any.whl", hash = "sha256:a40210652c89022772a6c8340d6066f7d5dc67132141e5284a4db7a27d0a8ab0"}, - {file = "packageurl_python-0.15.6.tar.gz", hash = "sha256:cbc89afd15d5f4d05db4f1b61297e5b97a43f61f28799f6d282aff467ed2ee96"}, -] - -[package.extras] -build = ["setuptools", "wheel"] -lint = ["black", "isort", "mypy"] -sqlalchemy = ["sqlalchemy (>=2.0.0)"] -test = ["pytest"] - -[[package]] -name = "packaging" -version = "24.1" -description = "Core utilities for Python packages" -optional = false -python-versions = ">=3.8" -files = [ - {file = "packaging-24.1-py3-none-any.whl", hash = "sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124"}, - {file = "packaging-24.1.tar.gz", hash = "sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002"}, -] - -[[package]] -name = "pexpect" -version = "4.9.0" -description = "Pexpect allows easy control of interactive console applications." -optional = false -python-versions = "*" -files = [ - {file = "pexpect-4.9.0-py2.py3-none-any.whl", hash = "sha256:7236d1e080e4936be2dc3e326cec0af72acf9212a7e1d060210e70a47e253523"}, - {file = "pexpect-4.9.0.tar.gz", hash = "sha256:ee7d41123f3c9911050ea2c2dac107568dc43b2d3b0c7557a33212c398ead30f"}, -] - -[package.dependencies] -ptyprocess = ">=0.5" - -[[package]] -name = "pip" -version = "24.2" -description = "The PyPA recommended tool for installing Python packages." -optional = false -python-versions = ">=3.8" -files = [ - {file = "pip-24.2-py3-none-any.whl", hash = "sha256:2cd581cf58ab7fcfca4ce8efa6dcacd0de5bf8d0a3eb9ec927e07405f4d9e2a2"}, - {file = "pip-24.2.tar.gz", hash = "sha256:5b5e490b5e9cb275c879595064adce9ebd31b854e3e803740b72f9ccf34a45b8"}, -] - -[[package]] -name = "pip-api" -version = "0.0.34" -description = "An unofficial, importable pip API" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pip_api-0.0.34-py3-none-any.whl", hash = "sha256:8b2d7d7c37f2447373aa2cf8b1f60a2f2b27a84e1e9e0294a3f6ef10eb3ba6bb"}, - {file = "pip_api-0.0.34.tar.gz", hash = "sha256:9b75e958f14c5a2614bae415f2adf7eeb54d50a2cfbe7e24fd4826471bac3625"}, -] - -[package.dependencies] -pip = "*" - -[[package]] -name = "pip-audit" -version = "2.7.3" -description = "A tool for scanning Python environments for known vulnerabilities" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pip_audit-2.7.3-py3-none-any.whl", hash = "sha256:46a11faee3323f76adf7987de8171daeb660e8f57d8088cc27fb1c1e5c7747b0"}, - {file = "pip_audit-2.7.3.tar.gz", hash = "sha256:08891bbf179bffe478521f150818112bae998424f58bf9285c0078965aef38bc"}, -] - -[package.dependencies] -CacheControl = {version = ">=0.13.0", extras = ["filecache"]} -cyclonedx-python-lib = ">=5,<8" -html5lib = ">=1.1" -packaging = ">=23.0.0" -pip-api = ">=0.0.28" -pip-requirements-parser = ">=32.0.0" -requests = ">=2.31.0" -rich = ">=12.4" -toml = ">=0.10" - -[package.extras] -dev = ["build", "bump (>=1.3.2)", "pip-audit[doc,lint,test]"] -doc = ["pdoc"] -lint = ["interrogate", "mypy", "ruff (<0.4.3)", "setuptools", "types-html5lib", "types-requests", "types-toml"] -test = ["coverage[toml] (>=7.0,!=7.3.3,<8.0)", "pretend", "pytest", "pytest-cov"] - -[[package]] -name = "pip-requirements-parser" -version = "32.0.1" -description = "pip requirements parser - a mostly correct pip requirements parsing library because it uses pip's own code." -optional = false -python-versions = ">=3.6.0" -files = [ - {file = "pip-requirements-parser-32.0.1.tar.gz", hash = "sha256:b4fa3a7a0be38243123cf9d1f3518da10c51bdb165a2b2985566247f9155a7d3"}, - {file = "pip_requirements_parser-32.0.1-py3-none-any.whl", hash = "sha256:4659bc2a667783e7a15d190f6fccf8b2486685b6dba4c19c3876314769c57526"}, -] - -[package.dependencies] -packaging = "*" -pyparsing = "*" - -[package.extras] -docs = ["Sphinx (>=3.3.1)", "doc8 (>=0.8.1)", "sphinx-rtd-theme (>=0.5.0)"] -testing = ["aboutcode-toolkit (>=6.0.0)", "black", "pytest (>=6,!=7.0.0)", "pytest-xdist (>=2)"] - -[[package]] -name = "pkginfo" -version = "1.11.1" -description = "Query metadata from sdists / bdists / installed packages." -optional = false -python-versions = ">=3.8" -files = [ - {file = "pkginfo-1.11.1-py3-none-any.whl", hash = "sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573"}, - {file = "pkginfo-1.11.1.tar.gz", hash = "sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa"}, -] - -[package.extras] -testing = ["pytest", "pytest-cov", "wheel"] - -[[package]] -name = "platformdirs" -version = "4.2.2" -description = "A small Python package for determining appropriate platform-specific dirs, e.g. a `user data dir`." -optional = false -python-versions = ">=3.8" -files = [ - {file = "platformdirs-4.2.2-py3-none-any.whl", hash = "sha256:2d7a1657e36a80ea911db832a8a6ece5ee53d8de21edd5cc5879af6530b1bfee"}, - {file = "platformdirs-4.2.2.tar.gz", hash = "sha256:38b7b51f512eed9e84a22788b4bce1de17c0adb134d6becb09836e37d8654cd3"}, -] - -[package.extras] -docs = ["furo (>=2023.9.10)", "proselint (>=0.13)", "sphinx (>=7.2.6)", "sphinx-autodoc-typehints (>=1.25.2)"] -test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=7.4.3)", "pytest-cov (>=4.1)", "pytest-mock (>=3.12)"] -type = ["mypy (>=1.8)"] - -[[package]] -name = "pluggy" -version = "1.5.0" -description = "plugin and hook calling mechanisms for python" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, - {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, -] - -[package.extras] -dev = ["pre-commit", "tox"] -testing = ["pytest", "pytest-benchmark"] - -[[package]] -name = "poetry" -version = "1.8.3" -description = "Python dependency management and packaging made easy." -optional = false -python-versions = "<4.0,>=3.8" -files = [ - {file = "poetry-1.8.3-py3-none-any.whl", hash = "sha256:88191c69b08d06f9db671b793d68f40048e8904c0718404b63dcc2b5aec62d13"}, - {file = "poetry-1.8.3.tar.gz", hash = "sha256:67f4eb68288eab41e841cc71a00d26cf6bdda9533022d0189a145a34d0a35f48"}, -] - -[package.dependencies] -build = ">=1.0.3,<2.0.0" -cachecontrol = {version = ">=0.14.0,<0.15.0", extras = ["filecache"]} -cleo = ">=2.1.0,<3.0.0" -crashtest = ">=0.4.1,<0.5.0" -dulwich = ">=0.21.2,<0.22.0" -fastjsonschema = ">=2.18.0,<3.0.0" -installer = ">=0.7.0,<0.8.0" -keyring = ">=24.0.0,<25.0.0" -packaging = ">=23.1" -pexpect = ">=4.7.0,<5.0.0" -pkginfo = ">=1.10,<2.0" -platformdirs = ">=3.0.0,<5" -poetry-core = "1.9.0" -poetry-plugin-export = ">=1.6.0,<2.0.0" -pyproject-hooks = ">=1.0.0,<2.0.0" -requests = ">=2.26,<3.0" -requests-toolbelt = ">=1.0.0,<2.0.0" -shellingham = ">=1.5,<2.0" -tomlkit = ">=0.11.4,<1.0.0" -trove-classifiers = ">=2022.5.19" -virtualenv = ">=20.23.0,<21.0.0" -xattr = {version = ">=1.0.0,<2.0.0", markers = "sys_platform == \"darwin\""} - -[[package]] -name = "poetry-core" -version = "1.9.0" -description = "Poetry PEP 517 Build Backend" -optional = false -python-versions = ">=3.8,<4.0" -files = [ - {file = "poetry_core-1.9.0-py3-none-any.whl", hash = "sha256:4e0c9c6ad8cf89956f03b308736d84ea6ddb44089d16f2adc94050108ec1f5a1"}, - {file = "poetry_core-1.9.0.tar.gz", hash = "sha256:fa7a4001eae8aa572ee84f35feb510b321bd652e5cf9293249d62853e1f935a2"}, -] - -[[package]] -name = "poetry-plugin-export" -version = "1.8.0" -description = "Poetry plugin to export the dependencies to various formats" -optional = false -python-versions = "<4.0,>=3.8" -files = [ - {file = "poetry_plugin_export-1.8.0-py3-none-any.whl", hash = "sha256:adbe232cfa0cc04991ea3680c865cf748bff27593b9abcb1f35fb50ed7ba2c22"}, - {file = "poetry_plugin_export-1.8.0.tar.gz", hash = "sha256:1fa6168a85d59395d835ca564bc19862a7c76061e60c3e7dfaec70d50937fc61"}, -] - -[package.dependencies] -poetry = ">=1.8.0,<3.0.0" -poetry-core = ">=1.7.0,<3.0.0" - -[[package]] -name = "ptyprocess" -version = "0.7.0" -description = "Run a subprocess in a pseudo terminal" -optional = false -python-versions = "*" -files = [ - {file = "ptyprocess-0.7.0-py2.py3-none-any.whl", hash = "sha256:4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35"}, - {file = "ptyprocess-0.7.0.tar.gz", hash = "sha256:5c5d0a3b48ceee0b48485e0c26037c0acd7d29765ca3fbb5cb3831d347423220"}, -] - -[[package]] -name = "py-serializable" -version = "1.1.0" -description = "Library for serializing and deserializing Python Objects to and from JSON and XML." -optional = false -python-versions = "<4.0,>=3.8" -files = [ - {file = "py_serializable-1.1.0-py3-none-any.whl", hash = "sha256:ae7ae4326b0d037b7e710f6e8bb1a97ece4ac2895a1f443a17ffd17f85547d76"}, - {file = "py_serializable-1.1.0.tar.gz", hash = "sha256:3311ab39063b131caca0fb75e2038153682e55576c67f24a2de72d402dccb6e0"}, -] - -[package.dependencies] -defusedxml = ">=0.7.1,<0.8.0" - -[[package]] -name = "pycparser" -version = "2.22" -description = "C parser in Python" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pycparser-2.22-py3-none-any.whl", hash = "sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc"}, - {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, -] - -[[package]] -name = "pygments" -version = "2.18.0" -description = "Pygments is a syntax highlighting package written in Python." -optional = false -python-versions = ">=3.8" -files = [ - {file = "pygments-2.18.0-py3-none-any.whl", hash = "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a"}, - {file = "pygments-2.18.0.tar.gz", hash = "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199"}, -] - -[package.extras] -windows-terminal = ["colorama (>=0.4.6)"] - -[[package]] -name = "pyparsing" -version = "3.1.4" -description = "pyparsing module - Classes and methods to define and execute parsing grammars" -optional = false -python-versions = ">=3.6.8" -files = [ - {file = "pyparsing-3.1.4-py3-none-any.whl", hash = "sha256:a6a7ee4235a3f944aa1fa2249307708f893fe5717dc603503c6c7969c070fb7c"}, - {file = "pyparsing-3.1.4.tar.gz", hash = "sha256:f86ec8d1a83f11977c9a6ea7598e8c27fc5cddfa5b07ea2241edbbde1d7bc032"}, -] - -[package.extras] -diagrams = ["jinja2", "railroad-diagrams"] - -[[package]] -name = "pyproject-hooks" -version = "1.1.0" -description = "Wrappers to call pyproject.toml-based build backend hooks." -optional = false -python-versions = ">=3.7" -files = [ - {file = "pyproject_hooks-1.1.0-py3-none-any.whl", hash = "sha256:7ceeefe9aec63a1064c18d939bdc3adf2d8aa1988a510afec15151578b232aa2"}, - {file = "pyproject_hooks-1.1.0.tar.gz", hash = "sha256:4b37730834edbd6bd37f26ece6b44802fb1c1ee2ece0e54ddff8bfc06db86965"}, -] - -[[package]] -name = "pytest" -version = "8.3.2" -description = "pytest: simple powerful testing with Python" -optional = false -python-versions = ">=3.8" -files = [ - {file = "pytest-8.3.2-py3-none-any.whl", hash = "sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5"}, - {file = "pytest-8.3.2.tar.gz", hash = "sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce"}, -] - -[package.dependencies] -colorama = {version = "*", markers = "sys_platform == \"win32\""} -iniconfig = "*" -packaging = "*" -pluggy = ">=1.5,<2" - -[package.extras] -dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] - -[[package]] -name = "pytest-cov" -version = "5.0.0" -description = "Pytest plugin for measuring coverage." -optional = false -python-versions = ">=3.8" -files = [ - {file = "pytest-cov-5.0.0.tar.gz", hash = "sha256:5837b58e9f6ebd335b0f8060eecce69b662415b16dc503883a02f45dfeb14857"}, - {file = "pytest_cov-5.0.0-py3-none-any.whl", hash = "sha256:4f0764a1219df53214206bf1feea4633c3b558a2925c8b59f144f682861ce652"}, -] - -[package.dependencies] -coverage = {version = ">=5.2.1", extras = ["toml"]} -pytest = ">=4.6" - -[package.extras] -testing = ["fields", "hunter", "process-tests", "pytest-xdist", "virtualenv"] - -[[package]] -name = "pywin32-ctypes" -version = "0.2.3" -description = "A (partial) reimplementation of pywin32 using ctypes/cffi" -optional = false -python-versions = ">=3.6" -files = [ - {file = "pywin32-ctypes-0.2.3.tar.gz", hash = "sha256:d162dc04946d704503b2edc4d55f3dba5c1d539ead017afa00142c38b9885755"}, - {file = "pywin32_ctypes-0.2.3-py3-none-any.whl", hash = "sha256:8a1513379d709975552d202d942d9837758905c8d01eb82b8bcc30918929e7b8"}, -] - -[[package]] -name = "rapidfuzz" -version = "3.9.7" -description = "rapid fuzzy string matching" -optional = false -python-versions = ">=3.8" -files = [ - {file = "rapidfuzz-3.9.7-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:ccf68e30b80e903f2309f90a438dbd640dd98e878eeb5ad361a288051ee5b75c"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:696a79018ef989bf1c9abd9005841cee18005ccad4748bad8a4c274c47b6241a"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c4eebf6c93af0ae866c22b403a84747580bb5c10f0d7b51c82a87f25405d4dcb"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:0e9125377fa3d21a8abd4fbdbcf1c27be73e8b1850f0b61b5b711364bf3b59db"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c12d180b17a22d107c8747de9c68d0b9c1d15dcda5445ff9bf9f4ccfb67c3e16"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:c1318d42610c26dcd68bd3279a1bf9e3605377260867c9a8ed22eafc1bd93a7c"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dd5fa6e3c6e0333051c1f3a49f0807b3366f4131c8d6ac8c3e05fd0d0ce3755c"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:fcf79b686962d7bec458a0babc904cb4fa319808805e036b9d5a531ee6b9b835"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-musllinux_1_2_i686.whl", hash = "sha256:8b01153c7466d0bad48fba77a303d5a768e66f24b763853469f47220b3de4661"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-musllinux_1_2_ppc64le.whl", hash = "sha256:94baaeea0b4f8632a6da69348b1e741043eba18d4e3088d674d3f76586b6223d"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-musllinux_1_2_s390x.whl", hash = "sha256:6c5b32875646cb7f60c193ade99b2e4b124f19583492115293cd00f6fb198b17"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:110b6294396bc0a447648627479c9320f095c2034c0537f687592e0f58622638"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-win32.whl", hash = "sha256:3445a35c4c8d288f2b2011eb61bce1227c633ce85a3154e727170f37c0266bb2"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-win_amd64.whl", hash = "sha256:0d1415a732ee75e74a90af12020b77a0b396b36c60afae1bde3208a78cd2c9fc"}, - {file = "rapidfuzz-3.9.7-cp310-cp310-win_arm64.whl", hash = "sha256:836f4d88b8bd0fff2ebe815dcaab8aa6c8d07d1d566a7e21dd137cf6fe11ed5b"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:d098ce6162eb5e48fceb0745455bc950af059df6113eec83e916c129fca11408"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:048d55d36c02c6685a2b2741688503c3d15149694506655b6169dcfd3b6c2585"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:c33211cfff9aec425bb1bfedaf94afcf337063aa273754f22779d6dadebef4c2"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e6d9db2fa4e9be171e9bb31cf2d2575574774966b43f5b951062bb2e67885852"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:d4e049d5ad61448c9a020d1061eba20944c4887d720c4069724beb6ea1692507"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cfa74aac64c85898b93d9c80bb935a96bf64985e28d4ee0f1a3d1f3bf11a5106"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:965693c2e9efd425b0f059f5be50ef830129f82892fa1858e220e424d9d0160f"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:8501000a5eb8037c4b56857724797fe5a8b01853c363de91c8d0d0ad56bef319"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8d92c552c6b7577402afdd547dcf5d31ea6c8ae31ad03f78226e055cfa37f3c6"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:1ee2086f490cb501d86b7e386c1eb4e3a0ccbb0c99067089efaa8c79012c8952"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:1de91e7fd7f525e10ea79a6e62c559d1b0278ec097ad83d9da378b6fab65a265"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:a4da514d13f4433e16960a17f05b67e0af30ac771719c9a9fb877e5004f74477"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-win32.whl", hash = "sha256:a40184c67db8252593ec518e17fb8a6e86d7259dc9f2d6c0bf4ff4db8cf1ad4b"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-win_amd64.whl", hash = "sha256:c4f28f1930b09a2c300357d8465b388cecb7e8b2f454a5d5425561710b7fd07f"}, - {file = "rapidfuzz-3.9.7-cp311-cp311-win_arm64.whl", hash = "sha256:675b75412a943bb83f1f53e2e54fd18c80ef15ed642dc6eb0382d1949419d904"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:1ef6a1a8f0b12f8722f595f15c62950c9a02d5abc64742561299ffd49f6c6944"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:32532af1d70c6ec02ea5ac7ee2766dfff7c8ae8c761abfe8da9e527314e634e8"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ae1a38bade755aa9dd95a81cda949e1bf9cd92b79341ccc5e2189c9e7bdfc5ec"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d73ee2df41224c87336448d279b5b6a3a75f36e41dd3dcf538c0c9cce36360d8"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:be3a1fc3e2ab3bdf93dc0c83c00acca8afd2a80602297d96cf4a0ba028333cdf"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:603f48f621272a448ff58bb556feb4371252a02156593303391f5c3281dfaeac"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:268f8e1ca50fc61c0736f3fe9d47891424adf62d96ed30196f30f4bd8216b41f"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:5f8bf3f0d02935751d8660abda6044821a861f6229f7d359f98bcdcc7e66c39b"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:b997ff3b39d4cee9fb025d6c46b0a24bd67595ce5a5b652a97fb3a9d60beb651"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:ca66676c8ef6557f9b81c5b2b519097817a7c776a6599b8d6fcc3e16edd216fe"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:35d3044cb635ca6b1b2b7b67b3597bd19f34f1753b129eb6d2ae04cf98cd3945"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:5a93c9e60904cb76e7aefef67afffb8b37c4894f81415ed513db090f29d01101"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-win32.whl", hash = "sha256:579d107102c0725f7c79b4e79f16d3cf4d7c9208f29c66b064fa1fd4641d5155"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-win_amd64.whl", hash = "sha256:953b3780765c8846866faf891ee4290f6a41a6dacf4fbcd3926f78c9de412ca6"}, - {file = "rapidfuzz-3.9.7-cp312-cp312-win_arm64.whl", hash = "sha256:7c20c1474b068c4bd45bf2fd0ad548df284f74e9a14a68b06746c56e3aa8eb70"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:fde81b1da9a947f931711febe2e2bee694e891f6d3e6aa6bc02c1884702aea19"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:47e92c155a14f44511ea8ebcc6bc1535a1fe8d0a7d67ad3cc47ba61606df7bcf"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8772b745668260c5c4d069c678bbaa68812e6c69830f3771eaad521af7bc17f8"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:578302828dd97ee2ba507d2f71d62164e28d2fc7bc73aad0d2d1d2afc021a5d5"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:fc3e6081069eea61593f1d6839029da53d00c8c9b205c5534853eaa3f031085c"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0b1c2d504eddf97bc0f2eba422c8915576dbf025062ceaca2d68aecd66324ad9"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6fb76e5a21034f0307c51c5a2fc08856f698c53a4c593b17d291f7d6e9d09ca3"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:d4ba2318ef670ce505f42881a5d2af70f948124646947341a3c6ccb33cd70369"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:057bb03f39e285047d7e9412e01ecf31bb2d42b9466a5409d715d587460dd59b"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:a8feac9006d5c9758438906f093befffc4290de75663dbb2098461df7c7d28dd"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:95b8292383e717e10455f2c917df45032b611141e43d1adf70f71b1566136b11"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:e9fbf659537d246086d0297628b3795dc3e4a384101ecc01e5791c827b8d7345"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-win32.whl", hash = "sha256:1dc516ac6d32027be2b0196bedf6d977ac26debd09ca182376322ad620460feb"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-win_amd64.whl", hash = "sha256:b4f86e09d3064dca0b014cd48688964036a904a2d28048f00c8f4640796d06a8"}, - {file = "rapidfuzz-3.9.7-cp313-cp313-win_arm64.whl", hash = "sha256:19c64d8ddb2940b42a4567b23f1681af77f50a5ff6c9b8e85daba079c210716e"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:fbda3dd68d8b28ccb20ffb6f756fefd9b5ba570a772bedd7643ed441f5793308"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:2379e0b2578ad3ac7004f223251550f08bca873ff76c169b09410ec562ad78d8"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d1eff95362f993b0276fd3839aee48625b09aac8938bb0c23b40d219cba5dc5"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:cd9360e30041690912525a210e48a897b49b230768cc8af1c702e5395690464f"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:a93cd834b3c315ab437f0565ee3a2f42dd33768dc885ccbabf9710b131cf70d2"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:4ff196996240db7075f62c7bc4506f40a3c80cd4ae3ab0e79ac6892283a90859"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:948dcee7aaa1cd14358b2a7ef08bf0be42bf89049c3a906669874a715fc2c937"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-musllinux_1_2_aarch64.whl", hash = "sha256:d95751f505a301af1aaf086c19f34536056d6c8efa91b2240de532a3db57b543"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-musllinux_1_2_i686.whl", hash = "sha256:90db86fa196eecf96cb6db09f1083912ea945c50c57188039392d810d0b784e1"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-musllinux_1_2_ppc64le.whl", hash = "sha256:3171653212218a162540a3c8eb8ae7d3dcc8548540b69eaecaf3b47c14d89c90"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-musllinux_1_2_s390x.whl", hash = "sha256:36dd6e820379c37a1ffefc8a52b648758e867cd9d78ee5b5dc0c9a6a10145378"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-musllinux_1_2_x86_64.whl", hash = "sha256:7b702de95666a1f7d5c6b47eacadfe2d2794af3742d63d2134767d13e5d1c713"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-win32.whl", hash = "sha256:9030e7238c0df51aed5c9c5ed8eee2bdd47a2ae788e562c1454af2851c3d1906"}, - {file = "rapidfuzz-3.9.7-cp38-cp38-win_amd64.whl", hash = "sha256:f847fb0fbfb72482b1c05c59cbb275c58a55b73708a7f77a83f8035ee3c86497"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:97f2ce529d2a70a60c290f6ab269a2bbf1d3b47b9724dccc84339b85f7afb044"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e2957fdad10bb83b1982b02deb3604a3f6911a5e545f518b59c741086f92d152"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:5d5262383634626eb45c536017204b8163a03bc43bda880cf1bdd7885db9a163"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:364587827d7cbd41afa0782adc2d2d19e3f07d355b0750a02a8e33ad27a9c368"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ecc24af7f905f3d6efb371a01680116ffea8d64e266618fb9ad1602a9b4f7934"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9dc86aa6b29d174713c5f4caac35ffb7f232e3e649113e8d13812b35ab078228"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e3dcfbe7266e74a707173a12a7b355a531f2dcfbdb32f09468e664330da14874"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-musllinux_1_2_aarch64.whl", hash = "sha256:b23806fbdd6b510ba9ac93bb72d503066263b0fba44b71b835be9f063a84025f"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-musllinux_1_2_i686.whl", hash = "sha256:5551d68264c1bb6943f542da83a4dc8940ede52c5847ef158698799cc28d14f5"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-musllinux_1_2_ppc64le.whl", hash = "sha256:13d8675a1fa7e2b19650ca7ef9a6ec01391d4bb12ab9e0793e8eb024538b4a34"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-musllinux_1_2_s390x.whl", hash = "sha256:9b6a5de507b9be6de688dae40143b656f7a93b10995fb8bd90deb555e7875c60"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-musllinux_1_2_x86_64.whl", hash = "sha256:111a20a3c090cf244d9406e60500b6c34b2375ba3a5009e2b38fd806fe38e337"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-win32.whl", hash = "sha256:22589c0b8ccc6c391ce7f776c93a8c92c96ab8d34e1a19f1bd2b12a235332632"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-win_amd64.whl", hash = "sha256:6f83221db5755b8f34222e40607d87f1176a8d5d4dbda4a55a0f0b67d588a69c"}, - {file = "rapidfuzz-3.9.7-cp39-cp39-win_arm64.whl", hash = "sha256:3665b92e788578c3bb334bd5b5fa7ee1a84bafd68be438e3110861d1578c63a0"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-macosx_10_15_x86_64.whl", hash = "sha256:d7df9c2194c7ec930b33c991c55dbd0c10951bd25800c0b7a7b571994ebbced5"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-macosx_11_0_arm64.whl", hash = "sha256:68bd888eafd07b09585dcc8bc2716c5ecdb7eed62827470664d25588982b2873"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:d1230e0f9026851a6a432beaa0ce575dda7b39fe689b576f99a0704fbb81fc9c"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a3b36e1c61b796ae1777f3e9e11fd39898b09d351c9384baf6e3b7e6191d8ced"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9dba13d86806fcf3fe9c9919f58575e0090eadfb89c058bde02bcc7ab24e4548"}, - {file = "rapidfuzz-3.9.7-pp310-pypy310_pp73-win_amd64.whl", hash = "sha256:1f1a33e84056b7892c721d84475d3bde49a145126bc4c6efe0d6d0d59cb31c29"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:3492c7a42b7fa9f0051d7fcce9893e95ed91c97c9ec7fb64346f3e070dd318ed"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-macosx_11_0_arm64.whl", hash = "sha256:ece45eb2af8b00f90d10f7419322e8804bd42fb1129026f9bfe712c37508b514"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9dcd14cf4876f04b488f6e54a7abd3e9b31db5f5a6aba0ce90659917aaa8c088"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:521c58c72ed8a612b25cda378ff10dee17e6deb4ee99a070b723519a345527b9"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:18669bb6cdf7d40738526d37e550df09ba065b5a7560f3d802287988b6cb63cf"}, - {file = "rapidfuzz-3.9.7-pp38-pypy38_pp73-win_amd64.whl", hash = "sha256:7abe2dbae81120a64bb4f8d3fcafe9122f328c9f86d7f327f174187a5af4ed86"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-macosx_10_15_x86_64.whl", hash = "sha256:a3c0783910911f4f24655826d007c9f4360f08107410952c01ee3df98c713eb2"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-macosx_11_0_arm64.whl", hash = "sha256:03126f9a040ff21d2a110610bfd6b93b79377ce8b4121edcb791d61b7df6eec5"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:591908240f4085e2ade5b685c6e8346e2ed44932cffeaac2fb32ddac95b55c7f"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e9012d86c6397edbc9da4ac0132de7f8ee9d6ce857f4194d5684c4ddbcdd1c5c"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:df596ddd3db38aa513d4c0995611267b3946e7cbe5a8761b50e9306dfec720ee"}, - {file = "rapidfuzz-3.9.7-pp39-pypy39_pp73-win_amd64.whl", hash = "sha256:3ed5adb752f4308fcc8f4fb6f8eb7aa4082f9d12676fda0a74fa5564242a8107"}, - {file = "rapidfuzz-3.9.7.tar.gz", hash = "sha256:f1c7296534c1afb6f495aa95871f14ccdc197c6db42965854e483100df313030"}, -] - -[package.extras] -full = ["numpy"] - -[[package]] -name = "requests" -version = "2.32.3" -description = "Python HTTP for Humans." -optional = false -python-versions = ">=3.8" -files = [ - {file = "requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6"}, - {file = "requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760"}, -] - -[package.dependencies] -certifi = ">=2017.4.17" -charset-normalizer = ">=2,<4" -idna = ">=2.5,<4" -urllib3 = ">=1.21.1,<3" - -[package.extras] -socks = ["PySocks (>=1.5.6,!=1.5.7)"] -use-chardet-on-py3 = ["chardet (>=3.0.2,<6)"] - -[[package]] -name = "requests-toolbelt" -version = "1.0.0" -description = "A utility belt for advanced users of python-requests" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*" -files = [ - {file = "requests-toolbelt-1.0.0.tar.gz", hash = "sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6"}, - {file = "requests_toolbelt-1.0.0-py2.py3-none-any.whl", hash = "sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06"}, -] - -[package.dependencies] -requests = ">=2.0.1,<3.0.0" - -[[package]] -name = "rich" -version = "13.8.0" -description = "Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal" -optional = false -python-versions = ">=3.7.0" -files = [ - {file = "rich-13.8.0-py3-none-any.whl", hash = "sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc"}, - {file = "rich-13.8.0.tar.gz", hash = "sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4"}, -] - -[package.dependencies] -markdown-it-py = ">=2.2.0" -pygments = ">=2.13.0,<3.0.0" - -[package.extras] -jupyter = ["ipywidgets (>=7.5.1,<9)"] - -[[package]] -name = "ruff" -version = "0.6.4" -description = "An extremely fast Python linter and code formatter, written in Rust." -optional = false -python-versions = ">=3.7" -files = [ - {file = "ruff-0.6.4-py3-none-linux_armv6l.whl", hash = "sha256:c4b153fc152af51855458e79e835fb6b933032921756cec9af7d0ba2aa01a258"}, - {file = "ruff-0.6.4-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:bedff9e4f004dad5f7f76a9d39c4ca98af526c9b1695068198b3bda8c085ef60"}, - {file = "ruff-0.6.4-py3-none-macosx_11_0_arm64.whl", hash = "sha256:d02a4127a86de23002e694d7ff19f905c51e338c72d8e09b56bfb60e1681724f"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:7862f42fc1a4aca1ea3ffe8a11f67819d183a5693b228f0bb3a531f5e40336fc"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:eebe4ff1967c838a1a9618a5a59a3b0a00406f8d7eefee97c70411fefc353617"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:932063a03bac394866683e15710c25b8690ccdca1cf192b9a98260332ca93408"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:50e30b437cebef547bd5c3edf9ce81343e5dd7c737cb36ccb4fe83573f3d392e"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:c44536df7b93a587de690e124b89bd47306fddd59398a0fb12afd6133c7b3818"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:0ea086601b22dc5e7693a78f3fcfc460cceabfdf3bdc36dc898792aba48fbad6"}, - {file = "ruff-0.6.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0b52387d3289ccd227b62102c24714ed75fbba0b16ecc69a923a37e3b5e0aaaa"}, - {file = "ruff-0.6.4-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:0308610470fcc82969082fc83c76c0d362f562e2f0cdab0586516f03a4e06ec6"}, - {file = "ruff-0.6.4-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:803b96dea21795a6c9d5bfa9e96127cc9c31a1987802ca68f35e5c95aed3fc0d"}, - {file = "ruff-0.6.4-py3-none-musllinux_1_2_i686.whl", hash = "sha256:66dbfea86b663baab8fcae56c59f190caba9398df1488164e2df53e216248baa"}, - {file = "ruff-0.6.4-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:34d5efad480193c046c86608dbba2bccdc1c5fd11950fb271f8086e0c763a5d1"}, - {file = "ruff-0.6.4-py3-none-win32.whl", hash = "sha256:f0f8968feea5ce3777c0d8365653d5e91c40c31a81d95824ba61d871a11b8523"}, - {file = "ruff-0.6.4-py3-none-win_amd64.whl", hash = "sha256:549daccee5227282289390b0222d0fbee0275d1db6d514550d65420053021a58"}, - {file = "ruff-0.6.4-py3-none-win_arm64.whl", hash = "sha256:ac4b75e898ed189b3708c9ab3fc70b79a433219e1e87193b4f2b77251d058d14"}, - {file = "ruff-0.6.4.tar.gz", hash = "sha256:ac3b5bfbee99973f80aa1b7cbd1c9cbce200883bdd067300c22a6cc1c7fba212"}, -] - -[[package]] -name = "secretstorage" -version = "3.3.3" -description = "Python bindings to FreeDesktop.org Secret Service API" -optional = false -python-versions = ">=3.6" -files = [ - {file = "SecretStorage-3.3.3-py3-none-any.whl", hash = "sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99"}, - {file = "SecretStorage-3.3.3.tar.gz", hash = "sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77"}, -] - -[package.dependencies] -cryptography = ">=2.0" -jeepney = ">=0.6" - -[[package]] -name = "setuptools" -version = "74.1.1" -description = "Easily download, build, install, upgrade, and uninstall Python packages" -optional = false -python-versions = ">=3.8" -files = [ - {file = "setuptools-74.1.1-py3-none-any.whl", hash = "sha256:fc91b5f89e392ef5b77fe143b17e32f65d3024744fba66dc3afe07201684d766"}, - {file = "setuptools-74.1.1.tar.gz", hash = "sha256:2353af060c06388be1cecbf5953dcdb1f38362f87a2356c480b6b4d5fcfc8847"}, -] - -[package.extras] -check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)", "ruff (>=0.5.2)"] -core = ["importlib-metadata (>=6)", "importlib-resources (>=5.10.2)", "jaraco.text (>=3.7)", "more-itertools (>=8.8)", "packaging (>=24)", "platformdirs (>=2.6.2)", "tomli (>=2.0.1)", "wheel (>=0.43.0)"] -cover = ["pytest-cov"] -doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "pygments-github-lexers (==0.0.5)", "pyproject-hooks (!=1.1)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-favicon", "sphinx-inline-tabs", "sphinx-lint", "sphinx-notfound-page (>=1,<2)", "sphinx-reredirects", "sphinxcontrib-towncrier", "towncrier (<24.7)"] -enabler = ["pytest-enabler (>=2.2)"] -test = ["build[virtualenv] (>=1.0.3)", "filelock (>=3.4.0)", "ini2toml[lite] (>=0.14)", "jaraco.develop (>=7.21)", "jaraco.envs (>=2.2)", "jaraco.path (>=3.2.0)", "jaraco.test", "packaging (>=23.2)", "pip (>=19.1)", "pyproject-hooks (!=1.1)", "pytest (>=6,!=8.1.*)", "pytest-home (>=0.5)", "pytest-perf", "pytest-subprocess", "pytest-timeout", "pytest-xdist (>=3)", "tomli-w (>=1.0.0)", "virtualenv (>=13.0.0)", "wheel (>=0.44.0)"] -type = ["importlib-metadata (>=7.0.2)", "jaraco.develop (>=7.21)", "mypy (==1.11.*)", "pytest-mypy"] - -[[package]] -name = "shellingham" -version = "1.5.4" -description = "Tool to Detect Surrounding Shell" -optional = false -python-versions = ">=3.7" -files = [ - {file = "shellingham-1.5.4-py2.py3-none-any.whl", hash = "sha256:7ecfff8f2fd72616f7481040475a65b2bf8af90a56c89140852d1120324e8686"}, - {file = "shellingham-1.5.4.tar.gz", hash = "sha256:8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de"}, -] - -[[package]] -name = "six" -version = "1.16.0" -description = "Python 2 and 3 compatibility utilities" -optional = false -python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "six-1.16.0-py2.py3-none-any.whl", hash = "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254"}, - {file = "six-1.16.0.tar.gz", hash = "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926"}, -] - -[[package]] -name = "sortedcontainers" -version = "2.4.0" -description = "Sorted Containers -- Sorted List, Sorted Dict, Sorted Set" -optional = false -python-versions = "*" -files = [ - {file = "sortedcontainers-2.4.0-py2.py3-none-any.whl", hash = "sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0"}, - {file = "sortedcontainers-2.4.0.tar.gz", hash = "sha256:25caa5a06cc30b6b83d11423433f65d1f9d76c4c6a0c90e3379eaa43b9bfdb88"}, -] - -[[package]] -name = "toml" -version = "0.10.2" -description = "Python Library for Tom's Obvious, Minimal Language" -optional = false -python-versions = ">=2.6, !=3.0.*, !=3.1.*, !=3.2.*" -files = [ - {file = "toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b"}, - {file = "toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f"}, -] - -[[package]] -name = "tomlkit" -version = "0.13.2" -description = "Style preserving TOML library" -optional = false -python-versions = ">=3.8" -files = [ - {file = "tomlkit-0.13.2-py3-none-any.whl", hash = "sha256:7a974427f6e119197f670fbbbeae7bef749a6c14e793db934baefc1b5f03efde"}, - {file = "tomlkit-0.13.2.tar.gz", hash = "sha256:fff5fe59a87295b278abd31bec92c15d9bc4a06885ab12bcea52c71119392e79"}, -] - -[[package]] -name = "trove-classifiers" -version = "2024.7.2" -description = "Canonical source for classifiers on PyPI (pypi.org)." -optional = false -python-versions = "*" -files = [ - {file = "trove_classifiers-2024.7.2-py3-none-any.whl", hash = "sha256:ccc57a33717644df4daca018e7ec3ef57a835c48e96a1e71fc07eb7edac67af6"}, - {file = "trove_classifiers-2024.7.2.tar.gz", hash = "sha256:8328f2ac2ce3fd773cbb37c765a0ed7a83f89dc564c7d452f039b69249d0ac35"}, -] - -[[package]] -name = "urllib3" -version = "2.2.2" -description = "HTTP library with thread-safe connection pooling, file post, and more." -optional = false -python-versions = ">=3.8" -files = [ - {file = "urllib3-2.2.2-py3-none-any.whl", hash = "sha256:a448b2f64d686155468037e1ace9f2d2199776e17f0a46610480d311f73e3472"}, - {file = "urllib3-2.2.2.tar.gz", hash = "sha256:dd505485549a7a552833da5e6063639d0d177c04f23bc3864e41e5dc5f612168"}, -] - -[package.extras] -brotli = ["brotli (>=1.0.9)", "brotlicffi (>=0.8.0)"] -h2 = ["h2 (>=4,<5)"] -socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] -zstd = ["zstandard (>=0.18.0)"] - -[[package]] -name = "uv" -version = "0.4.4" -description = "An extremely fast Python package and project manager, written in Rust." -optional = false -python-versions = ">=3.8" -files = [ - {file = "uv-0.4.4-py3-none-linux_armv6l.whl", hash = "sha256:918d4da22f9ff4403dc72dfb4c58c994400a64797a3a17f00f5c0d3717d1cb8c"}, - {file = "uv-0.4.4-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:c1b7db1db176e46184c974ed30687671ec5d67cfcce34c7ed4a63141ecb6c70e"}, - {file = "uv-0.4.4-py3-none-macosx_11_0_arm64.whl", hash = "sha256:0c9ada2fbfe3ca29c50914acd714fe35100ab56fdb83510d1aadd00d55191d1b"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_aarch64.manylinux2014_aarch64.musllinux_1_1_aarch64.whl", hash = "sha256:dc881ea11dcb443940bbac5d7601cd7c74f80e7086c2e310e86ebf10d1c8816b"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:433c69a6e7f35c865172d69e51bf78521a9d87eac6f8772af04667f5d25cc9a9"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:dd94e5be00a0a06ab5cbba7014720440a12bae73150d8146bc3535f3a22ff069"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_ppc64.manylinux2014_ppc64.whl", hash = "sha256:0d51db6bf89b7b0a4aae229f7efee00fc52a1d7391605f3b789996f9c7986653"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:3e9139f171329b6fa40a064f9e7923848d44e60bc31da138758695ec34d8200d"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:9ba6abad0a531181bcb90b9af818e2490211f2d4b3eb83eb2a27df1f07f299fb"}, - {file = "uv-0.4.4-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8ba084d6d5baf92a3cfe41a20fd912dea4e2ea3eca8401f1892394c5c2b79c92"}, - {file = "uv-0.4.4-py3-none-manylinux_2_28_aarch64.whl", hash = "sha256:0d0af47198dc4ca635540b72c933219c6c967885788fd1f651112f168fcade0a"}, - {file = "uv-0.4.4-py3-none-musllinux_1_1_armv7l.whl", hash = "sha256:d66242bba1bbec847b77fcdc7d3191eab733189213a5d2717dbda1ff04e24b46"}, - {file = "uv-0.4.4-py3-none-musllinux_1_1_i686.whl", hash = "sha256:f866f9a44982ef8041a982c3197a17e18d4a8ac7717b4462477ea0ca6a088a52"}, - {file = "uv-0.4.4-py3-none-musllinux_1_1_ppc64le.whl", hash = "sha256:14f06ed0e0f163c9ec8b26f4fc2df14530080e405d7348ad0c59f9c296c55918"}, - {file = "uv-0.4.4-py3-none-musllinux_1_1_x86_64.whl", hash = "sha256:051589ab42bfdb2997ea61a56a78a2bab0b6ae7d014f96a578dcc5f9d8766757"}, - {file = "uv-0.4.4-py3-none-win32.whl", hash = "sha256:d2e2c9db83efd81b0b8dcaa45533b461b058d5aec49a6ed6cc98832e56e45856"}, - {file = "uv-0.4.4-py3-none-win_amd64.whl", hash = "sha256:da3a77ad858be5239ae33509ddfeaf097d7bda77fc0b2a42994cbec32cef4769"}, - {file = "uv-0.4.4.tar.gz", hash = "sha256:718bbdf0675eab8d15f52041725b60743a9496fde3dc493d34913aa4a15f0a81"}, -] - -[[package]] -name = "virtualenv" -version = "20.26.3" -description = "Virtual Python Environment builder" -optional = false -python-versions = ">=3.7" -files = [ - {file = "virtualenv-20.26.3-py3-none-any.whl", hash = "sha256:8cc4a31139e796e9a7de2cd5cf2489de1217193116a8fd42328f1bd65f434589"}, - {file = "virtualenv-20.26.3.tar.gz", hash = "sha256:4c43a2a236279d9ea36a0d76f98d84bd6ca94ac4e0f4a3b9d46d05e10fea542a"}, -] - -[package.dependencies] -distlib = ">=0.3.7,<1" -filelock = ">=3.12.2,<4" -platformdirs = ">=3.9.1,<5" - -[package.extras] -docs = ["furo (>=2023.7.26)", "proselint (>=0.13)", "sphinx (>=7.1.2,!=7.3)", "sphinx-argparse (>=0.4)", "sphinxcontrib-towncrier (>=0.2.1a0)", "towncrier (>=23.6)"] -test = ["covdefaults (>=2.3)", "coverage (>=7.2.7)", "coverage-enable-subprocess (>=1)", "flaky (>=3.7)", "packaging (>=23.1)", "pytest (>=7.4)", "pytest-env (>=0.8.2)", "pytest-freezer (>=0.4.8)", "pytest-mock (>=3.11.1)", "pytest-randomly (>=3.12)", "pytest-timeout (>=2.1)", "setuptools (>=68)", "time-machine (>=2.10)"] - -[[package]] -name = "webencodings" -version = "0.5.1" -description = "Character encoding aliases for legacy web content" -optional = false -python-versions = "*" -files = [ - {file = "webencodings-0.5.1-py2.py3-none-any.whl", hash = "sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78"}, - {file = "webencodings-0.5.1.tar.gz", hash = "sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923"}, -] - -[[package]] -name = "xattr" -version = "1.1.0" -description = "Python wrapper for extended filesystem attributes" -optional = false -python-versions = ">=3.8" -files = [ - {file = "xattr-1.1.0-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:ef2fa0f85458736178fd3dcfeb09c3cf423f0843313e25391db2cfd1acec8888"}, - {file = "xattr-1.1.0-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:ccab735d0632fe71f7d72e72adf886f45c18b7787430467ce0070207882cfe25"}, - {file = "xattr-1.1.0-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:9013f290387f1ac90bccbb1926555ca9aef75651271098d99217284d9e010f7c"}, - {file = "xattr-1.1.0-cp310-cp310-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9dcd5dfbcee73c7be057676ecb900cabb46c691aff4397bf48c579ffb30bb963"}, - {file = "xattr-1.1.0-cp310-cp310-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6480589c1dac7785d1f851347a32c4a97305937bf7b488b857fe8b28a25de9e9"}, - {file = "xattr-1.1.0-cp310-cp310-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:08f61cbed52dc6f7c181455826a9ff1e375ad86f67dd9d5eb7663574abb32451"}, - {file = "xattr-1.1.0-cp310-cp310-musllinux_1_1_aarch64.whl", hash = "sha256:918e1f83f2e8a072da2671eac710871ee5af337e9bf8554b5ce7f20cdb113186"}, - {file = "xattr-1.1.0-cp310-cp310-musllinux_1_1_i686.whl", hash = "sha256:0f06e0c1e4d06b4e0e49aaa1184b6f0e81c3758c2e8365597918054890763b53"}, - {file = "xattr-1.1.0-cp310-cp310-musllinux_1_1_x86_64.whl", hash = "sha256:46a641ac038a9f53d2f696716147ca4dbd6a01998dc9cd4bc628801bc0df7f4d"}, - {file = "xattr-1.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:7e4ca0956fd11679bb2e0c0d6b9cdc0f25470cc00d8da173bb7656cc9a9cf104"}, - {file = "xattr-1.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:6881b120f9a4b36ccd8a28d933bc0f6e1de67218b6ce6e66874e0280fc006844"}, - {file = "xattr-1.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:dab29d9288aa28e68a6f355ddfc3f0a7342b40c9012798829f3e7bd765e85c2c"}, - {file = "xattr-1.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:e0c80bbf55339c93770fc294b4b6586b5bf8e85ec00a4c2d585c33dbd84b5006"}, - {file = "xattr-1.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:d1418705f253b6b6a7224b69773842cac83fcbcd12870354b6e11dd1cd54630f"}, - {file = "xattr-1.1.0-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:687e7d18611ef8d84a6ecd8f4d1ab6757500c1302f4c2046ce0aa3585e13da3f"}, - {file = "xattr-1.1.0-cp311-cp311-musllinux_1_1_aarch64.whl", hash = "sha256:b6ceb9efe0657a982ccb8b8a2efe96b690891779584c901d2f920784e5d20ae3"}, - {file = "xattr-1.1.0-cp311-cp311-musllinux_1_1_i686.whl", hash = "sha256:b489b7916f239100956ea0b39c504f3c3a00258ba65677e4c8ba1bd0b5513446"}, - {file = "xattr-1.1.0-cp311-cp311-musllinux_1_1_x86_64.whl", hash = "sha256:0a9c431b0e66516a078125e9a273251d4b8e5ba84fe644b619f2725050d688a0"}, - {file = "xattr-1.1.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:1a5921ea3313cc1c57f2f53b63ea8ca9a91e48f4cc7ebec057d2447ec82c7efe"}, - {file = "xattr-1.1.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:f6ad2a7bd5e6cf71d4a862413234a067cf158ca0ae94a40d4b87b98b62808498"}, - {file = "xattr-1.1.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:0683dae7609f7280b0c89774d00b5957e6ffcb181c6019c46632b389706b77e6"}, - {file = "xattr-1.1.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:54cb15cd94e5ef8a0ef02309f1bf973ba0e13c11e87686e983f371948cfee6af"}, - {file = "xattr-1.1.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff6223a854229055e803c2ad0c0ea9a6da50c6be30d92c198cf5f9f28819a921"}, - {file = "xattr-1.1.0-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:d44e8f955218638c9ab222eed21e9bd9ab430d296caf2176fb37abe69a714e5c"}, - {file = "xattr-1.1.0-cp312-cp312-musllinux_1_1_aarch64.whl", hash = "sha256:caab2c2986c30f92301f12e9c50415d324412e8e6a739a52a603c3e6a54b3610"}, - {file = "xattr-1.1.0-cp312-cp312-musllinux_1_1_i686.whl", hash = "sha256:d6eb7d5f281014cd44e2d847a9107491af1bf3087f5afeded75ed3e37ec87239"}, - {file = "xattr-1.1.0-cp312-cp312-musllinux_1_1_x86_64.whl", hash = "sha256:47a3bdfe034b4fdb70e5941d97037405e3904accc28e10dbef6d1c9061fb6fd7"}, - {file = "xattr-1.1.0-cp38-cp38-macosx_10_9_universal2.whl", hash = "sha256:00d2b415cf9d6a24112d019e721aa2a85652f7bbc9f3b9574b2d1cd8668eb491"}, - {file = "xattr-1.1.0-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:78b377832dd0ee408f9f121a354082c6346960f7b6b1480483ed0618b1912120"}, - {file = "xattr-1.1.0-cp38-cp38-macosx_11_0_arm64.whl", hash = "sha256:6461a43b585e5f2e049b39bcbfcb6391bfef3c5118231f1b15d10bdb89ef17fe"}, - {file = "xattr-1.1.0-cp38-cp38-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:24d97f0d28f63695e3344ffdabca9fcc30c33e5c8ccc198c7524361a98d526f2"}, - {file = "xattr-1.1.0-cp38-cp38-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:6ad47d89968c9097900607457a0c89160b4771601d813e769f68263755516065"}, - {file = "xattr-1.1.0-cp38-cp38-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dc53cab265f6e8449bd683d5ee3bc5a191e6dd940736f3de1a188e6da66b0653"}, - {file = "xattr-1.1.0-cp38-cp38-musllinux_1_1_aarch64.whl", hash = "sha256:cd11e917f5b89f2a0ad639d9875943806c6c9309a3dd02da5a3e8ef92db7bed9"}, - {file = "xattr-1.1.0-cp38-cp38-musllinux_1_1_i686.whl", hash = "sha256:9c5a78c7558989492c4cb7242e490ffb03482437bf782967dfff114e44242343"}, - {file = "xattr-1.1.0-cp38-cp38-musllinux_1_1_x86_64.whl", hash = "sha256:cebcf8a303a44fbc439b68321408af7267507c0d8643229dbb107f6c132d389c"}, - {file = "xattr-1.1.0-cp39-cp39-macosx_10_9_universal2.whl", hash = "sha256:b0d73150f2f9655b4da01c2369eb33a294b7f9d56eccb089819eafdbeb99f896"}, - {file = "xattr-1.1.0-cp39-cp39-macosx_10_9_x86_64.whl", hash = "sha256:793c01deaadac50926c0e1481702133260c7cb5e62116762f6fe1543d07b826f"}, - {file = "xattr-1.1.0-cp39-cp39-macosx_11_0_arm64.whl", hash = "sha256:e189e440bcd04ccaad0474720abee6ee64890823ec0db361fb0a4fb5e843a1bf"}, - {file = "xattr-1.1.0-cp39-cp39-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:afacebbc1fa519f41728f8746a92da891c7755e6745164bd0d5739face318e86"}, - {file = "xattr-1.1.0-cp39-cp39-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:9b1664edf003153ac8d1911e83a0fc60db1b1b374ee8ac943f215f93754a1102"}, - {file = "xattr-1.1.0-cp39-cp39-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:dda2684228798e937a7c29b0e1c7ef3d70e2b85390a69b42a1c61b2039ba81de"}, - {file = "xattr-1.1.0-cp39-cp39-musllinux_1_1_aarch64.whl", hash = "sha256:b735ac2625a4fc2c9343b19f806793db6494336338537d2911c8ee4c390dda46"}, - {file = "xattr-1.1.0-cp39-cp39-musllinux_1_1_i686.whl", hash = "sha256:fa6a7af7a4ada43f15ccc58b6f9adcdbff4c36ba040013d2681e589e07ae280a"}, - {file = "xattr-1.1.0-cp39-cp39-musllinux_1_1_x86_64.whl", hash = "sha256:d1059b2f726e2702c8bbf9bbf369acfc042202a4cc576c2dec6791234ad5e948"}, - {file = "xattr-1.1.0-pp310-pypy310_pp73-macosx_10_9_x86_64.whl", hash = "sha256:e2255f36ebf2cb2dbf772a7437ad870836b7396e60517211834cf66ce678b595"}, - {file = "xattr-1.1.0-pp310-pypy310_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dba4f80b9855cc98513ddf22b7ad8551bc448c70d3147799ea4f6c0b758fb466"}, - {file = "xattr-1.1.0-pp310-pypy310_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:4cb70c16e7c3ae6ba0ab6c6835c8448c61d8caf43ea63b813af1f4dbe83dd156"}, - {file = "xattr-1.1.0-pp310-pypy310_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:83652910ef6a368b77b00825ad67815e5c92bfab551a848ca66e9981d14a7519"}, - {file = "xattr-1.1.0-pp38-pypy38_pp73-macosx_10_9_x86_64.whl", hash = "sha256:7a92aff66c43fa3e44cbeab7cbeee66266c91178a0f595e044bf3ce51485743b"}, - {file = "xattr-1.1.0-pp38-pypy38_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:9d4f71b673339aeaae1f6ea9ef8ea6c9643c8cd0df5003b9a0eaa75403e2e06c"}, - {file = "xattr-1.1.0-pp38-pypy38_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a20de1c47b5cd7b47da61799a3b34e11e5815d716299351f82a88627a43f9a96"}, - {file = "xattr-1.1.0-pp38-pypy38_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:23705c7079b05761ff2fa778ad17396e7599c8759401abc05b312dfb3bc99f69"}, - {file = "xattr-1.1.0-pp39-pypy39_pp73-macosx_10_9_x86_64.whl", hash = "sha256:27272afeba8422f2a9d27e1080a9a7b807394e88cce73db9ed8d2dde3afcfb87"}, - {file = "xattr-1.1.0-pp39-pypy39_pp73-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:dd43978966de3baf4aea367c99ffa102b289d6c2ea5f3d9ce34a203dc2f2ab73"}, - {file = "xattr-1.1.0-pp39-pypy39_pp73-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ded771eaf27bb4eb3c64c0d09866460ee8801d81dc21097269cf495b3cac8657"}, - {file = "xattr-1.1.0-pp39-pypy39_pp73-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:96ca300c0acca4f0cddd2332bb860ef58e1465d376364f0e72a1823fdd58e90d"}, - {file = "xattr-1.1.0.tar.gz", hash = "sha256:fecbf3b05043ed3487a28190dec3e4c4d879b2fcec0e30bafd8ec5d4b6043630"}, -] - -[package.dependencies] -cffi = ">=1.16.0" - -[package.extras] -test = ["pytest"] - -[[package]] -name = "zipp" -version = "3.20.1" -description = "Backport of pathlib-compatible object wrapper for zip files" -optional = false -python-versions = ">=3.8" -files = [ - {file = "zipp-3.20.1-py3-none-any.whl", hash = "sha256:9960cd8967c8f85a56f920d5d507274e74f9ff813a0ab8889a5b5be2daf44064"}, - {file = "zipp-3.20.1.tar.gz", hash = "sha256:c22b14cc4763c5a5b04134207736c107db42e9d3ef2d9779d465f5f1bcba572b"}, -] - -[package.extras] -check = ["pytest-checkdocs (>=2.4)", "pytest-ruff (>=0.2.1)"] -cover = ["pytest-cov"] -doc = ["furo", "jaraco.packaging (>=9.3)", "jaraco.tidelift (>=1.4)", "rst.linker (>=1.9)", "sphinx (>=3.5)", "sphinx-lint"] -enabler = ["pytest-enabler (>=2.2)"] -test = ["big-O", "importlib-resources", "jaraco.functools", "jaraco.itertools", "jaraco.test", "more-itertools", "pytest (>=6,!=8.1.*)", "pytest-ignore-flaky"] -type = ["pytest-mypy"] - -[metadata] -lock-version = "2.0" -python-versions = "^3.11" -content-hash = "2b7d0839074040e51ed2f30877b51557a8feefa6ca16b43074d8b8e11fe4d74d" diff --git a/pyproject.toml b/pyproject.toml index 1f65be5..4fc92cc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,27 +1,24 @@ -[tool.poetry] +[project] name = "ssvc" -version = "1.0.10" +version = "1.0.11" description = "A Python implementation of the Stakeholder-Specific Vulnerability Categorization framework." -authors = ["Christopher Langton "] +authors = [{name = "Christopher Langton", email = "chris@vulnetix.app"}] readme = "PYPI.md" +requires-python = ">=3.11" +dependencies = [ +] +license = {file = "LICENSE"} -[tool.poetry.dependencies] -python = "^3.11" +[project.optional-dependencies] +test = [ + "pytest-cov>=6.0.0", + "pytest>=8.3.4", + "coverage-badge>=1.1.2", +] +sec = [ + "pip-audit>=2.7.3", +] -[tool.poetry.group.dev.dependencies] -setuptools = ">=69.5.1,<75.0.0" -uv = ">=0.2.4,<0.5.0" -isort = "^5.13.2" -pytest = "^8.3.2" -pytest-cov = "^5.0.0" -coverage-badge = "^1.1.2" -ruff = ">=0.4.5,<0.7.0" -pip-audit = "^2.7.3" -poetry = "^1.8.3" - -[build-system] -requires = ["poetry-core>=1.0.0"] -build-backend = "poetry.core.masonry.api" - -[tool.poetry.urls] -"Repository" = "https://github.com/chrisdlangton/python-ssvc.git" +[project.urls] +Homepage = "https://www.vulnetix.com" +Repository = "https://github.com/vulnetix/python-ssvc.git" diff --git a/requirements-dev.txt b/requirements-dev.txt deleted file mode 100644 index d0ba072..0000000 --- a/requirements-dev.txt +++ /dev/null @@ -1,790 +0,0 @@ -# This file was autogenerated by uv via the following command: -# uv pip compile --generate-hashes -o requirements-dev.txt --all-extras pyproject.toml -boolean-py==4.0 \ - --hash=sha256:17b9a181630e43dde1851d42bef546d616d5d9b4480357514597e78b203d06e4 \ - --hash=sha256:2876f2051d7d6394a531d82dc6eb407faa0b01a0a0b3083817ccd7323b8d96bd - # via license-expression -build==1.2.2 \ - --hash=sha256:119b2fb462adef986483438377a13b2f42064a2a3a4161f24a0cca698a07ac8c \ - --hash=sha256:277ccc71619d98afdd841a0e96ac9fe1593b823af481d3b0cea748e8894e0613 - # via poetry -cachecontrol==0.14.0 \ - --hash=sha256:7db1195b41c81f8274a7bbd97c956f44e8348265a1bc7641c37dfebc39f0c938 \ - --hash=sha256:f5bf3f0620c38db2e5122c0726bdebb0d16869de966ea6a2befe92470b740ea0 - # via - # pip-audit - # poetry -certifi==2024.8.30 \ - --hash=sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8 \ - --hash=sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9 - # via requests -cffi==1.17.1 \ - --hash=sha256:045d61c734659cc045141be4bae381a41d89b741f795af1dd018bfb532fd0df8 \ - --hash=sha256:0984a4925a435b1da406122d4d7968dd861c1385afe3b45ba82b750f229811e2 \ - --hash=sha256:0e2b1fac190ae3ebfe37b979cc1ce69c81f4e4fe5746bb401dca63a9062cdaf1 \ - --hash=sha256:0f048dcf80db46f0098ccac01132761580d28e28bc0f78ae0d58048063317e15 \ - --hash=sha256:1257bdabf294dceb59f5e70c64a3e2f462c30c7ad68092d01bbbfb1c16b1ba36 \ - --hash=sha256:1c39c6016c32bc48dd54561950ebd6836e1670f2ae46128f67cf49e789c52824 \ - --hash=sha256:1d599671f396c4723d016dbddb72fe8e0397082b0a77a4fab8028923bec050e8 \ - --hash=sha256:28b16024becceed8c6dfbc75629e27788d8a3f9030691a1dbf9821a128b22c36 \ - --hash=sha256:2bb1a08b8008b281856e5971307cc386a8e9c5b625ac297e853d36da6efe9c17 \ - --hash=sha256:30c5e0cb5ae493c04c8b42916e52ca38079f1b235c2f8ae5f4527b963c401caf \ - --hash=sha256:31000ec67d4221a71bd3f67df918b1f88f676f1c3b535a7eb473255fdc0b83fc \ - --hash=sha256:386c8bf53c502fff58903061338ce4f4950cbdcb23e2902d86c0f722b786bbe3 \ - --hash=sha256:3edc8d958eb099c634dace3c7e16560ae474aa3803a5df240542b305d14e14ed \ - --hash=sha256:45398b671ac6d70e67da8e4224a065cec6a93541bb7aebe1b198a61b58c7b702 \ - --hash=sha256:46bf43160c1a35f7ec506d254e5c890f3c03648a4dbac12d624e4490a7046cd1 \ - --hash=sha256:4ceb10419a9adf4460ea14cfd6bc43d08701f0835e979bf821052f1805850fe8 \ - --hash=sha256:51392eae71afec0d0c8fb1a53b204dbb3bcabcb3c9b807eedf3e1e6ccf2de903 \ - --hash=sha256:5da5719280082ac6bd9aa7becb3938dc9f9cbd57fac7d2871717b1feb0902ab6 \ - --hash=sha256:610faea79c43e44c71e1ec53a554553fa22321b65fae24889706c0a84d4ad86d \ - --hash=sha256:636062ea65bd0195bc012fea9321aca499c0504409f413dc88af450b57ffd03b \ - --hash=sha256:6883e737d7d9e4899a8a695e00ec36bd4e5e4f18fabe0aca0efe0a4b44cdb13e \ - --hash=sha256:6b8b4a92e1c65048ff98cfe1f735ef8f1ceb72e3d5f0c25fdb12087a23da22be \ - --hash=sha256:6f17be4345073b0a7b8ea599688f692ac3ef23ce28e5df79c04de519dbc4912c \ - --hash=sha256:706510fe141c86a69c8ddc029c7910003a17353970cff3b904ff0686a5927683 \ - --hash=sha256:72e72408cad3d5419375fc87d289076ee319835bdfa2caad331e377589aebba9 \ - --hash=sha256:733e99bc2df47476e3848417c5a4540522f234dfd4ef3ab7fafdf555b082ec0c \ - --hash=sha256:7596d6620d3fa590f677e9ee430df2958d2d6d6de2feeae5b20e82c00b76fbf8 \ - --hash=sha256:78122be759c3f8a014ce010908ae03364d00a1f81ab5c7f4a7a5120607ea56e1 \ - --hash=sha256:805b4371bf7197c329fcb3ead37e710d1bca9da5d583f5073b799d5c5bd1eee4 \ - --hash=sha256:85a950a4ac9c359340d5963966e3e0a94a676bd6245a4b55bc43949eee26a655 \ - --hash=sha256:8f2cdc858323644ab277e9bb925ad72ae0e67f69e804f4898c070998d50b1a67 \ - --hash=sha256:9755e4345d1ec879e3849e62222a18c7174d65a6a92d5b346b1863912168b595 \ - --hash=sha256:98e3969bcff97cae1b2def8ba499ea3d6f31ddfdb7635374834cf89a1a08ecf0 \ - --hash=sha256:a08d7e755f8ed21095a310a693525137cfe756ce62d066e53f502a83dc550f65 \ - --hash=sha256:a1ed2dd2972641495a3ec98445e09766f077aee98a1c896dcb4ad0d303628e41 \ - --hash=sha256:a24ed04c8ffd54b0729c07cee15a81d964e6fee0e3d4d342a27b020d22959dc6 \ - --hash=sha256:a45e3c6913c5b87b3ff120dcdc03f6131fa0065027d0ed7ee6190736a74cd401 \ - --hash=sha256:a9b15d491f3ad5d692e11f6b71f7857e7835eb677955c00cc0aefcd0669adaf6 \ - --hash=sha256:ad9413ccdeda48c5afdae7e4fa2192157e991ff761e7ab8fdd8926f40b160cc3 \ - --hash=sha256:b2ab587605f4ba0bf81dc0cb08a41bd1c0a5906bd59243d56bad7668a6fc6c16 \ - --hash=sha256:b62ce867176a75d03a665bad002af8e6d54644fad99a3c70905c543130e39d93 \ - --hash=sha256:c03e868a0b3bc35839ba98e74211ed2b05d2119be4e8a0f224fba9384f1fe02e \ - --hash=sha256:c59d6e989d07460165cc5ad3c61f9fd8f1b4796eacbd81cee78957842b834af4 \ - --hash=sha256:c7eac2ef9b63c79431bc4b25f1cd649d7f061a28808cbc6c47b534bd789ef964 \ - --hash=sha256:c9c3d058ebabb74db66e431095118094d06abf53284d9c81f27300d0e0d8bc7c \ - --hash=sha256:ca74b8dbe6e8e8263c0ffd60277de77dcee6c837a3d0881d8c1ead7268c9e576 \ - --hash=sha256:caaf0640ef5f5517f49bc275eca1406b0ffa6aa184892812030f04c2abf589a0 \ - --hash=sha256:cdf5ce3acdfd1661132f2a9c19cac174758dc2352bfe37d98aa7512c6b7178b3 \ - --hash=sha256:d016c76bdd850f3c626af19b0542c9677ba156e4ee4fccfdd7848803533ef662 \ - --hash=sha256:d01b12eeeb4427d3110de311e1774046ad344f5b1a7403101878976ecd7a10f3 \ - --hash=sha256:d63afe322132c194cf832bfec0dc69a99fb9bb6bbd550f161a49e9e855cc78ff \ - --hash=sha256:da95af8214998d77a98cc14e3a3bd00aa191526343078b530ceb0bd710fb48a5 \ - --hash=sha256:dd398dbc6773384a17fe0d3e7eeb8d1a21c2200473ee6806bb5e6a8e62bb73dd \ - --hash=sha256:de2ea4b5833625383e464549fec1bc395c1bdeeb5f25c4a3a82b5a8c756ec22f \ - --hash=sha256:de55b766c7aa2e2a3092c51e0483d700341182f08e67c63630d5b6f200bb28e5 \ - --hash=sha256:df8b1c11f177bc2313ec4b2d46baec87a5f3e71fc8b45dab2ee7cae86d9aba14 \ - --hash=sha256:e03eab0a8677fa80d646b5ddece1cbeaf556c313dcfac435ba11f107ba117b5d \ - --hash=sha256:e221cf152cff04059d011ee126477f0d9588303eb57e88923578ace7baad17f9 \ - --hash=sha256:e31ae45bc2e29f6b2abd0de1cc3b9d5205aa847cafaecb8af1476a609a2f6eb7 \ - --hash=sha256:edae79245293e15384b51f88b00613ba9f7198016a5948b5dddf4917d4d26382 \ - --hash=sha256:f1e22e8c4419538cb197e4dd60acc919d7696e5ef98ee4da4e01d3f8cfa4cc5a \ - --hash=sha256:f3a2b4222ce6b60e2e8b337bb9596923045681d71e5a082783484d845390938e \ - --hash=sha256:f6a16c31041f09ead72d69f583767292f750d24913dadacf5756b966aacb3f1a \ - --hash=sha256:f75c7ab1f9e4aca5414ed4d8e5c0e303a34f4421f8a0d47a4d019ceff0ab6af4 \ - --hash=sha256:f79fc4fc25f1c8698ff97788206bb3c2598949bfe0fef03d299eb1b5356ada99 \ - --hash=sha256:f7f5baafcc48261359e14bcd6d9bff6d4b28d9103847c9e136694cb0501aef87 \ - --hash=sha256:fc48c783f9c87e60831201f2cce7f3b2e4846bf4d8728eabe54d60700b318a0b - # via cryptography -charset-normalizer==3.3.2 \ - --hash=sha256:06435b539f889b1f6f4ac1758871aae42dc3a8c0e24ac9e60c2384973ad73027 \ - --hash=sha256:06a81e93cd441c56a9b65d8e1d043daeb97a3d0856d177d5c90ba85acb3db087 \ - --hash=sha256:0a55554a2fa0d408816b3b5cedf0045f4b8e1a6065aec45849de2d6f3f8e9786 \ - --hash=sha256:0b2b64d2bb6d3fb9112bafa732def486049e63de9618b5843bcdd081d8144cd8 \ - --hash=sha256:10955842570876604d404661fbccbc9c7e684caf432c09c715ec38fbae45ae09 \ - --hash=sha256:122c7fa62b130ed55f8f285bfd56d5f4b4a5b503609d181f9ad85e55c89f4185 \ - --hash=sha256:1ceae2f17a9c33cb48e3263960dc5fc8005351ee19db217e9b1bb15d28c02574 \ - --hash=sha256:1d3193f4a680c64b4b6a9115943538edb896edc190f0b222e73761716519268e \ - --hash=sha256:1f79682fbe303db92bc2b1136016a38a42e835d932bab5b3b1bfcfbf0640e519 \ - --hash=sha256:2127566c664442652f024c837091890cb1942c30937add288223dc895793f898 \ - --hash=sha256:22afcb9f253dac0696b5a4be4a1c0f8762f8239e21b99680099abd9b2b1b2269 \ - --hash=sha256:25baf083bf6f6b341f4121c2f3c548875ee6f5339300e08be3f2b2ba1721cdd3 \ - --hash=sha256:2e81c7b9c8979ce92ed306c249d46894776a909505d8f5a4ba55b14206e3222f \ - --hash=sha256:3287761bc4ee9e33561a7e058c72ac0938c4f57fe49a09eae428fd88aafe7bb6 \ - --hash=sha256:34d1c8da1e78d2e001f363791c98a272bb734000fcef47a491c1e3b0505657a8 \ - --hash=sha256:37e55c8e51c236f95b033f6fb391d7d7970ba5fe7ff453dad675e88cf303377a \ - --hash=sha256:3d47fa203a7bd9c5b6cee4736ee84ca03b8ef23193c0d1ca99b5089f72645c73 \ - --hash=sha256:3e4d1f6587322d2788836a99c69062fbb091331ec940e02d12d179c1d53e25fc \ - --hash=sha256:42cb296636fcc8b0644486d15c12376cb9fa75443e00fb25de0b8602e64c1714 \ - --hash=sha256:45485e01ff4d3630ec0d9617310448a8702f70e9c01906b0d0118bdf9d124cf2 \ - --hash=sha256:4a78b2b446bd7c934f5dcedc588903fb2f5eec172f3d29e52a9096a43722adfc \ - --hash=sha256:4ab2fe47fae9e0f9dee8c04187ce5d09f48eabe611be8259444906793ab7cbce \ - --hash=sha256:4d0d1650369165a14e14e1e47b372cfcb31d6ab44e6e33cb2d4e57265290044d \ - --hash=sha256:549a3a73da901d5bc3ce8d24e0600d1fa85524c10287f6004fbab87672bf3e1e \ - --hash=sha256:55086ee1064215781fff39a1af09518bc9255b50d6333f2e4c74ca09fac6a8f6 \ - --hash=sha256:572c3763a264ba47b3cf708a44ce965d98555f618ca42c926a9c1616d8f34269 \ - --hash=sha256:573f6eac48f4769d667c4442081b1794f52919e7edada77495aaed9236d13a96 \ - --hash=sha256:5b4c145409bef602a690e7cfad0a15a55c13320ff7a3ad7ca59c13bb8ba4d45d \ - --hash=sha256:6463effa3186ea09411d50efc7d85360b38d5f09b870c48e4600f63af490e56a \ - --hash=sha256:65f6f63034100ead094b8744b3b97965785388f308a64cf8d7c34f2f2e5be0c4 \ - --hash=sha256:663946639d296df6a2bb2aa51b60a2454ca1cb29835324c640dafb5ff2131a77 \ - --hash=sha256:6897af51655e3691ff853668779c7bad41579facacf5fd7253b0133308cf000d \ - --hash=sha256:68d1f8a9e9e37c1223b656399be5d6b448dea850bed7d0f87a8311f1ff3dabb0 \ - --hash=sha256:6ac7ffc7ad6d040517be39eb591cac5ff87416c2537df6ba3cba3bae290c0fed \ - --hash=sha256:6b3251890fff30ee142c44144871185dbe13b11bab478a88887a639655be1068 \ - --hash=sha256:6c4caeef8fa63d06bd437cd4bdcf3ffefe6738fb1b25951440d80dc7df8c03ac \ - --hash=sha256:6ef1d82a3af9d3eecdba2321dc1b3c238245d890843e040e41e470ffa64c3e25 \ - --hash=sha256:753f10e867343b4511128c6ed8c82f7bec3bd026875576dfd88483c5c73b2fd8 \ - --hash=sha256:7cd13a2e3ddeed6913a65e66e94b51d80a041145a026c27e6bb76c31a853c6ab \ - --hash=sha256:7ed9e526742851e8d5cc9e6cf41427dfc6068d4f5a3bb03659444b4cabf6bc26 \ - --hash=sha256:7f04c839ed0b6b98b1a7501a002144b76c18fb1c1850c8b98d458ac269e26ed2 \ - --hash=sha256:802fe99cca7457642125a8a88a084cef28ff0cf9407060f7b93dca5aa25480db \ - --hash=sha256:80402cd6ee291dcb72644d6eac93785fe2c8b9cb30893c1af5b8fdd753b9d40f \ - --hash=sha256:8465322196c8b4d7ab6d1e049e4c5cb460d0394da4a27d23cc242fbf0034b6b5 \ - --hash=sha256:86216b5cee4b06df986d214f664305142d9c76df9b6512be2738aa72a2048f99 \ - --hash=sha256:87d1351268731db79e0f8e745d92493ee2841c974128ef629dc518b937d9194c \ - --hash=sha256:8bdb58ff7ba23002a4c5808d608e4e6c687175724f54a5dade5fa8c67b604e4d \ - --hash=sha256:8c622a5fe39a48f78944a87d4fb8a53ee07344641b0562c540d840748571b811 \ - --hash=sha256:8d756e44e94489e49571086ef83b2bb8ce311e730092d2c34ca8f7d925cb20aa \ - --hash=sha256:8f4a014bc36d3c57402e2977dada34f9c12300af536839dc38c0beab8878f38a \ - --hash=sha256:9063e24fdb1e498ab71cb7419e24622516c4a04476b17a2dab57e8baa30d6e03 \ - --hash=sha256:90d558489962fd4918143277a773316e56c72da56ec7aa3dc3dbbe20fdfed15b \ - --hash=sha256:923c0c831b7cfcb071580d3f46c4baf50f174be571576556269530f4bbd79d04 \ - --hash=sha256:95f2a5796329323b8f0512e09dbb7a1860c46a39da62ecb2324f116fa8fdc85c \ - --hash=sha256:96b02a3dc4381e5494fad39be677abcb5e6634bf7b4fa83a6dd3112607547001 \ - --hash=sha256:9f96df6923e21816da7e0ad3fd47dd8f94b2a5ce594e00677c0013018b813458 \ - --hash=sha256:a10af20b82360ab00827f916a6058451b723b4e65030c5a18577c8b2de5b3389 \ - --hash=sha256:a50aebfa173e157099939b17f18600f72f84eed3049e743b68ad15bd69b6bf99 \ - --hash=sha256:a981a536974bbc7a512cf44ed14938cf01030a99e9b3a06dd59578882f06f985 \ - --hash=sha256:a9a8e9031d613fd2009c182b69c7b2c1ef8239a0efb1df3f7c8da66d5dd3d537 \ - --hash=sha256:ae5f4161f18c61806f411a13b0310bea87f987c7d2ecdbdaad0e94eb2e404238 \ - --hash=sha256:aed38f6e4fb3f5d6bf81bfa990a07806be9d83cf7bacef998ab1a9bd660a581f \ - --hash=sha256:b01b88d45a6fcb69667cd6d2f7a9aeb4bf53760d7fc536bf679ec94fe9f3ff3d \ - --hash=sha256:b261ccdec7821281dade748d088bb6e9b69e6d15b30652b74cbbac25e280b796 \ - --hash=sha256:b2b0a0c0517616b6869869f8c581d4eb2dd83a4d79e0ebcb7d373ef9956aeb0a \ - --hash=sha256:b4a23f61ce87adf89be746c8a8974fe1c823c891d8f86eb218bb957c924bb143 \ - --hash=sha256:bd8f7df7d12c2db9fab40bdd87a7c09b1530128315d047a086fa3ae3435cb3a8 \ - --hash=sha256:beb58fe5cdb101e3a055192ac291b7a21e3b7ef4f67fa1d74e331a7f2124341c \ - --hash=sha256:c002b4ffc0be611f0d9da932eb0f704fe2602a9a949d1f738e4c34c75b0863d5 \ - --hash=sha256:c083af607d2515612056a31f0a8d9e0fcb5876b7bfc0abad3ecd275bc4ebc2d5 \ - --hash=sha256:c180f51afb394e165eafe4ac2936a14bee3eb10debc9d9e4db8958fe36afe711 \ - --hash=sha256:c235ebd9baae02f1b77bcea61bce332cb4331dc3617d254df3323aa01ab47bd4 \ - --hash=sha256:cd70574b12bb8a4d2aaa0094515df2463cb429d8536cfb6c7ce983246983e5a6 \ - --hash=sha256:d0eccceffcb53201b5bfebb52600a5fb483a20b61da9dbc885f8b103cbe7598c \ - --hash=sha256:d965bba47ddeec8cd560687584e88cf699fd28f192ceb452d1d7ee807c5597b7 \ - --hash=sha256:db364eca23f876da6f9e16c9da0df51aa4f104a972735574842618b8c6d999d4 \ - --hash=sha256:ddbb2551d7e0102e7252db79ba445cdab71b26640817ab1e3e3648dad515003b \ - --hash=sha256:deb6be0ac38ece9ba87dea880e438f25ca3eddfac8b002a2ec3d9183a454e8ae \ - --hash=sha256:e06ed3eb3218bc64786f7db41917d4e686cc4856944f53d5bdf83a6884432e12 \ - --hash=sha256:e27ad930a842b4c5eb8ac0016b0a54f5aebbe679340c26101df33424142c143c \ - --hash=sha256:e537484df0d8f426ce2afb2d0f8e1c3d0b114b83f8850e5f2fbea0e797bd82ae \ - --hash=sha256:eb00ed941194665c332bf8e078baf037d6c35d7c4f3102ea2d4f16ca94a26dc8 \ - --hash=sha256:eb6904c354526e758fda7167b33005998fb68c46fbc10e013ca97f21ca5c8887 \ - --hash=sha256:eb8821e09e916165e160797a6c17edda0679379a4be5c716c260e836e122f54b \ - --hash=sha256:efcb3f6676480691518c177e3b465bcddf57cea040302f9f4e6e191af91174d4 \ - --hash=sha256:f27273b60488abe721a075bcca6d7f3964f9f6f067c8c4c605743023d7d3944f \ - --hash=sha256:f30c3cb33b24454a82faecaf01b19c18562b1e89558fb6c56de4d9118a032fd5 \ - --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \ - --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \ - --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561 - # via requests -cleo==2.1.0 \ - --hash=sha256:0b2c880b5d13660a7ea651001fb4acb527696c01f15c9ee650f377aa543fd523 \ - --hash=sha256:4a31bd4dd45695a64ee3c4758f583f134267c2bc518d8ae9a29cf237d009b07e - # via poetry -coverage==7.6.1 \ - --hash=sha256:06a737c882bd26d0d6ee7269b20b12f14a8704807a01056c80bb881a4b2ce6ca \ - --hash=sha256:07e2ca0ad381b91350c0ed49d52699b625aab2b44b65e1b4e02fa9df0e92ad2d \ - --hash=sha256:0c0420b573964c760df9e9e86d1a9a622d0d27f417e1a949a8a66dd7bcee7bc6 \ - --hash=sha256:0dbde0f4aa9a16fa4d754356a8f2e36296ff4d83994b2c9d8398aa32f222f989 \ - --hash=sha256:1125ca0e5fd475cbbba3bb67ae20bd2c23a98fac4e32412883f9bcbaa81c314c \ - --hash=sha256:13b0a73a0896988f053e4fbb7de6d93388e6dd292b0d87ee51d106f2c11b465b \ - --hash=sha256:166811d20dfea725e2e4baa71fffd6c968a958577848d2131f39b60043400223 \ - --hash=sha256:170d444ab405852903b7d04ea9ae9b98f98ab6d7e63e1115e82620807519797f \ - --hash=sha256:1f4aa8219db826ce6be7099d559f8ec311549bfc4046f7f9fe9b5cea5c581c56 \ - --hash=sha256:225667980479a17db1048cb2bf8bfb39b8e5be8f164b8f6628b64f78a72cf9d3 \ - --hash=sha256:260933720fdcd75340e7dbe9060655aff3af1f0c5d20f46b57f262ab6c86a5e8 \ - --hash=sha256:2bdb062ea438f22d99cba0d7829c2ef0af1d768d1e4a4f528087224c90b132cb \ - --hash=sha256:2c09f4ce52cb99dd7505cd0fc8e0e37c77b87f46bc9c1eb03fe3bc9991085388 \ - --hash=sha256:3115a95daa9bdba70aea750db7b96b37259a81a709223c8448fa97727d546fe0 \ - --hash=sha256:3e0cadcf6733c09154b461f1ca72d5416635e5e4ec4e536192180d34ec160f8a \ - --hash=sha256:3f1156e3e8f2872197af3840d8ad307a9dd18e615dc64d9ee41696f287c57ad8 \ - --hash=sha256:4421712dbfc5562150f7554f13dde997a2e932a6b5f352edcce948a815efee6f \ - --hash=sha256:44df346d5215a8c0e360307d46ffaabe0f5d3502c8a1cefd700b34baf31d411a \ - --hash=sha256:502753043567491d3ff6d08629270127e0c31d4184c4c8d98f92c26f65019962 \ - --hash=sha256:547f45fa1a93154bd82050a7f3cddbc1a7a4dd2a9bf5cb7d06f4ae29fe94eaf8 \ - --hash=sha256:5621a9175cf9d0b0c84c2ef2b12e9f5f5071357c4d2ea6ca1cf01814f45d2391 \ - --hash=sha256:609b06f178fe8e9f89ef676532760ec0b4deea15e9969bf754b37f7c40326dbc \ - --hash=sha256:645786266c8f18a931b65bfcefdbf6952dd0dea98feee39bd188607a9d307ed2 \ - --hash=sha256:6878ef48d4227aace338d88c48738a4258213cd7b74fd9a3d4d7582bb1d8a155 \ - --hash=sha256:6a89ecca80709d4076b95f89f308544ec8f7b4727e8a547913a35f16717856cb \ - --hash=sha256:6db04803b6c7291985a761004e9060b2bca08da6d04f26a7f2294b8623a0c1a0 \ - --hash=sha256:6e2cd258d7d927d09493c8df1ce9174ad01b381d4729a9d8d4e38670ca24774c \ - --hash=sha256:6e81d7a3e58882450ec4186ca59a3f20a5d4440f25b1cff6f0902ad890e6748a \ - --hash=sha256:702855feff378050ae4f741045e19a32d57d19f3e0676d589df0575008ea5004 \ - --hash=sha256:78b260de9790fd81e69401c2dc8b17da47c8038176a79092a89cb2b7d945d060 \ - --hash=sha256:7bb65125fcbef8d989fa1dd0e8a060999497629ca5b0efbca209588a73356232 \ - --hash=sha256:7dea0889685db8550f839fa202744652e87c60015029ce3f60e006f8c4462c93 \ - --hash=sha256:8284cf8c0dd272a247bc154eb6c95548722dce90d098c17a883ed36e67cdb129 \ - --hash=sha256:877abb17e6339d96bf08e7a622d05095e72b71f8afd8a9fefc82cf30ed944163 \ - --hash=sha256:8929543a7192c13d177b770008bc4e8119f2e1f881d563fc6b6305d2d0ebe9de \ - --hash=sha256:8ae539519c4c040c5ffd0632784e21b2f03fc1340752af711f33e5be83a9d6c6 \ - --hash=sha256:8f59d57baca39b32db42b83b2a7ba6f47ad9c394ec2076b084c3f029b7afca23 \ - --hash=sha256:9054a0754de38d9dbd01a46621636689124d666bad1936d76c0341f7d71bf569 \ - --hash=sha256:953510dfb7b12ab69d20135a0662397f077c59b1e6379a768e97c59d852ee51d \ - --hash=sha256:95cae0efeb032af8458fc27d191f85d1717b1d4e49f7cb226cf526ff28179778 \ - --hash=sha256:9bc572be474cafb617672c43fe989d6e48d3c83af02ce8de73fff1c6bb3c198d \ - --hash=sha256:9c56863d44bd1c4fe2abb8a4d6f5371d197f1ac0ebdee542f07f35895fc07f36 \ - --hash=sha256:9e0b2df163b8ed01d515807af24f63de04bebcecbd6c3bfeff88385789fdf75a \ - --hash=sha256:a09ece4a69cf399510c8ab25e0950d9cf2b42f7b3cb0374f95d2e2ff594478a6 \ - --hash=sha256:a1ac0ae2b8bd743b88ed0502544847c3053d7171a3cff9228af618a068ed9c34 \ - --hash=sha256:a318d68e92e80af8b00fa99609796fdbcdfef3629c77c6283566c6f02c6d6704 \ - --hash=sha256:a4acd025ecc06185ba2b801f2de85546e0b8ac787cf9d3b06e7e2a69f925b106 \ - --hash=sha256:a6d3adcf24b624a7b778533480e32434a39ad8fa30c315208f6d3e5542aeb6e9 \ - --hash=sha256:a78d169acd38300060b28d600344a803628c3fd585c912cacc9ea8790fe96862 \ - --hash=sha256:a95324a9de9650a729239daea117df21f4b9868ce32e63f8b650ebe6cef5595b \ - --hash=sha256:abd5fd0db5f4dc9289408aaf34908072f805ff7792632250dcb36dc591d24255 \ - --hash=sha256:b06079abebbc0e89e6163b8e8f0e16270124c154dc6e4a47b413dd538859af16 \ - --hash=sha256:b43c03669dc4618ec25270b06ecd3ee4fa94c7f9b3c14bae6571ca00ef98b0d3 \ - --hash=sha256:b48f312cca9621272ae49008c7f613337c53fadca647d6384cc129d2996d1133 \ - --hash=sha256:b5d7b556859dd85f3a541db6a4e0167b86e7273e1cdc973e5b175166bb634fdb \ - --hash=sha256:b9f222de8cded79c49bf184bdbc06630d4c58eec9459b939b4a690c82ed05657 \ - --hash=sha256:c3c02d12f837d9683e5ab2f3d9844dc57655b92c74e286c262e0fc54213c216d \ - --hash=sha256:c44fee9975f04b33331cb8eb272827111efc8930cfd582e0320613263ca849ca \ - --hash=sha256:cf4b19715bccd7ee27b6b120e7e9dd56037b9c0681dcc1adc9ba9db3d417fa36 \ - --hash=sha256:d0c212c49b6c10e6951362f7c6df3329f04c2b1c28499563d4035d964ab8e08c \ - --hash=sha256:d3296782ca4eab572a1a4eca686d8bfb00226300dcefdf43faa25b5242ab8a3e \ - --hash=sha256:d85f5e9a5f8b73e2350097c3756ef7e785f55bd71205defa0bfdaf96c31616ff \ - --hash=sha256:da511e6ad4f7323ee5702e6633085fb76c2f893aaf8ce4c51a0ba4fc07580ea7 \ - --hash=sha256:e05882b70b87a18d937ca6768ff33cc3f72847cbc4de4491c8e73880766718e5 \ - --hash=sha256:e61c0abb4c85b095a784ef23fdd4aede7a2628478e7baba7c5e3deba61070a02 \ - --hash=sha256:e6a08c0be454c3b3beb105c0596ebdc2371fab6bb90c0c0297f4e58fd7e1012c \ - --hash=sha256:e9a6e0eb86070e8ccaedfbd9d38fec54864f3125ab95419970575b42af7541df \ - --hash=sha256:ed37bd3c3b063412f7620464a9ac1314d33100329f39799255fb8d3027da50d3 \ - --hash=sha256:f1adfc8ac319e1a348af294106bc6a8458a0f1633cc62a1446aebc30c5fa186a \ - --hash=sha256:f5796e664fe802da4f57a168c85359a8fbf3eab5e55cd4e4569fbacecc903959 \ - --hash=sha256:fc5a77d0c516700ebad189b587de289a20a78324bc54baee03dd486f0855d234 \ - --hash=sha256:fd21f6ae3f08b41004dfb433fa895d858f3f5979e7762d052b12aef444e29afc - # via - # coverage-badge - # pytest-cov -coverage-badge==1.1.2 \ - --hash=sha256:d8413ce51c91043a1692b943616b450868cbeeb0ea6a0c54a32f8318c9c96ff7 \ - --hash=sha256:fe7ed58a3b72dad85a553b64a99e963dea3847dcd0b8ddd2b38a00333618642c - # via ssvc (pyproject.toml) -crashtest==0.4.1 \ - --hash=sha256:80d7b1f316ebfbd429f648076d6275c877ba30ba48979de4191714a75266f0ce \ - --hash=sha256:8d23eac5fa660409f57472e3851dab7ac18aba459a8d19cbbba86d3d5aecd2a5 - # via - # cleo - # poetry -cryptography==43.0.1 \ - --hash=sha256:014f58110f53237ace6a408b5beb6c427b64e084eb451ef25a28308270086494 \ - --hash=sha256:1bbcce1a551e262dfbafb6e6252f1ae36a248e615ca44ba302df077a846a8806 \ - --hash=sha256:203e92a75716d8cfb491dc47c79e17d0d9207ccffcbcb35f598fbe463ae3444d \ - --hash=sha256:27e613d7077ac613e399270253259d9d53872aaf657471473ebfc9a52935c062 \ - --hash=sha256:2bd51274dcd59f09dd952afb696bf9c61a7a49dfc764c04dd33ef7a6b502a1e2 \ - --hash=sha256:38926c50cff6f533f8a2dae3d7f19541432610d114a70808f0926d5aaa7121e4 \ - --hash=sha256:511f4273808ab590912a93ddb4e3914dfd8a388fed883361b02dea3791f292e1 \ - --hash=sha256:58d4e9129985185a06d849aa6df265bdd5a74ca6e1b736a77959b498e0505b85 \ - --hash=sha256:5b43d1ea6b378b54a1dc99dd8a2b5be47658fe9a7ce0a58ff0b55f4b43ef2b84 \ - --hash=sha256:61ec41068b7b74268fa86e3e9e12b9f0c21fcf65434571dbb13d954bceb08042 \ - --hash=sha256:666ae11966643886c2987b3b721899d250855718d6d9ce41b521252a17985f4d \ - --hash=sha256:68aaecc4178e90719e95298515979814bda0cbada1256a4485414860bd7ab962 \ - --hash=sha256:7c05650fe8023c5ed0d46793d4b7d7e6cd9c04e68eabe5b0aeea836e37bdcec2 \ - --hash=sha256:80eda8b3e173f0f247f711eef62be51b599b5d425c429b5d4ca6a05e9e856baa \ - --hash=sha256:8385d98f6a3bf8bb2d65a73e17ed87a3ba84f6991c155691c51112075f9ffc5d \ - --hash=sha256:88cce104c36870d70c49c7c8fd22885875d950d9ee6ab54df2745f83ba0dc365 \ - --hash=sha256:9d3cdb25fa98afdd3d0892d132b8d7139e2c087da1712041f6b762e4f807cc96 \ - --hash=sha256:a575913fb06e05e6b4b814d7f7468c2c660e8bb16d8d5a1faf9b33ccc569dd47 \ - --hash=sha256:ac119bb76b9faa00f48128b7f5679e1d8d437365c5d26f1c2c3f0da4ce1b553d \ - --hash=sha256:c1332724be35d23a854994ff0b66530119500b6053d0bd3363265f7e5e77288d \ - --hash=sha256:d03a475165f3134f773d1388aeb19c2d25ba88b6a9733c5c590b9ff7bbfa2e0c \ - --hash=sha256:d75601ad10b059ec832e78823b348bfa1a59f6b8d545db3a24fd44362a1564cb \ - --hash=sha256:de41fd81a41e53267cb020bb3a7212861da53a7d39f863585d13ea11049cf277 \ - --hash=sha256:e710bf40870f4db63c3d7d929aa9e09e4e7ee219e703f949ec4073b4294f6172 \ - --hash=sha256:ea25acb556320250756e53f9e20a4177515f012c9eaea17eb7587a8c4d8ae034 \ - --hash=sha256:f98bf604c82c416bc829e490c700ca1553eafdf2912a91e23a79d97d9801372a \ - --hash=sha256:fba1007b3ef89946dbbb515aeeb41e30203b004f0b4b00e5e16078b518563289 - # via secretstorage -cyclonedx-python-lib==7.6.0 \ - --hash=sha256:30655e89e5f987dc8d57835919748d71589fafeb33ff1dec45048eb72eda3cf9 \ - --hash=sha256:fa481d5f0d82728cb6a32e55f8ba9c666ba75a2bd99eb643228e3011c56bb5c4 - # via pip-audit -defusedxml==0.7.1 \ - --hash=sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69 \ - --hash=sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61 - # via py-serializable -distlib==0.3.8 \ - --hash=sha256:034db59a0b96f8ca18035f36290806a9a6e6bd9d1ff91e45a7f172eb17e51784 \ - --hash=sha256:1530ea13e350031b6312d8580ddb6b27a104275a31106523b8f123787f494f64 - # via virtualenv -dulwich==0.22.1 \ - --hash=sha256:0d72a88c7af8fafa14c8743e8923c8d46bd0b850a0b7f5e34eb49201f1ead88e \ - --hash=sha256:0ea4c5feedd35e8bde175a9ab91ef6705c3cef5ee209eeb2f67dd0b59ff1825f \ - --hash=sha256:12482e318895da9acabea7c0cc70b35d36833e7cb2def511ab3a63617f5c1af3 \ - --hash=sha256:155124219e6ce4b116d30ed1b9cc63c88021966b29ce761d3ce3caba064f9a13 \ - --hash=sha256:1bc6575476539c0b4924abab3896fc76be2f413d5baa6b083c4dfc4abc59329e \ - --hash=sha256:20f61f6dc0b075ca6459acbfb9527ee0e1ee02dccbed126dc492600bb7310d86 \ - --hash=sha256:3a366cdba24b8df31ad70b82bae55baa696c453678c1346da8390396a1d5cce4 \ - --hash=sha256:3ad3462d070b678fe61d3bdd7c6ac3fdbd25cca66f32b6edf589dd88fff251d2 \ - --hash=sha256:3ae006498fea11515027a417e6e68b82e1c195d3516188ba2cc08210e3022d14 \ - --hash=sha256:3de7a2eba26ff13a79670f78f73fc86fb8c87100508119f3b6bd61451bfdd4bf \ - --hash=sha256:3fb61891b2675664dc89d486eb5199e3659179ae04fc0a863ffc7e16b782b624 \ - --hash=sha256:41dfc52db29a06fe23a5029abc3bc13503e28233b1c3a9614bc1e5c4d6adc1ce \ - --hash=sha256:454d073e628043dde4f9bd34517736c1889dbe6417099bbae2119873b8d4d5da \ - --hash=sha256:467ff87fc4c61a23424b32acd952476ba17e7f7eeb8090e5957f68129784a35f \ - --hash=sha256:4c509e8172b9438536946097768413f297229b03eff064e4e06749cf5c28df78 \ - --hash=sha256:524d3497a86f79959c9c1d729715d60d8171ed3f71621d45afb4faee5a47e8a1 \ - --hash=sha256:52a8ddd1d9b5681de216a7af718720f5202d3c093ecc10dd4dfac6d25da605a6 \ - --hash=sha256:5e36c8a3bb09db5730b3d5014d087bce977e878825cdd7ba8285abcd81c43bc0 \ - --hash=sha256:6386165c64ba5f61c416301f7f32bb899f8200ca575d76888697a42fda8a92d2 \ - --hash=sha256:64eebe1d709539d6e80440fa1185f1eeb260d53bcb6435b1f753b4ce90a65e82 \ - --hash=sha256:6dc42afedc8cda4f2fd15a06d2e9e41281074a02cdf31bb2e0dde4d80766a408 \ - --hash=sha256:7244b796dd7e191753b822ac0ca871a4b9139b0b850770ac5bd347d5f8c76768 \ - --hash=sha256:739ef91aeb13fa2aa187d0efd46d0ac168301f54a6ef748565c42876b4b3ce71 \ - --hash=sha256:7579429e89deac6659b4ea70eb3de9063bb40508fd4a8a020fa67b02e0b59f4f \ - --hash=sha256:82f26e592e9a36ab33bcdb419c7d53320e26c85dfc254cdb84f5f561a2fcaabf \ - --hash=sha256:84db8aef08df6431b017cc3abe57b3d6885fd7436eec8d715603c309353b233c \ - --hash=sha256:86be1e283d78cc3f7daee1dcd0254122160cde71ca8c5348315156045f8ac2bb \ - --hash=sha256:892914dc2e80403d16e59a3b440044f6092fde5ffd4ec1fdf36d6ff20a8e624d \ - --hash=sha256:91966b7b48ec939e5083b03c9154fc450508056f01650ecb58724095307427f5 \ - --hash=sha256:926d671654a2f8cfa0b2fcb6b0c46833af95b5265d27a5c56c49c5a10f3ff3ba \ - --hash=sha256:9d19f04ecd4628a0e4587b4c4e98e040b87924c1362ae5aa27420435f05d5dd8 \ - --hash=sha256:a18d1392eabd02f337dcba23d723a4dcca87274ce8693cf88e6320f38bc3fdcd \ - --hash=sha256:a2c790517ed884bc1b1590806222ab44989eeb7e7f14dfa915561c7ee3b9ac73 \ - --hash=sha256:ac9fcf7c5cf1e9d0bcc643672f81bf43ec81f6495b99809649f5bfcdff633ab0 \ - --hash=sha256:b03092399f0f5d3e112405b890128afdb9e1f203eafb812f5d9105b0f5fac9d4 \ - --hash=sha256:b069639757b2f287f9cd0daf6765b536558c5e28263bbbb28e3d1925bce75400 \ - --hash=sha256:b2054e1f2c7041857ce129443bde23298ca37592ce82f0fb5ed5704d5f3708dd \ - --hash=sha256:b2c3186cf76d598a9d42b35e09ef35d499118b4197624ba5bba1b3a39ac6a75f \ - --hash=sha256:d3146843b972f744aed551e8ac9fac5714baa864393e480586d467b7b4488426 \ - --hash=sha256:e1b51d26108a832f151da8856a93676cc1a5cd8dd0bc20f06f4aee5774a7f0f9 \ - --hash=sha256:e346c1b86c5e5f175ca8f87f3873eea8b2e0eeb5d52033b475cf85641cb200c2 \ - --hash=sha256:e36d85967cfbf25da1c7bc3d6921adc5baa976969d926aaf1582bd5fd7e94758 \ - --hash=sha256:e3c7774232a2c9b195bde4fb72ad71455e877a9e4e9c0b17a57b1d9bd478838c \ - --hash=sha256:e7798e842ec506d25f21e825259b70109325ac1c9b43c2e287aad7559455951b \ - --hash=sha256:e90b8a2f24149c5803b733a24f1a016a2943b1f5a9ab2360db545e4638354c35 \ - --hash=sha256:f9e10678fe0692c5167553981d97cbe342ed055c49016aef10da336e2962b1f2 \ - --hash=sha256:fd51e77ff1b4ca08bc9b09b85646a3e77f275827b7b30180d76d769ce608e64d - # via poetry -fastjsonschema==2.20.0 \ - --hash=sha256:3d48fc5300ee96f5d116f10fe6f28d938e6008f59a6a025c2649475b87f76a23 \ - --hash=sha256:5875f0b0fa7a0043a91e93a9b8f793bcbbba9691e7fd83dca95c28ba26d21f0a - # via poetry -filelock==3.15.4 \ - --hash=sha256:2207938cbc1844345cb01a5a95524dae30f0ce089eba5b00378295a17e3e90cb \ - --hash=sha256:6ca1fffae96225dab4c6eaf1c4f4f28cd2568d3ec2a44e15a08520504de468e7 - # via - # cachecontrol - # virtualenv -html5lib==1.1 \ - --hash=sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d \ - --hash=sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f - # via pip-audit -idna==3.8 \ - --hash=sha256:050b4e5baadcd44d760cedbd2b8e639f2ff89bbc7a5730fcc662954303377aac \ - --hash=sha256:d838c2c0ed6fced7693d5e8ab8e734d5f8fda53a039c0164afb0b82e771e3603 - # via requests -iniconfig==2.0.0 \ - --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \ - --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374 - # via pytest -installer==0.7.0 \ - --hash=sha256:05d1933f0a5ba7d8d6296bb6d5018e7c94fa473ceb10cf198a92ccea19c27b53 \ - --hash=sha256:a26d3e3116289bb08216e0d0f7d925fcef0b0194eedfa0c944bcaaa106c4b631 - # via poetry -isort==5.13.2 \ - --hash=sha256:48fdfcb9face5d58a4f6dde2e72a1fb8dcaf8ab26f95ab49fab84c2ddefb0109 \ - --hash=sha256:8ca5e72a8d85860d5a3fa69b8745237f2939afe12dbf656afbcb47fe72d947a6 - # via ssvc (pyproject.toml) -jaraco-classes==3.4.0 \ - --hash=sha256:47a024b51d0239c0dd8c8540c6c7f484be3b8fcf0b2d85c13825780d3b3f3acd \ - --hash=sha256:f662826b6bed8cace05e7ff873ce0f9283b5c924470fe664fff1c2f00f581790 - # via keyring -jeepney==0.8.0 \ - --hash=sha256:5efe48d255973902f6badc3ce55e2aa6c5c3b3bc642059ef3a91247bcfcc5806 \ - --hash=sha256:c0a454ad016ca575060802ee4d590dd912e35c122fa04e70306de3d076cce755 - # via - # keyring - # secretstorage -keyring==25.3.0 \ - --hash=sha256:8d85a1ea5d6db8515b59e1c5d1d1678b03cf7fc8b8dcfb1651e8c4a524eb42ef \ - --hash=sha256:8d963da00ccdf06e356acd9bf3b743208878751032d8599c6cc89eb51310ffae - # via poetry -license-expression==30.3.1 \ - --hash=sha256:60d5bec1f3364c256a92b9a08583d7ea933c7aa272c8d36d04144a89a3858c01 \ - --hash=sha256:97904b9185c7bbb1e98799606fa7424191c375e70ba63a524b6f7100e42ddc46 - # via cyclonedx-python-lib -markdown-it-py==3.0.0 \ - --hash=sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1 \ - --hash=sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb - # via rich -mdurl==0.1.2 \ - --hash=sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8 \ - --hash=sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba - # via markdown-it-py -more-itertools==10.5.0 \ - --hash=sha256:037b0d3203ce90cca8ab1defbbdac29d5f993fc20131f3664dc8d6acfa872aef \ - --hash=sha256:5482bfef7849c25dc3c6dd53a6173ae4795da2a41a80faea6700d9f5846c5da6 - # via jaraco-classes -msgpack==1.0.8 \ - --hash=sha256:00e073efcba9ea99db5acef3959efa45b52bc67b61b00823d2a1a6944bf45982 \ - --hash=sha256:0726c282d188e204281ebd8de31724b7d749adebc086873a59efb8cf7ae27df3 \ - --hash=sha256:0ceea77719d45c839fd73abcb190b8390412a890df2f83fb8cf49b2a4b5c2f40 \ - --hash=sha256:114be227f5213ef8b215c22dde19532f5da9652e56e8ce969bf0a26d7c419fee \ - --hash=sha256:13577ec9e247f8741c84d06b9ece5f654920d8365a4b636ce0e44f15e07ec693 \ - --hash=sha256:1876b0b653a808fcd50123b953af170c535027bf1d053b59790eebb0aeb38950 \ - --hash=sha256:1ab0bbcd4d1f7b6991ee7c753655b481c50084294218de69365f8f1970d4c151 \ - --hash=sha256:1cce488457370ffd1f953846f82323cb6b2ad2190987cd4d70b2713e17268d24 \ - --hash=sha256:26ee97a8261e6e35885c2ecd2fd4a6d38252246f94a2aec23665a4e66d066305 \ - --hash=sha256:3528807cbbb7f315bb81959d5961855e7ba52aa60a3097151cb21956fbc7502b \ - --hash=sha256:374a8e88ddab84b9ada695d255679fb99c53513c0a51778796fcf0944d6c789c \ - --hash=sha256:376081f471a2ef24828b83a641a02c575d6103a3ad7fd7dade5486cad10ea659 \ - --hash=sha256:3923a1778f7e5ef31865893fdca12a8d7dc03a44b33e2a5f3295416314c09f5d \ - --hash=sha256:4916727e31c28be8beaf11cf117d6f6f188dcc36daae4e851fee88646f5b6b18 \ - --hash=sha256:493c5c5e44b06d6c9268ce21b302c9ca055c1fd3484c25ba41d34476c76ee746 \ - --hash=sha256:505fe3d03856ac7d215dbe005414bc28505d26f0c128906037e66d98c4e95868 \ - --hash=sha256:5845fdf5e5d5b78a49b826fcdc0eb2e2aa7191980e3d2cfd2a30303a74f212e2 \ - --hash=sha256:5c330eace3dd100bdb54b5653b966de7f51c26ec4a7d4e87132d9b4f738220ba \ - --hash=sha256:5dbf059fb4b7c240c873c1245ee112505be27497e90f7c6591261c7d3c3a8228 \ - --hash=sha256:5e390971d082dba073c05dbd56322427d3280b7cc8b53484c9377adfbae67dc2 \ - --hash=sha256:5fbb160554e319f7b22ecf530a80a3ff496d38e8e07ae763b9e82fadfe96f273 \ - --hash=sha256:64d0fcd436c5683fdd7c907eeae5e2cbb5eb872fafbc03a43609d7941840995c \ - --hash=sha256:69284049d07fce531c17404fcba2bb1df472bc2dcdac642ae71a2d079d950653 \ - --hash=sha256:6a0e76621f6e1f908ae52860bdcb58e1ca85231a9b0545e64509c931dd34275a \ - --hash=sha256:73ee792784d48aa338bba28063e19a27e8d989344f34aad14ea6e1b9bd83f596 \ - --hash=sha256:74398a4cf19de42e1498368c36eed45d9528f5fd0155241e82c4082b7e16cffd \ - --hash=sha256:7938111ed1358f536daf311be244f34df7bf3cdedb3ed883787aca97778b28d8 \ - --hash=sha256:82d92c773fbc6942a7a8b520d22c11cfc8fd83bba86116bfcf962c2f5c2ecdaa \ - --hash=sha256:83b5c044f3eff2a6534768ccfd50425939e7a8b5cf9a7261c385de1e20dcfc85 \ - --hash=sha256:8db8e423192303ed77cff4dce3a4b88dbfaf43979d280181558af5e2c3c71afc \ - --hash=sha256:9517004e21664f2b5a5fd6333b0731b9cf0817403a941b393d89a2f1dc2bd836 \ - --hash=sha256:95c02b0e27e706e48d0e5426d1710ca78e0f0628d6e89d5b5a5b91a5f12274f3 \ - --hash=sha256:99881222f4a8c2f641f25703963a5cefb076adffd959e0558dc9f803a52d6a58 \ - --hash=sha256:9ee32dcb8e531adae1f1ca568822e9b3a738369b3b686d1477cbc643c4a9c128 \ - --hash=sha256:a22e47578b30a3e199ab067a4d43d790249b3c0587d9a771921f86250c8435db \ - --hash=sha256:b5505774ea2a73a86ea176e8a9a4a7c8bf5d521050f0f6f8426afe798689243f \ - --hash=sha256:bd739c9251d01e0279ce729e37b39d49a08c0420d3fee7f2a4968c0576678f77 \ - --hash=sha256:d16a786905034e7e34098634b184a7d81f91d4c3d246edc6bd7aefb2fd8ea6ad \ - --hash=sha256:d3420522057ebab1728b21ad473aa950026d07cb09da41103f8e597dfbfaeb13 \ - --hash=sha256:d56fd9f1f1cdc8227d7b7918f55091349741904d9520c65f0139a9755952c9e8 \ - --hash=sha256:d661dc4785affa9d0edfdd1e59ec056a58b3dbb9f196fa43587f3ddac654ac7b \ - --hash=sha256:dfe1f0f0ed5785c187144c46a292b8c34c1295c01da12e10ccddfc16def4448a \ - --hash=sha256:e1dd7839443592d00e96db831eddb4111a2a81a46b028f0facd60a09ebbdd543 \ - --hash=sha256:e2872993e209f7ed04d963e4b4fbae72d034844ec66bc4ca403329db2074377b \ - --hash=sha256:e2f879ab92ce502a1e65fce390eab619774dda6a6ff719718069ac94084098ce \ - --hash=sha256:e3aa7e51d738e0ec0afbed661261513b38b3014754c9459508399baf14ae0c9d \ - --hash=sha256:e532dbd6ddfe13946de050d7474e3f5fb6ec774fbb1a188aaf469b08cf04189a \ - --hash=sha256:e6b7842518a63a9f17107eb176320960ec095a8ee3b4420b5f688e24bf50c53c \ - --hash=sha256:e75753aeda0ddc4c28dce4c32ba2f6ec30b1b02f6c0b14e547841ba5b24f753f \ - --hash=sha256:eadb9f826c138e6cf3c49d6f8de88225a3c0ab181a9b4ba792e006e5292d150e \ - --hash=sha256:ed59dd52075f8fc91da6053b12e8c89e37aa043f8986efd89e61fae69dc1b011 \ - --hash=sha256:ef254a06bcea461e65ff0373d8a0dd1ed3aa004af48839f002a0c994a6f72d04 \ - --hash=sha256:f3709997b228685fe53e8c433e2df9f0cdb5f4542bd5114ed17ac3c0129b0480 \ - --hash=sha256:f51bab98d52739c50c56658cc303f190785f9a2cd97b823357e7aeae54c8f68a \ - --hash=sha256:f9904e24646570539a8950400602d66d2b2c492b9010ea7e965025cb71d0c86d \ - --hash=sha256:f9af38a89b6a5c04b7d18c492c8ccf2aee7048aff1ce8437c4683bb5a1df893d - # via cachecontrol -packageurl-python==0.15.6 \ - --hash=sha256:a40210652c89022772a6c8340d6066f7d5dc67132141e5284a4db7a27d0a8ab0 \ - --hash=sha256:cbc89afd15d5f4d05db4f1b61297e5b97a43f61f28799f6d282aff467ed2ee96 - # via cyclonedx-python-lib -packaging==24.1 \ - --hash=sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002 \ - --hash=sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124 - # via - # build - # pip-audit - # pip-requirements-parser - # poetry - # pytest -pexpect==4.9.0 \ - --hash=sha256:7236d1e080e4936be2dc3e326cec0af72acf9212a7e1d060210e70a47e253523 \ - --hash=sha256:ee7d41123f3c9911050ea2c2dac107568dc43b2d3b0c7557a33212c398ead30f - # via poetry -pip==24.2 \ - --hash=sha256:2cd581cf58ab7fcfca4ce8efa6dcacd0de5bf8d0a3eb9ec927e07405f4d9e2a2 \ - --hash=sha256:5b5e490b5e9cb275c879595064adce9ebd31b854e3e803740b72f9ccf34a45b8 - # via pip-api -pip-api==0.0.34 \ - --hash=sha256:8b2d7d7c37f2447373aa2cf8b1f60a2f2b27a84e1e9e0294a3f6ef10eb3ba6bb \ - --hash=sha256:9b75e958f14c5a2614bae415f2adf7eeb54d50a2cfbe7e24fd4826471bac3625 - # via pip-audit -pip-audit==2.7.3 \ - --hash=sha256:08891bbf179bffe478521f150818112bae998424f58bf9285c0078965aef38bc \ - --hash=sha256:46a11faee3323f76adf7987de8171daeb660e8f57d8088cc27fb1c1e5c7747b0 - # via ssvc (pyproject.toml) -pip-requirements-parser==32.0.1 \ - --hash=sha256:4659bc2a667783e7a15d190f6fccf8b2486685b6dba4c19c3876314769c57526 \ - --hash=sha256:b4fa3a7a0be38243123cf9d1f3518da10c51bdb165a2b2985566247f9155a7d3 - # via pip-audit -pkginfo==1.11.1 \ - --hash=sha256:2e0dca1cf4c8e39644eed32408ea9966ee15e0d324c62ba899a393b3c6b467aa \ - --hash=sha256:bfa76a714fdfc18a045fcd684dbfc3816b603d9d075febef17cb6582bea29573 - # via poetry -platformdirs==4.3.3 \ - --hash=sha256:50a5450e2e84f44539718293cbb1da0a0885c9d14adf21b77bae4e66fc99d9b5 \ - --hash=sha256:d4e0b7d8ec176b341fb03cb11ca12d0276faa8c485f9cd218f613840463fc2c0 - # via - # poetry - # virtualenv -pluggy==1.5.0 \ - --hash=sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1 \ - --hash=sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669 - # via pytest -poetry==1.8.3 \ - --hash=sha256:67f4eb68288eab41e841cc71a00d26cf6bdda9533022d0189a145a34d0a35f48 \ - --hash=sha256:88191c69b08d06f9db671b793d68f40048e8904c0718404b63dcc2b5aec62d13 - # via - # ssvc (pyproject.toml) - # poetry-plugin-export -poetry-core==1.9.0 \ - --hash=sha256:4e0c9c6ad8cf89956f03b308736d84ea6ddb44089d16f2adc94050108ec1f5a1 \ - --hash=sha256:fa7a4001eae8aa572ee84f35feb510b321bd652e5cf9293249d62853e1f935a2 - # via - # poetry - # poetry-plugin-export -poetry-plugin-export==1.8.0 \ - --hash=sha256:1fa6168a85d59395d835ca564bc19862a7c76061e60c3e7dfaec70d50937fc61 \ - --hash=sha256:adbe232cfa0cc04991ea3680c865cf748bff27593b9abcb1f35fb50ed7ba2c22 - # via poetry -ptyprocess==0.7.0 \ - --hash=sha256:4b41f3967fce3af57cc7e94b888626c18bf37a083e3651ca8feeb66d492fef35 \ - --hash=sha256:5c5d0a3b48ceee0b48485e0c26037c0acd7d29765ca3fbb5cb3831d347423220 - # via pexpect -py-serializable==1.1.0 \ - --hash=sha256:3311ab39063b131caca0fb75e2038153682e55576c67f24a2de72d402dccb6e0 \ - --hash=sha256:ae7ae4326b0d037b7e710f6e8bb1a97ece4ac2895a1f443a17ffd17f85547d76 - # via cyclonedx-python-lib -pycparser==2.22 \ - --hash=sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6 \ - --hash=sha256:c3702b6d3dd8c7abc1afa565d7e63d53a1d0bd86cdc24edd75470f4de499cfcc - # via cffi -pygments==2.18.0 \ - --hash=sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199 \ - --hash=sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a - # via rich -pyparsing==3.1.4 \ - --hash=sha256:a6a7ee4235a3f944aa1fa2249307708f893fe5717dc603503c6c7969c070fb7c \ - --hash=sha256:f86ec8d1a83f11977c9a6ea7598e8c27fc5cddfa5b07ea2241edbbde1d7bc032 - # via pip-requirements-parser -pyproject-hooks==1.1.0 \ - --hash=sha256:4b37730834edbd6bd37f26ece6b44802fb1c1ee2ece0e54ddff8bfc06db86965 \ - --hash=sha256:7ceeefe9aec63a1064c18d939bdc3adf2d8aa1988a510afec15151578b232aa2 - # via - # build - # poetry -pytest==8.3.2 \ - --hash=sha256:4ba08f9ae7dcf84ded419494d229b48d0903ea6407b030eaec46df5e6a73bba5 \ - --hash=sha256:c132345d12ce551242c87269de812483f5bcc87cdbb4722e48487ba194f9fdce - # via - # ssvc (pyproject.toml) - # pytest-cov -pytest-cov==5.0.0 \ - --hash=sha256:4f0764a1219df53214206bf1feea4633c3b558a2925c8b59f144f682861ce652 \ - --hash=sha256:5837b58e9f6ebd335b0f8060eecce69b662415b16dc503883a02f45dfeb14857 - # via ssvc (pyproject.toml) -rapidfuzz==3.9.7 \ - --hash=sha256:03126f9a040ff21d2a110610bfd6b93b79377ce8b4121edcb791d61b7df6eec5 \ - --hash=sha256:048d55d36c02c6685a2b2741688503c3d15149694506655b6169dcfd3b6c2585 \ - --hash=sha256:057bb03f39e285047d7e9412e01ecf31bb2d42b9466a5409d715d587460dd59b \ - --hash=sha256:0b1c2d504eddf97bc0f2eba422c8915576dbf025062ceaca2d68aecd66324ad9 \ - --hash=sha256:0d1415a732ee75e74a90af12020b77a0b396b36c60afae1bde3208a78cd2c9fc \ - --hash=sha256:0e9125377fa3d21a8abd4fbdbcf1c27be73e8b1850f0b61b5b711364bf3b59db \ - --hash=sha256:110b6294396bc0a447648627479c9320f095c2034c0537f687592e0f58622638 \ - --hash=sha256:111a20a3c090cf244d9406e60500b6c34b2375ba3a5009e2b38fd806fe38e337 \ - --hash=sha256:13d8675a1fa7e2b19650ca7ef9a6ec01391d4bb12ab9e0793e8eb024538b4a34 \ - --hash=sha256:18669bb6cdf7d40738526d37e550df09ba065b5a7560f3d802287988b6cb63cf \ - --hash=sha256:19c64d8ddb2940b42a4567b23f1681af77f50a5ff6c9b8e85daba079c210716e \ - --hash=sha256:1dc516ac6d32027be2b0196bedf6d977ac26debd09ca182376322ad620460feb \ - --hash=sha256:1de91e7fd7f525e10ea79a6e62c559d1b0278ec097ad83d9da378b6fab65a265 \ - --hash=sha256:1ee2086f490cb501d86b7e386c1eb4e3a0ccbb0c99067089efaa8c79012c8952 \ - --hash=sha256:1ef6a1a8f0b12f8722f595f15c62950c9a02d5abc64742561299ffd49f6c6944 \ - --hash=sha256:1f1a33e84056b7892c721d84475d3bde49a145126bc4c6efe0d6d0d59cb31c29 \ - --hash=sha256:22589c0b8ccc6c391ce7f776c93a8c92c96ab8d34e1a19f1bd2b12a235332632 \ - --hash=sha256:2379e0b2578ad3ac7004f223251550f08bca873ff76c169b09410ec562ad78d8 \ - --hash=sha256:268f8e1ca50fc61c0736f3fe9d47891424adf62d96ed30196f30f4bd8216b41f \ - --hash=sha256:3171653212218a162540a3c8eb8ae7d3dcc8548540b69eaecaf3b47c14d89c90 \ - --hash=sha256:32532af1d70c6ec02ea5ac7ee2766dfff7c8ae8c761abfe8da9e527314e634e8 \ - --hash=sha256:3445a35c4c8d288f2b2011eb61bce1227c633ce85a3154e727170f37c0266bb2 \ - --hash=sha256:3492c7a42b7fa9f0051d7fcce9893e95ed91c97c9ec7fb64346f3e070dd318ed \ - --hash=sha256:35d3044cb635ca6b1b2b7b67b3597bd19f34f1753b129eb6d2ae04cf98cd3945 \ - --hash=sha256:364587827d7cbd41afa0782adc2d2d19e3f07d355b0750a02a8e33ad27a9c368 \ - --hash=sha256:3665b92e788578c3bb334bd5b5fa7ee1a84bafd68be438e3110861d1578c63a0 \ - --hash=sha256:36dd6e820379c37a1ffefc8a52b648758e867cd9d78ee5b5dc0c9a6a10145378 \ - --hash=sha256:3ed5adb752f4308fcc8f4fb6f8eb7aa4082f9d12676fda0a74fa5564242a8107 \ - --hash=sha256:47e92c155a14f44511ea8ebcc6bc1535a1fe8d0a7d67ad3cc47ba61606df7bcf \ - --hash=sha256:4ff196996240db7075f62c7bc4506f40a3c80cd4ae3ab0e79ac6892283a90859 \ - --hash=sha256:521c58c72ed8a612b25cda378ff10dee17e6deb4ee99a070b723519a345527b9 \ - --hash=sha256:5551d68264c1bb6943f542da83a4dc8940ede52c5847ef158698799cc28d14f5 \ - --hash=sha256:578302828dd97ee2ba507d2f71d62164e28d2fc7bc73aad0d2d1d2afc021a5d5 \ - --hash=sha256:579d107102c0725f7c79b4e79f16d3cf4d7c9208f29c66b064fa1fd4641d5155 \ - --hash=sha256:591908240f4085e2ade5b685c6e8346e2ed44932cffeaac2fb32ddac95b55c7f \ - --hash=sha256:5a93c9e60904cb76e7aefef67afffb8b37c4894f81415ed513db090f29d01101 \ - --hash=sha256:5d1eff95362f993b0276fd3839aee48625b09aac8938bb0c23b40d219cba5dc5 \ - --hash=sha256:5d5262383634626eb45c536017204b8163a03bc43bda880cf1bdd7885db9a163 \ - --hash=sha256:5f8bf3f0d02935751d8660abda6044821a861f6229f7d359f98bcdcc7e66c39b \ - --hash=sha256:603f48f621272a448ff58bb556feb4371252a02156593303391f5c3281dfaeac \ - --hash=sha256:675b75412a943bb83f1f53e2e54fd18c80ef15ed642dc6eb0382d1949419d904 \ - --hash=sha256:68bd888eafd07b09585dcc8bc2716c5ecdb7eed62827470664d25588982b2873 \ - --hash=sha256:696a79018ef989bf1c9abd9005841cee18005ccad4748bad8a4c274c47b6241a \ - --hash=sha256:6c5b32875646cb7f60c193ade99b2e4b124f19583492115293cd00f6fb198b17 \ - --hash=sha256:6f83221db5755b8f34222e40607d87f1176a8d5d4dbda4a55a0f0b67d588a69c \ - --hash=sha256:6fb76e5a21034f0307c51c5a2fc08856f698c53a4c593b17d291f7d6e9d09ca3 \ - --hash=sha256:7abe2dbae81120a64bb4f8d3fcafe9122f328c9f86d7f327f174187a5af4ed86 \ - --hash=sha256:7b702de95666a1f7d5c6b47eacadfe2d2794af3742d63d2134767d13e5d1c713 \ - --hash=sha256:7c20c1474b068c4bd45bf2fd0ad548df284f74e9a14a68b06746c56e3aa8eb70 \ - --hash=sha256:836f4d88b8bd0fff2ebe815dcaab8aa6c8d07d1d566a7e21dd137cf6fe11ed5b \ - --hash=sha256:8501000a5eb8037c4b56857724797fe5a8b01853c363de91c8d0d0ad56bef319 \ - --hash=sha256:8772b745668260c5c4d069c678bbaa68812e6c69830f3771eaad521af7bc17f8 \ - --hash=sha256:8b01153c7466d0bad48fba77a303d5a768e66f24b763853469f47220b3de4661 \ - --hash=sha256:8d92c552c6b7577402afdd547dcf5d31ea6c8ae31ad03f78226e055cfa37f3c6 \ - --hash=sha256:9030e7238c0df51aed5c9c5ed8eee2bdd47a2ae788e562c1454af2851c3d1906 \ - --hash=sha256:90db86fa196eecf96cb6db09f1083912ea945c50c57188039392d810d0b784e1 \ - --hash=sha256:948dcee7aaa1cd14358b2a7ef08bf0be42bf89049c3a906669874a715fc2c937 \ - --hash=sha256:94baaeea0b4f8632a6da69348b1e741043eba18d4e3088d674d3f76586b6223d \ - --hash=sha256:953b3780765c8846866faf891ee4290f6a41a6dacf4fbcd3926f78c9de412ca6 \ - --hash=sha256:95b8292383e717e10455f2c917df45032b611141e43d1adf70f71b1566136b11 \ - --hash=sha256:965693c2e9efd425b0f059f5be50ef830129f82892fa1858e220e424d9d0160f \ - --hash=sha256:97f2ce529d2a70a60c290f6ab269a2bbf1d3b47b9724dccc84339b85f7afb044 \ - --hash=sha256:9b6a5de507b9be6de688dae40143b656f7a93b10995fb8bd90deb555e7875c60 \ - --hash=sha256:9dba13d86806fcf3fe9c9919f58575e0090eadfb89c058bde02bcc7ab24e4548 \ - --hash=sha256:9dc86aa6b29d174713c5f4caac35ffb7f232e3e649113e8d13812b35ab078228 \ - --hash=sha256:9dcd14cf4876f04b488f6e54a7abd3e9b31db5f5a6aba0ce90659917aaa8c088 \ - --hash=sha256:a3b36e1c61b796ae1777f3e9e11fd39898b09d351c9384baf6e3b7e6191d8ced \ - --hash=sha256:a3c0783910911f4f24655826d007c9f4360f08107410952c01ee3df98c713eb2 \ - --hash=sha256:a40184c67db8252593ec518e17fb8a6e86d7259dc9f2d6c0bf4ff4db8cf1ad4b \ - --hash=sha256:a4da514d13f4433e16960a17f05b67e0af30ac771719c9a9fb877e5004f74477 \ - --hash=sha256:a8feac9006d5c9758438906f093befffc4290de75663dbb2098461df7c7d28dd \ - --hash=sha256:a93cd834b3c315ab437f0565ee3a2f42dd33768dc885ccbabf9710b131cf70d2 \ - --hash=sha256:ae1a38bade755aa9dd95a81cda949e1bf9cd92b79341ccc5e2189c9e7bdfc5ec \ - --hash=sha256:b23806fbdd6b510ba9ac93bb72d503066263b0fba44b71b835be9f063a84025f \ - --hash=sha256:b4f86e09d3064dca0b014cd48688964036a904a2d28048f00c8f4640796d06a8 \ - --hash=sha256:b997ff3b39d4cee9fb025d6c46b0a24bd67595ce5a5b652a97fb3a9d60beb651 \ - --hash=sha256:be3a1fc3e2ab3bdf93dc0c83c00acca8afd2a80602297d96cf4a0ba028333cdf \ - --hash=sha256:c12d180b17a22d107c8747de9c68d0b9c1d15dcda5445ff9bf9f4ccfb67c3e16 \ - --hash=sha256:c1318d42610c26dcd68bd3279a1bf9e3605377260867c9a8ed22eafc1bd93a7c \ - --hash=sha256:c33211cfff9aec425bb1bfedaf94afcf337063aa273754f22779d6dadebef4c2 \ - --hash=sha256:c4eebf6c93af0ae866c22b403a84747580bb5c10f0d7b51c82a87f25405d4dcb \ - --hash=sha256:c4f28f1930b09a2c300357d8465b388cecb7e8b2f454a5d5425561710b7fd07f \ - --hash=sha256:ca66676c8ef6557f9b81c5b2b519097817a7c776a6599b8d6fcc3e16edd216fe \ - --hash=sha256:ccf68e30b80e903f2309f90a438dbd640dd98e878eeb5ad361a288051ee5b75c \ - --hash=sha256:cd9360e30041690912525a210e48a897b49b230768cc8af1c702e5395690464f \ - --hash=sha256:cfa74aac64c85898b93d9c80bb935a96bf64985e28d4ee0f1a3d1f3bf11a5106 \ - --hash=sha256:d098ce6162eb5e48fceb0745455bc950af059df6113eec83e916c129fca11408 \ - --hash=sha256:d1230e0f9026851a6a432beaa0ce575dda7b39fe689b576f99a0704fbb81fc9c \ - --hash=sha256:d4ba2318ef670ce505f42881a5d2af70f948124646947341a3c6ccb33cd70369 \ - --hash=sha256:d4e049d5ad61448c9a020d1061eba20944c4887d720c4069724beb6ea1692507 \ - --hash=sha256:d73ee2df41224c87336448d279b5b6a3a75f36e41dd3dcf538c0c9cce36360d8 \ - --hash=sha256:d7df9c2194c7ec930b33c991c55dbd0c10951bd25800c0b7a7b571994ebbced5 \ - --hash=sha256:d95751f505a301af1aaf086c19f34536056d6c8efa91b2240de532a3db57b543 \ - --hash=sha256:dd5fa6e3c6e0333051c1f3a49f0807b3366f4131c8d6ac8c3e05fd0d0ce3755c \ - --hash=sha256:df596ddd3db38aa513d4c0995611267b3946e7cbe5a8761b50e9306dfec720ee \ - --hash=sha256:e2957fdad10bb83b1982b02deb3604a3f6911a5e545f518b59c741086f92d152 \ - --hash=sha256:e3dcfbe7266e74a707173a12a7b355a531f2dcfbdb32f09468e664330da14874 \ - --hash=sha256:e6d9db2fa4e9be171e9bb31cf2d2575574774966b43f5b951062bb2e67885852 \ - --hash=sha256:e9012d86c6397edbc9da4ac0132de7f8ee9d6ce857f4194d5684c4ddbcdd1c5c \ - --hash=sha256:e9fbf659537d246086d0297628b3795dc3e4a384101ecc01e5791c827b8d7345 \ - --hash=sha256:ecc24af7f905f3d6efb371a01680116ffea8d64e266618fb9ad1602a9b4f7934 \ - --hash=sha256:ece45eb2af8b00f90d10f7419322e8804bd42fb1129026f9bfe712c37508b514 \ - --hash=sha256:f1c7296534c1afb6f495aa95871f14ccdc197c6db42965854e483100df313030 \ - --hash=sha256:f847fb0fbfb72482b1c05c59cbb275c58a55b73708a7f77a83f8035ee3c86497 \ - --hash=sha256:fbda3dd68d8b28ccb20ffb6f756fefd9b5ba570a772bedd7643ed441f5793308 \ - --hash=sha256:fc3e6081069eea61593f1d6839029da53d00c8c9b205c5534853eaa3f031085c \ - --hash=sha256:fcf79b686962d7bec458a0babc904cb4fa319808805e036b9d5a531ee6b9b835 \ - --hash=sha256:fde81b1da9a947f931711febe2e2bee694e891f6d3e6aa6bc02c1884702aea19 - # via cleo -requests==2.32.3 \ - --hash=sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760 \ - --hash=sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6 - # via - # cachecontrol - # pip-audit - # poetry - # requests-toolbelt -requests-toolbelt==1.0.0 \ - --hash=sha256:7681a0a3d047012b5bdc0ee37d7f8f07ebe76ab08caeccfc3921ce23c88d5bc6 \ - --hash=sha256:cccfdd665f0a24fcf4726e690f65639d272bb0637b9b92dfd91a5568ccf6bd06 - # via poetry -rich==13.8.0 \ - --hash=sha256:2e85306a063b9492dffc86278197a60cbece75bcb766022f3436f567cae11bdc \ - --hash=sha256:a5ac1f1cd448ade0d59cc3356f7db7a7ccda2c8cbae9c7a90c28ff463d3e91f4 - # via pip-audit -ruff==0.6.5 \ - --hash=sha256:005256d977021790cc52aa23d78f06bb5090dc0bfbd42de46d49c201533982ae \ - --hash=sha256:09c72a833fd3551135ceddcba5ebdb68ff89225d30758027280968c9acdc7810 \ - --hash=sha256:381413ec47f71ce1d1c614f7779d88886f406f1fd53d289c77e4e533dc6ea200 \ - --hash=sha256:3a8d42d11fff8d3143ff4da41742a98f8f233bf8890e9fe23077826818f8d680 \ - --hash=sha256:3e42a57b58e3612051a636bc1ac4e6b838679530235520e8f095f7c44f706ff9 \ - --hash=sha256:482c1e6bfeb615eafc5899127b805d28e387bd87db38b2c0c41d271f5e58d8cc \ - --hash=sha256:4d32d87fab433c0cf285c3683dd4dae63be05fd7a1d65b3f5bf7cdd05a6b96fb \ - --hash=sha256:51935067740773afdf97493ba9b8231279e9beef0f2a8079188c4776c25688e0 \ - --hash=sha256:52e75a82bbc9b42e63c08d22ad0ac525117e72aee9729a069d7c4f235fc4d276 \ - --hash=sha256:7291e64d7129f24d1b0c947ec3ec4c0076e958d1475c61202497c6aced35dd19 \ - --hash=sha256:794ada3400a0d0b89e3015f1a7e01f4c97320ac665b7bc3ade24b50b54cb2972 \ - --hash=sha256:7e4e308f16e07c95fc7753fc1aaac690a323b2bb9f4ec5e844a97bb7fbebd748 \ - --hash=sha256:800c50371bdcb99b3c1551d5691e14d16d6f07063a518770254227f7f6e8c178 \ - --hash=sha256:8e25ddd9cd63ba1f3bd51c1f09903904a6adf8429df34f17d728a8fa11174253 \ - --hash=sha256:932cd69eefe4daf8c7d92bd6689f7e8182571cb934ea720af218929da7bd7d69 \ - --hash=sha256:9ad7dfbd138d09d9a7e6931e6a7e797651ce29becd688be8a0d4d5f8177b4b0c \ - --hash=sha256:a50af6e828ee692fb10ff2dfe53f05caecf077f4210fae9677e06a808275754f \ - --hash=sha256:cf4d3fa53644137f6a4a27a2b397381d16454a1566ae5335855c187fbf67e4f5 - # via ssvc (pyproject.toml) -secretstorage==3.3.3 \ - --hash=sha256:2403533ef369eca6d2ba81718576c5e0f564d5cca1b58f73a8b23e7d4eeebd77 \ - --hash=sha256:f356e6628222568e3af06f2eba8df495efa13b3b63081dafd4f7d9a7b7bc9f99 - # via keyring -setuptools==74.1.2 \ - --hash=sha256:5f4c08aa4d3ebcb57a50c33b1b07e94315d7fc7230f7115e47fc99776c8ce308 \ - --hash=sha256:95b40ed940a1c67eb70fc099094bd6e99c6ee7c23aa2306f4d2697ba7916f9c6 - # via ssvc (pyproject.toml) -shellingham==1.5.4 \ - --hash=sha256:7ecfff8f2fd72616f7481040475a65b2bf8af90a56c89140852d1120324e8686 \ - --hash=sha256:8dbca0739d487e5bd35ab3ca4b36e11c4078f3a234bfce294b0a0291363404de - # via poetry -six==1.16.0 \ - --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \ - --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 - # via html5lib -sortedcontainers==2.4.0 \ - --hash=sha256:25caa5a06cc30b6b83d11423433f65d1f9d76c4c6a0c90e3379eaa43b9bfdb88 \ - --hash=sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0 - # via cyclonedx-python-lib -toml==0.10.2 \ - --hash=sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b \ - --hash=sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f - # via pip-audit -tomlkit==0.13.2 \ - --hash=sha256:7a974427f6e119197f670fbbbeae7bef749a6c14e793db934baefc1b5f03efde \ - --hash=sha256:fff5fe59a87295b278abd31bec92c15d9bc4a06885ab12bcea52c71119392e79 - # via poetry -trove-classifiers==2024.9.12 \ - --hash=sha256:4b46b3e134a4d01999ac5bc6e528afcc10cc48f0f724f185f267e276005768f4 \ - --hash=sha256:f88a27a892891c87c5f8bbdf110710ae9e0a4725ea8e0fb45f1bcadf088a491f - # via poetry -urllib3==2.2.3 \ - --hash=sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac \ - --hash=sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9 - # via - # dulwich - # requests -uv==0.4.2 \ - --hash=sha256:0b508e7c93dc60b184c82a3bc73dcacf5fa5141c7b8bfef29968615157d206b6 \ - --hash=sha256:0b54932a0d341db3c8bfc4ec56960e3e082559a944fc5c0fc9dba3fb2c088e17 \ - --hash=sha256:1374b17da794decdea2bcf4ffd4e54c2d07c610f54dd6f0dbbdef66fb1c49c32 \ - --hash=sha256:2150130c4a4b7058ffbad5dc31dc83bbaf0f023ff7f6652415357b80b3e34632 \ - --hash=sha256:22db3b707c7e22be67d6ba5209795584bb0890cec5c5d64c751f311252731787 \ - --hash=sha256:4f4f673ba445394c9d189915463da89692fe3b7378ce3dd51b03b9c1e34a04eb \ - --hash=sha256:505aa8f21ca3e28af96dc2985e25db93593690d83a70126d7ca105ad7e108a7d \ - --hash=sha256:51213d541dd1603d938ef8b27dcda97350d8dba2438b2a9a627c2c7f009fdc5a \ - --hash=sha256:5b33e48d06eef2d2c1f7db08426c6df87e47d475812a8b1c177eaa279a356d6a \ - --hash=sha256:63a18737aca1a6804d3f670e1bf47c91812d56fb668c577a3405c09bd2d6fbe9 \ - --hash=sha256:69ae75af5dcaec17f89be07ae04c86021b2ecb9e6596b113f04f730f2ddfdb3c \ - --hash=sha256:6f3b407a7ea601f92212e99ae15c9d460731c2c9d6376470ce2576152e6726fa \ - --hash=sha256:721f5d0f3bc79c8fe080474459f4c43dcad60ba2901a83c8854b9d27f6f99b3b \ - --hash=sha256:8289141779aeccddb72be3a541c973db5c00ae9838d4fd76e79a9b27ae95968d \ - --hash=sha256:90c0a2267443e9a257c0b543f63b8a908fbfda692da2e921c350a804f394d311 \ - --hash=sha256:d669eabd18cf7f2c1fb7dab2699c9a7cb2b3fc51f461503a17220d79994ae258 \ - --hash=sha256:e34e63761ec3ce921d17e73e5584b9398c4192d7439489d8ca6a87366ced89b3 \ - --hash=sha256:f7e9e465d01cd7f4e8d40243db5683815eba851a15c310fb83b301adb5297629 - # via ssvc (pyproject.toml) -virtualenv==20.26.3 \ - --hash=sha256:4c43a2a236279d9ea36a0d76f98d84bd6ca94ac4e0f4a3b9d46d05e10fea542a \ - --hash=sha256:8cc4a31139e796e9a7de2cd5cf2489de1217193116a8fd42328f1bd65f434589 - # via poetry -webencodings==0.5.1 \ - --hash=sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78 \ - --hash=sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923 - # via html5lib diff --git a/sbom.cdx.json b/sbom.cdx.json deleted file mode 100644 index 9b3dc1a..0000000 --- a/sbom.cdx.json +++ /dev/null @@ -1,51 +0,0 @@ -{ - "metadata": { - "timestamp": "2024-09-04T13:24:57.417257+00:00", - "tools": [ - { - "externalReferences": [ - { - "type": "build-system", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" - }, - { - "type": "distribution", - "url": "https://pypi.org/project/cyclonedx-python-lib/" - }, - { - "type": "documentation", - "url": "https://cyclonedx-python-library.readthedocs.io/" - }, - { - "type": "issue-tracker", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" - }, - { - "type": "license", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" - }, - { - "type": "release-notes", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" - }, - { - "type": "vcs", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib" - }, - { - "type": "website", - "url": "https://github.com/CycloneDX/cyclonedx-python-lib/#readme" - } - ], - "name": "cyclonedx-python-lib", - "vendor": "CycloneDX", - "version": "7.6.0" - } - ] - }, - "serialNumber": "urn:uuid:7d01ccc5-7c1a-494c-9ca2-1faea52cf0fd", - "version": 1, - "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", - "bomFormat": "CycloneDX", - "specVersion": "1.4" -} diff --git a/sbom.spdx.json b/sbom.spdx.json deleted file mode 100644 index 1424fb2..0000000 --- a/sbom.spdx.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "SPDXID": "SPDXRef-DOCUMENT", - "spdxVersion": "SPDX-2.2", - "creationInfo": { - "comment": "This SPDX document has been converted from CycloneDX format.", - "created": "2024-09-04T13:24:57.417257Z", - "creators": [ - "Tool: cyclonedx-python-lib-7.6.0" - ] - }, - "name": "CycloneDX BOM", - "dataLicense": "CC0-1.0", - "documentNamespace": "http://spdx.org/spdxdocs/CycloneDX BOM-7d01ccc5-7c1a-494c-9ca2-1faea52cf0fd" -} \ No newline at end of file diff --git a/semgrep.sarif.json b/semgrep.sarif.json deleted file mode 100644 index 5f200dc..0000000 --- a/semgrep.sarif.json +++ /dev/null @@ -1,60002 +0,0 @@ -{ - "version": "2.1.0", - "runs": [ - { - "invocations": [ - { - "executionSuccessful": true, - "toolExecutionNotifications": [ - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.injection.apexsoqlinjectionfromunescapedurlparam.soql-injection-unescaped-url-param:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.endpoints.namedcredentialsstringmatch.named-credentials-string-match:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.dml.dmlnativestatements.dml-native-statements:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.best-practice.ncino.urls.absoluteurls.absolute-urls:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.sharing.specifysharinglevel.specify-sharing-level:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.system.systemdebug.system-debug:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.best-practice.ncino.accessmodifiers.globalaccessmodifiers.global-access-modifiers:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.dml.apexcsrfconstructor.apex-csrf-constructor:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.encryption.badcrypto.bad-crypto:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.injection.apexsoqlinjectionunescapedparam.soql-injection-unescaped-param:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.endpoints.namedcredentialsconstantmatch.named-credentials-constant-match:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Missing plugin" - }, - "level": "note", - "message": { - "text": "Missing plugin for rule apex.lang.security.ncino.endpoints.insecurehttprequest.insecure-http-request:\n Missing Semgrep extension needed for parsing Apex target. Try adding `--pro` to your command." - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-urllib3.tainted-django-http-request-urllib3:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.xml.tainted-django-xml-xpath-stdlib.tainted-django-xml-xpath-stdlib:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-toml-django.tainted-path-traversal-toml-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-httplib2.tainted-django-http-request-httplib2:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-torch-pickle-django.tainted-torch-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-pyyaml-django.tainted-pyyaml-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-fs-django.tainted-path-traversal-fs-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-requests.tainted-django-http-request-requests:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-openpyxl-django.tainted-path-traversal-openpyxl-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.regex.tainted-regex-stdlib-django.tainted-regex-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.aiosqlite-django.aiosqlite-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-pycurl.tainted-django-http-request-pycurl:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.xml.tainted-django-xml-stdlib.tainted-django-xml-stdlib:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.pymongo-django.pymongo-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.sqlalchemy-django-relationship.sqlalchemy-django-relationship:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-pickleshare-django.tainted-pickleshare-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.peewee-django.peewee-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.sqlobject-django.sqlobject-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.os.tainted-os-command-stdlib-django.tainted-os-command-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-aiofile-django.tainted-path-traversal-aiofile-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-paramiko.tainted-django-http-request-paramiko:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.xml.tainted-django-xml-libxml2.tainted-django-xml-libxml2:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-marshal-django.tainted-marshal-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.ai.prompt-injection-django.prompt-injection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.os.tainted-dotenv-variable-django.tainted-dotenv-variable-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-crispy-forms-disable-csrf.django-crispy-forms-disable-csrf:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.os.tainted-os-command-stdlib-django-secure-default.tainted-os-command-stdlib-django-secure-default:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-pickle-django.tainted-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-httpx.tainted-django-http-request-httpx:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.sqlalchemy-django.sqlalchemy-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-stdlib-django.tainted-path-traversal-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.xml.tainted-django-xml-lxml.tainted-django-xml-lxml:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-shelve-django.tainted-shelve-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-dill-django.tainted-dill-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.os.tainted-os-command-paramiko-django.tainted-os-command-paramiko-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.ponyorm-django.ponyorm-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-pandas-pickle-django.tainted-pandas-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-aiohttp.tainted-django-http-request-aiohttp:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-path-traversal-pillow-django.tainted-path-traversal-pillow-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-jsonpickle-django.tainted-jsonpickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.sqlobject-connection-django.sqlobject-connection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-numpy-pickle-django.tainted-numpy-pickle-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-ruamel-django.tainted-ruamel-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.log.tainted-log-injection-stdlib-django.tainted-log-injection-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.sqlalchemy-connection-django.sqlalchemy-connection-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.code.tainted-code-stdlib-django.tainted-code-stdlib-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.net.tainted-django-http-request-boto3.tainted-django-http-request-boto3:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.deserialization.tainted-pandas-hdf-django.tainted-pandas-hdf-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.generic-sql-django.generic-sql-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-samesite-missing.django-cookie-samesite-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-secure-missing.django-cookie-secure-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.db.djangoorm-django.djangoorm-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-httponly-false.django-cookie-httponly-false:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-samesite-none.django-cookie-samesite-none:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.file.tainted-file-response-django.tainted-filename-response-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.tainted-direct-response-django.tainted-direct-response-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-httponly-missing.django-cookie-httponly-missing:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.django-cookie-secure-false.django-cookie-secure-false:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Incompatible rule" - }, - "level": "note", - "message": { - "text": "Incompatible rule python.django.web.tainted-redirect-django.tainted-redirect-django:\n This rule requires upgrading Semgrep from version 1.74.0 to at least 1.81.0" - } - }, - { - "descriptor": { - "id": "Syntax error" - }, - "level": "warning", - "message": { - "text": "Syntax error at line semgrep.sarif.json:1:\n missing element" - } - }, - { - "descriptor": { - "id": "Syntax error" - }, - "level": "warning", - "message": { - "text": "Syntax error at line .github/workflows/action.yml:100:\n When parsing a snippet as Bash for metavariable-pattern in rule 'yaml.github-actions.security.curl-eval.curl-eval', `${{` was unexpected" - } - }, - { - "descriptor": { - "id": "Syntax error" - }, - "level": "warning", - "message": { - "text": "Syntax error at line sbom.cdx.json:1:\n missing element" - } - }, - { - "descriptor": { - "id": "Syntax error" - }, - "level": "warning", - "message": { - "text": "Syntax error at line sbom.spdx.json:1:\n missing element" - } - } - ] - } - ], - "results": [], - "tool": { - "driver": { - "name": "Semgrep OSS", - "rules": [ - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret", - "id": "swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret", - "name": "swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.cryptoswift.pkcs5-hardcoded-secret.pkcs5-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)." - }, - "help": { - "markdown": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name)." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-request.ssrf", - "id": "csharp.lang.security.ssrf.web-request.ssrf", - "name": "csharp.lang.security.ssrf.web-request.ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.ssrf.web-request.ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret", - "id": "swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret", - "name": "swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.cryptoswift.scrypt-hardcoded-secret.scrypt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hardcoded Key is identified." - }, - "help": { - "markdown": "A hardcoded Key is identified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_api_key)\n", - "text": "A hardcoded Key is identified." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_api_key", - "id": "mobsf.mobsfscan.android.secrets.hardcoded_api_key", - "name": "mobsf.mobsfscan.android.secrets.hardcoded_api_key", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-798", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.secrets.hardcoded_api_key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false." - }, - "help": { - "markdown": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n", - "text": "External entities are allowed for $DBFACTORY. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://xml.org/sax/features/external-general-entities\" to false." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", - "id": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", - "name": "java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-external-general-entities-true.documentbuilderfactory-external-general-entities-true" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host", - "id": "go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host", - "name": "go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.ssrf.grpc-tainted-url-host.grpc-tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher." - }, - "help": { - "markdown": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n", - "text": "Detected an insufficient key size for RSA. NIST recommends a key size of 2048 or higher." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "id": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "name": "python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.insufficient-rsa-key-size.insufficient-rsa-key-size" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead." - }, - "help": { - "markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py](https://github.com/PyCQA/bandit/blob/d5f8fa0d89d7b11442fc6ec80ca42953974354c8/bandit/plugins/injection_paramiko.py)\n", - "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context()' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command", - "id": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command", - "name": "python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.paramiko.paramiko-exec-command.paramiko-exec-command" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path." - }, - "help": { - "markdown": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/](https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/)\n - [https://www.youtube.com/watch?v=CIhHpkybYsY](https://www.youtube.com/watch?v=CIhHpkybYsY)\n - [https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf](https://github.com/orangetw/My-Presentation-Slides/blob/main/data/2018-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out.pdf)\n", - "text": "The alias in this location block is subject to a path traversal because the location path does not end in a path separator (e.g., '/'). To fix, add a path separator to the end of the path." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.alias-path-traversal.alias-path-traversal", - "id": "generic.nginx.security.alias-path-traversal.alias-path-traversal", - "name": "generic.nginx.security.alias-path-traversal.alias-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.alias-path-traversal.alias-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks droneci-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks droneci-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.droneci-access-token.droneci-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks droneci-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.droneci-access-token.droneci-access-token", - "id": "generic.secrets.gitleaks.droneci-access-token.droneci-access-token", - "name": "generic.secrets.gitleaks.droneci-access-token.droneci-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.droneci-access-token.droneci-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "help": { - "markdown": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.exec-detected.exec-detected", - "id": "python.lang.security.audit.exec-detected.exec-detected", - "name": "python.lang.security.audit.exec-detected.exec-detected", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file." - }, - "help": { - "markdown": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#security)\n - [https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration](https://www.playframework.com/documentation/2.8.x/SettingsSession#Session-Configuration)\n", - "text": "Session cookie `Secure` flag is explicitly disabled. The `secure` flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the `Secure` flag by setting `secure` to `true` in configuration file." - }, - "helpUri": "https://semgrep.dev/r/scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings", - "id": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings", - "name": "scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.play.security.conf-insecure-cookie-settings.conf-insecure-cookie-settings" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource." - }, - "help": { - "markdown": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#master_password)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/rds_cluster#master_password)\n - [https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password)\n", - "text": "RDS instance or cluster with hardcoded credentials in source code. It is recommended to pass the credentials at runtime, or generate random credentials using the random_password resource." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code", - "id": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code", - "name": "terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.rds-insecure-password-storage-in-source-code.rds-insecure-password-storage-in-source-code" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token", - "id": "javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token", - "name": "javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.superagent.hardcoded-bearer-token.hardcoded-bearer-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "help": { - "markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "id": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "name": "kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload." - }, - "help": { - "markdown": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "The object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload." - }, - "helpUri": "https://semgrep.dev/r/javascript.jose.security.audit.jose-exposed-data.jose-exposed-data", - "id": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data", - "name": "javascript.jose.security.audit.jose-exposed-data.jose-exposed-data", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jose.security.audit.jose-exposed-data.jose-exposed-data" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "id": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "name": "java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.cookie-missing-httponly.cookie-missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host", - "id": "go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host", - "name": "go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gin.ssrf.gin-tainted-url-host.gin-tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit." - }, - "help": { - "markdown": "AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "AES symmetric cryptographic operations were identified using a key size of 128bit which is less than the industry standard recommendation of 256bit." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize", - "id": "swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize", - "name": "swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-aes-keysize.insecure-crypto-aes-keysize" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify." - }, - "help": { - "markdown": "'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n", - "text": "'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw", - "id": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw", - "name": "ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.avoid-raw.avoid-raw" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks digitalocean-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks digitalocean-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks digitalocean-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token", - "id": "generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token", - "name": "generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.digitalocean-refresh-token.digitalocean-refresh-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly", - "id": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly", - "name": "kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.cookie-missing-httponly.cookie-missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML." - }, - "help": { - "markdown": "Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-scripting-xss)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.md)\n", - "text": "Detected data rendered directly to the end user via 'response' This bypasses Laravel's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Laravel's template engine to safely render HTML." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-direct-response-write.laravel-direct-response-write", - "id": "php.laravel.security.laravel-direct-response-write.laravel-direct-response-write", - "name": "php.laravel.security.laravel-direct-response-write.laravel-direct-response-write", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-direct-response-write.laravel-direct-response-write" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XMLDecoder should not be used to parse untrusted data.\nDeserializing user input can lead to arbitrary code execution.\nUse an alternative and explicitly disable external entities.\n" - }, - "help": { - "markdown": "XMLDecoder should not be used to parse untrusted data.\nDeserializing user input can lead to arbitrary code execution.\nUse an alternative and explicitly disable external entities.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe)\n", - "text": "XMLDecoder should not be used to parse untrusted data.\nDeserializing user input can lead to arbitrary code execution.\nUse an alternative and explicitly disable external entities.\n" - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe", - "id": "mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe", - "name": "mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-611", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.xxe.xmldecoder_xxe.xml_decoder_xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security." - }, - "help": { - "markdown": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone)\n - [https://pkg.go.dev/github.com/gorilla/sessions#Options](https://pkg.go.dev/github.com/gorilla/sessions#Options)\n", - "text": "Found SameSiteNoneMode setting in Gorilla session options. Consider setting SameSite to Lax, Strict or Default for enhanced security." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone", - "id": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone", - "name": "go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-samesitenone.session-cookie-samesitenone" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible." - }, - "help": { - "markdown": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#concepts-public-addresses)\n", - "text": "Resources in the AWS subnet are assigned a public IP address. Resources should not be exposed on the public internet, but should have access limited to consumers required for the function of your application. Set `map_public_ip_on_launch` to false so that resources are not publicly-accessible." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address", - "id": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address", - "name": "terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-subnet-has-public-ip-address.aws-subnet-has-public-ip-address" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-none-alg.jwt-none-alg", - "id": "javascript.jose.security.jwt-none-alg.jwt-none-alg", - "name": "javascript.jose.security.jwt-none-alg.jwt-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jose.security.jwt-none-alg.jwt-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask", - "id": "python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask", - "name": "python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-pandas-hdf-flask.tainted-pandas-hdf-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/java.jjwt.security.jwt-none-alg.jjwt-none-alg", - "id": "java.jjwt.security.jwt-none-alg.jjwt-none-alg", - "name": "java.jjwt.security.jwt-none-alg.jjwt-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jjwt.security.jwt-none-alg.jjwt-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password", - "id": "rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password", - "name": "rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.diesel.mysql-connection-empty-password.mysql-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value." - }, - "help": { - "markdown": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-secrets.check-secrets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb](https://github.com/presidentbeef/brakeman/blob/3f5d5d5f00864cdf7769c50f5bd26f1769a4ba75/test/apps/rails3.1/app/controllers/users_controller.rb)\n", - "text": "Found a Brakeman-style secret - a variable with the name password/secret/api_key/rest_auth_site_key and a non-empty string literal value." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-secrets.check-secrets", - "id": "ruby.rails.security.brakeman.check-secrets.check-secrets", - "name": "ruby.rails.security.brakeman.check-secrets.check-secrets", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-secrets.check-secrets" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files." - }, - "help": { - "markdown": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing)\n - [https://github.com/OWASP/Go-SCP](https://github.com/OWASP/Go-SCP)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n", - "text": "Detected usage of 'http.FileServer' as handler: this allows directory listing and an attacker could navigate through directories looking for sensitive files. Be sure to disable directory listing or restrict access to specific directories/files." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.fs-directory-listing.fs-directory-listing", - "id": "go.lang.security.audit.net.fs-directory-listing.fs-directory-listing", - "name": "go.lang.security.audit.net.fs-directory-listing.fs-directory-listing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-548: Exposure of Information Through Directory Listing", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.fs-directory-listing.fs-directory-listing" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this." - }, - "help": { - "markdown": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.no-send.bad-send)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_send.rb)\n - [https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html](https://the.igreque.info/posts/2016/01-object-send-considered-harmful-en.html)\n", - "text": "Checks for unsafe use of Object#send, try, __send__, and public_send. These only account for unsafe use of a method, not target. This can lead to arbitrary calling of exit, along with arbitrary code execution. Please be sure to sanitize input in order to avoid this." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.no-send.bad-send", - "id": "ruby.lang.security.no-send.bad-send", - "name": "ruby.lang.security.no-send.bad-send", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.no-send.bad-send" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'." - }, - "help": { - "markdown": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n", - "text": "SSLv3 is insecure because it has known vulnerabilities. Starting with go1.14, SSLv3 will be removed. Instead, use 'tls.VersionTLS13'." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure", - "id": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure", - "name": "go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.crypto.ssl.ssl-v3-is-insecure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.node-expat.security.audit.expat-xxe.expat-xxe", - "id": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", - "name": "javascript.node-expat.security.audit.expat-xxe.expat-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.node-expat.security.audit.expat-xxe.expat-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri", - "id": "ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri", - "name": "ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.redis.ruby-redis-hardcoded-uri.ruby-redis-hardcoded-uri" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true" - }, - "help": { - "markdown": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n", - "text": "Bucket $X is not set to enforce encryption-in-transit, if not explictly setting this on the bucket policy - the property \"enforceSSL\" should be set to true" - }, - "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl", - "id": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl", - "name": "typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-enforcessl.aws-cdk-bucket-enforcessl" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint", - "id": "csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint", - "name": "csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.sqli.entityframework-taint.entityframework-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format", - "id": "java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format", - "name": "java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep-format.tainted-ssrf-deepsemgrep-format" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass." - }, - "help": { - "markdown": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault#network_acls)\n - [https://docs.microsoft.com/en-us/azure/key-vault/general/network-security](https://docs.microsoft.com/en-us/azure/key-vault/general/network-security)\n", - "text": "Network ACLs allow you to reduce your exposure to risk by limiting what can access your key vault. The default action of the Network ACL should be set to deny for when IPs are not matched. Azure services can be allowed to bypass." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl", - "id": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl", - "name": "terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-specify-network-acl.keyvault-specify-network-acl" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password", - "id": "rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password", - "name": "rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.sqlx.mysql-connection-empty-password.mysql-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec)\n - [https://guides.rubyonrails.org/security.html#command-line-injection](https://guides.rubyonrails.org/security.html#command-line-injection)\n", - "text": "Detected non-static command inside $EXEC. Audit the input to '$EXEC'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-exec.dangerous-exec", - "id": "ruby.lang.security.dangerous-exec.dangerous-exec", - "name": "ruby.lang.security.dangerous-exec.dangerous-exec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.dangerous-exec.dangerous-exec" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cannot determine what '$UNK' is and it is used with a ' which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL." - }, - "help": { - "markdown": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss)\n - [https://owasp.org/www-community/attacks/DOM_Based_XSS](https://owasp.org/www-community/attacks/DOM_Based_XSS)\n", - "text": "Detected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default= which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.security.dom-based-xss.dom-based-xss", - "id": "javascript.browser.security.dom-based-xss.dom-based-xss", - "name": "javascript.browser.security.dom-based-xss.dom-based-xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.security.dom-based-xss.dom-based-xss" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended." - }, - "help": { - "markdown": "Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request)\n - [https://cwe.mitre.org/data/definitions/95.html](https://cwe.mitre.org/data/definitions/95.html)\n", - "text": "Passing unsanitized user input to a Script Engine or other means of dynamic code evaluation is unsafe. This could lead to code injection with data leakage or arbitrary code execution as a result. Avoid this, or use proper sandboxing if user code evaluation is intended." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request", - "id": "java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request", - "name": "java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-code-injection-from-http-request.tainted-code-injection-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password", - "id": "rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password", - "name": "rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.sqlx.pg-connection-empty-password.pg-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information." - }, - "help": { - "markdown": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls)\n - [https://golang.org/pkg/net/http/#ListenAndServeTLS](https://golang.org/pkg/net/http/#ListenAndServeTLS)\n", - "text": "Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.use-tls.use-tls", - "id": "go.lang.security.audit.net.use-tls.use-tls", - "name": "go.lang.security.audit.net.use-tls.use-tls", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.use-tls.use-tls" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else." - }, - "help": { - "markdown": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-file-permissions.insecure-file-permissions", - "id": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions", - "name": "python.lang.security.audit.insecure-file-permissions.insecure-file-permissions", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-276: Incorrect Default Permissions", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-file-permissions.insecure-file-permissions" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks discord-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks discord-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.discord-client-secret.discord-client-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks discord-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.discord-client-secret.discord-client-secret", - "id": "generic.secrets.gitleaks.discord-client-secret.discord-client-secret", - "name": "generic.secrets.gitleaks.discord-client-secret.discord-client-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.discord-client-secret.discord-client-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "id": "rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "name": "rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)." - }, - "help": { - "markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://www.youtube.com/watch?v=yYTkLUEdIyE](https://www.youtube.com/watch?v=yYTkLUEdIyE)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n", - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag)." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag", - "id": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag", - "name": "ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-script-tag.var-in-script-tag" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks twitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks twitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.twitter-access-token.twitter-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks twitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.twitter-access-token.twitter-access-token", - "id": "generic.secrets.gitleaks.twitter-access-token.twitter-access-token", - "name": "generic.secrets.gitleaks.twitter-access-token.twitter-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.twitter-access-token.twitter-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data." - }, - "help": { - "markdown": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-response.tainted-html-response", - "id": "python.aws-lambda.security.tainted-html-response.tainted-html-response", - "name": "python.aws-lambda.security.tainted-html-response.tainted-html-response", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.tainted-html-response.tainted-html-response" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User controlled strings in exec() will result in command execution." - }, - "help": { - "markdown": "User controlled strings in exec() will result in command execution.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.injection.command_injection.command_injection)\n", - "text": "User controlled strings in exec() will result in command execution." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.injection.command_injection.command_injection", - "id": "mobsf.mobsfscan.injection.command_injection.command_injection", - "name": "mobsf.mobsfscan.injection.command_injection.command_injection", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-78", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.injection.command_injection.command_injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack" - }, - "help": { - "markdown": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples](https://docs.microsoft.com/en-us/dotnet/standard/base-types/regular-expressions#regular-expression-examples)\n", - "text": "When using `System.Text.RegularExpressions` to process untrusted input, pass a timeout. A malicious user can provide input to `RegularExpressions` that abuses the backtracking behaviour of this regular expression engine. This will lead to excessive CPU usage, causing a Denial-of-Service attack" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", - "id": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", - "name": "csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos.regular-expression-dos" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret", - "id": "kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret", - "name": "kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.sql.jetbrains-hardcoded-empty-secret.jetbrains-hardcoded-empty-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability." - }, - "help": { - "markdown": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n", - "text": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.insecure-object-assign.insecure-object-assign", - "id": "javascript.lang.security.insecure-object-assign.insecure-object-assign", - "name": "javascript.lang.security.insecure-object-assign.insecure-object-assign", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.insecure-object-assign.insecure-object-assign" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid", - "id": "python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid", - "name": "python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-json-pyramid.tainted-json-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "A specially crafted calldata may be used to impersonate other accounts" - }, - "help": { - "markdown": "A specially crafted calldata may be used to impersonate other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection)\n - [https://rekt.news/superfluid-rekt/](https://rekt.news/superfluid-rekt/)\n - [https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd](https://medium.com/superfluid-blog/08-02-22-exploit-post-mortem-15ff9c97cdd)\n - [https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7](https://polygonscan.com/address/0x07711bb6dfbc99a1df1f2d7f57545a67519941e7)\n", - "text": "A specially crafted calldata may be used to impersonate other accounts" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.superfluid-ctx-injection.superfluid-ctx-injection", - "id": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection", - "name": "solidity.security.superfluid-ctx-injection.superfluid-ctx-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-20: Improper Input Validation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.superfluid-ctx-injection.superfluid-ctx-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "help": { - "markdown": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS SSM logs are unencrypted or disabled. Please enable logs and use AWS KMS encryption key to protect SSM logs. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues", - "id": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues", - "name": "terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ssm-document-logging-issues.aws-ssm-document-logging-issues" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block." - }, - "help": { - "markdown": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#default_action)\n - [https://docs.microsoft.com/en-us/azure/firewall/rule-processing](https://docs.microsoft.com/en-us/azure/firewall/rule-processing)\n", - "text": "Detected a Storage that was not configured to deny action by default. Add `default_action = \"Deny\"` in your resource block." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny", - "id": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny", - "name": "terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-16: CWE CATEGORY: Configuration", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.storage.storage-default-action-deny.storage-default-action-deny" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "help": { - "markdown": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-1)\n", - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-1", - "id": "gitlab.find_sec_bugs.HARD_CODE_KEY-1", - "name": "gitlab.find_sec_bugs.HARD_CODE_KEY-1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-321: Use of Hard-coded Cryptographic Key", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: gitlab.find_sec_bugs.HARD_CODE_KEY-1" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks linear-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks linear-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.linear-api-key.linear-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks linear-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.linear-api-key.linear-api-key", - "id": "generic.secrets.gitleaks.linear-api-key.linear-api-key", - "name": "generic.secrets.gitleaks.linear-api-key.linear-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.linear-api-key.linear-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle", - "id": "python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle", - "name": "python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-pandas-pickle.tainted-pandas-pickle" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature." - }, - "help": { - "markdown": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none", - "id": "python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none", - "name": "python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-613: Insufficient Session Expiration", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-login-session-protection-app-config-none.flask-login-session-protection-app-config-none" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead." - }, - "help": { - "markdown": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1)\n - [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html](https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html)\n - [https://shattered.io/](https://shattered.io/)\n", - "text": "Should not use SHA1 to generate hashes. There is a proven SHA1 hash collision by Google, which could lead to vulnerabilities. Use SHA256, SHA3 or other hashing functions instead." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1", - "id": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1", - "name": "ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.weak-hashes-sha1.weak-hashes-sha1" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n", - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure that the choice of the `None` value is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing", - "id": "python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing", - "name": "python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-samesite-missing.flask-cookie-samesite-missing" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks." - }, - "help": { - "markdown": "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle)\n", - "text": "The App uses the encryption mode CBC with PKCS5/PKCS7 padding. This configuration is vulnerable to padding oracle attacks." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle", - "id": "mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle", - "name": "mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-649", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.crypto.cbc_padding_oracle.cbc_padding_oracle" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url", - "id": "typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url", - "name": "typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.react-dangerouslysetinnerhtml-url.react-dangerouslysetinnerhtml-url" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.system-command.command-injection-path.command-injection-path", - "id": "cpp.lang.security.system-command.command-injection-path.command-injection-path", - "name": "cpp.lang.security.system-command.command-injection-path.command-injection-path", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.system-command.command-injection-path.command-injection-path" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf", - "id": "go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf", - "name": "go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint-med-conf.grpc-pg-sqli-taint-med-conf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later." - }, - "help": { - "markdown": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/](https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)\n", - "text": "Detected use of an insecure SSL version. Secure SSL versions are TLSv1.2 and TLS1.3; older versions are known to be broken and are susceptible to attacks. Prefer use of TLSv1.2 or later." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-ssl-version.insecure-ssl-version", - "id": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version", - "name": "generic.nginx.security.insecure-ssl-version.insecure-ssl-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.insecure-ssl-version.insecure-ssl-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string." - }, - "help": { - "markdown": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#django.db.models.expressions.RawSQL)\n", - "text": "User-controlled data from request is passed to 'RawSQL()'. This could lead to a SQL injection and therefore protected information could be leaked. Instead, use parameterized queries or escape the user-controlled data by using `params` and not using quote placeholders in the SQL string." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql", - "id": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql", - "name": "python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.sql.sql-injection-rawsql.sql-injection-using-rawsql" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers." - }, - "help": { - "markdown": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing)\n - [https://cwe.mitre.org/data/definitions/548.html](https://cwe.mitre.org/data/definitions/548.html)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration/](https://owasp.org/Top10/A05_2021-Security_Misconfiguration/)\n - [https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing](https://docs.microsoft.com/en-us/aspnet/core/fundamentals/static-files?view=aspnetcore-7.0#directory-browsing)\n", - "text": "An open directory listing is potentially exposed, potentially revealing sensitive information to attackers." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", - "id": "csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", - "name": "csharp.dotnet.security.audit.open-directory-listing.open-directory-listing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-548: Exposure of Information Through Directory Listing", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.audit.open-directory-listing.open-directory-listing" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks github-fine-grained-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks github-fine-grained-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks github-fine-grained-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat", - "id": "generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat", - "name": "generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.github-fine-grained-pat.github-fine-grained-pat" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms." - }, - "help": { - "markdown": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n", - "text": "MD5 hash algorithm detected. This is not collision resistant and leads to easily-cracked password hashes. Replace with current recommended hashing algorithms." - }, - "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-md5.use-of-md5", - "id": "clojure.lang.security.use-of-md5.use-of-md5", - "name": "clojure.lang.security.use-of-md5.use-of-md5", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: clojure.lang.security.use-of-md5.use-of-md5" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize." - }, - "help": { - "markdown": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint)\n - [https://docs.angularjs.org/api/ng/function/angular.element](https://docs.angularjs.org/api/ng/function/angular.element)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "Use of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint", - "id": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint", - "name": "javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-element-taint.detect-angular-element-taint" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "`$PTR` is allocated by `$ALLOC`. The size of this allocation is calculated from `$SIZE_EXPR`. If this calculation overflows then `$SINK` may overflow the heap allocated buffer." - }, - "help": { - "markdown": "`$PTR` is allocated by `$ALLOC`. The size of this allocation is calculated from `$SIZE_EXPR`. If this calculation overflows then `$SINK` may overflow the heap allocated buffer.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.integer-overflow-allocation.integer-overflow-allocation)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM35-C.+Allocate+sufficient+memory+for+an+object](https://wiki.sei.cmu.edu/confluence/display/c/MEM35-C.+Allocate+sufficient+memory+for+an+object)\n", - "text": "`$PTR` is allocated by `$ALLOC`. The size of this allocation is calculated from `$SIZE_EXPR`. If this calculation overflows then `$SINK` may overflow the heap allocated buffer." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.integer-overflow-allocation.integer-overflow-allocation", - "id": "cpp.lang.security.memory.integer-overflow-allocation.integer-overflow-allocation", - "name": "cpp.lang.security.memory.integer-overflow-allocation.integer-overflow-allocation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-680: Integer Overflow to Buffer Overflow", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.integer-overflow-allocation.integer-overflow-allocation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"." - }, - "help": { - "markdown": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected an AWS Elasticsearch domain using an insecure version of TLS. To fix this, set \"tls_security_policy\" equal to \"Policy-Min-TLS-1-2-2019-07\"." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version", - "id": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version", - "name": "terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-insecure-tls-version.aws-elasticsearch-insecure-tls-version" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)" - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Detected string concatenation with a non-literal variable in a pgx Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can use parameterized queries like so: (`SELECT $1 FROM table`, `data1)" - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pgx-sqli.pgx-sqli", - "id": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli", - "name": "go.lang.security.audit.sqli.pgx-sqli.pgx-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.sqli.pgx-sqli.pgx-sqli" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch." - }, - "help": { - "markdown": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster#enabled_cloudwatch_logs_exports)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n", - "text": "Auditing is not enabled for DocumentDB. To ensure that you are able to accurately audit the usage of your DocumentDB cluster, you should enable auditing and export logs to CloudWatch." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled", - "id": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled", - "name": "terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "MEDIUM CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-documentdb-auditing-disabled.aws-documentdb-auditing-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"." - }, - "help": { - "markdown": "Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n - [https://github.com/actions/github-script](https://github.com/actions/github-script)\n", - "text": "Using variable interpolation `${{...}}` with `github` context data in a `actions/github-script`'s `script:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"." - }, - "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.github-script-injection.github-script-injection", - "id": "yaml.github-actions.security.github-script-injection.github-script-injection", - "name": "yaml.github-actions.security.github-script-injection.github-script-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.github-actions.security.github-script-injection.github-script-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret", - "id": "java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret", - "name": "java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.mongo.java-mongo-hardcoded-secret.java-mongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "AWS Session Token detected" - }, - "help": { - "markdown": "AWS Session Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "AWS Session Token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-session-token.detected-aws-session-token", - "id": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token", - "name": "generic.secrets.security.detected-aws-session-token.detected-aws-session-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-aws-session-token.detected-aws-session-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing", - "id": "python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing", - "name": "python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-httponly-missing.flask-cookie-httponly-missing" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead." - }, - "help": { - "markdown": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.IDEA)\n", - "text": "IDEA (International Data Encryption Algorithm) is a block cipher created in 1991. It is an optional component of the OpenPGP standard. This cipher is susceptible to attacks when using weak keys. It is recommended that you do not use this cipher for new applications. Use a strong symmetric cipher such as EAS instead. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea", - "id": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea", - "name": "python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms.insecure-cipher-algorithm-idea" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "help": { - "markdown": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n", - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.open-redirect-pathname.open-redirect-pathname", - "id": "javascript.browser.open-redirect-pathname.open-redirect-pathname", - "name": "javascript.browser.open-redirect-pathname.open-redirect-pathname", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.open-redirect-pathname.open-redirect-pathname" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this." - }, - "help": { - "markdown": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy)\n - [https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#configuring-the-role-and-trust-policy)\n - [https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/](https://dagrz.com/writing/aws-security/hacking-github-aws-oidc/)\n", - "text": "`$POLICY` is missing a `condition` block which scopes users of this policy to specific GitHub repositories. Without this, `$POLICY` is open to all users on GitHub. Add a `condition` block on the variable `token.actions.githubusercontent.com:sub` which scopes it to prevent this." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy", - "id": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy", - "name": "terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.unrestricted-github-oidc-policy.unrestricted-github-oidc-policy" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/java.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "id": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "name": "java.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.aws-lambda.security.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities." - }, - "help": { - "markdown": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Avoid using insecure deserialization library, backed by `pickle`, `_pickle`, `cpickle`, `dill`, `shelve`, or `yaml`, which are known to lead to remote code execution vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization", - "id": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization", - "name": "python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.avoid-insecure-deserialization.avoid-insecure-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-ssrf.tainted-ssrf", - "id": "java.servlets.security.tainted-ssrf.tainted-ssrf", - "name": "java.servlets.security.tainted-ssrf.tainted-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-ssrf.tainted-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`." - }, - "help": { - "markdown": "This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning)\n", - "text": "This app does not use a TLS/SSL certificate or public key pinning in code to detect or prevent MITM attacks in secure communication channel. Please verify if pinning is enabled in `network_security_config.xml`." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning", - "id": "mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning", - "name": "mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-295", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.tls_pinning.android_certificate_pinning" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header." - }, - "help": { - "markdown": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\n - [https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url](https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#url)\n - [https://content-security-policy.com/](https://content-security-policy.com/)\n", - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-href-var.template-href-var", - "id": "python.django.security.audit.xss.template-href-var.template-href-var", - "name": "python.django.security.audit.xss.template-href-var.template-href-var", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.template-href-var.template-href-var" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks planetscale-oauth-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks planetscale-oauth-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks planetscale-oauth-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token", - "id": "generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token", - "name": "generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.planetscale-oauth-token.planetscale-oauth-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference" - }, - "help": { - "markdown": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n", - "text": "Variable `$X` is likely modified and later used on error. In some cases this could result in panics due to a nil dereference" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable", - "id": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable", - "name": "trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-665: Improper Initialization", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.invalid-usage-of-modified-variable.invalid-usage-of-modified-variable" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1", - "id": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1", - "name": "python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm.insecure-hash-algorithm-sha1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "help": { - "markdown": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "An expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.el-injection.el-injection", - "id": "java.lang.security.audit.el-injection.el-injection", - "name": "java.lang.security.audit.el-injection.el-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.el-injection.el-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/rust.rocket.nosql.mongodb-taint.mongodb-taint", - "id": "rust.rocket.nosql.mongodb-taint.mongodb-taint", - "name": "rust.rocket.nosql.mongodb-taint.mongodb-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.rocket.nosql.mongodb-taint.mongodb-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password", - "id": "java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password", - "name": "java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jedis.secrets.jedis-jedisfactory-hardcoded-password.jedis-jedisfactory-hardcoded-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret", - "id": "python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret", - "name": "python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pg8000.python-pg8000-hardcoded-secret.python-pg8000-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false", - "id": "python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false", - "name": "python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.web.fastapi-cookie-secure-false.fastapi-cookie-secure-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'." - }, - "help": { - "markdown": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/settings/#templates](https://docs.djangoproject.com/en/3.1/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates)\n", - "text": "Detected a Context with autoescape disabled. If you are rendering any web pages, this exposes your application to cross-site scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it to 'True'." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.context-autoescape-off.context-autoescape-off", - "id": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off", - "name": "python.django.security.audit.xss.context-autoescape-off.context-autoescape-off", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.context-autoescape-off.context-autoescape-off" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that MySQL server enables infrastructure encryption" - }, - "help": { - "markdown": "Ensure that MySQL server enables infrastructure encryption\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure that MySQL server enables infrastructure encryption" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled", - "id": "terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled", - "name": "terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.azure-mysql-encryption-enabled.azure-mysql-encryption-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `wkhtmltopdf` it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection", - "id": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection", - "name": "javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.wkhtmltopdf.security.audit.wkhtmltopdf-injection.wkhtmltopdf-injection" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm." - }, - "help": { - "markdown": "This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "This hashing algorithm is insecure. If this hash is used in a security context, such as password hashing, it should be converted to a stronger hashing algorithm." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.crypto.insecure-hash.insecure-hash", - "id": "cpp.lang.security.crypto.insecure-hash.insecure-hash", - "name": "cpp.lang.security.crypto.insecure-hash.insecure-hash", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.crypto.insecure-hash.insecure-hash" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret", - "id": "ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret", - "name": "ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.pg.ruby-pg-hardcoded-secret.ruby-pg-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "help": { - "markdown": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n", - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". If this wasn't intentional, it's recommended to set the the `SameSite` attribute of the important cookies (e.g., session cookie) to either `Strict` or `Lax`. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement. You can use the Cookie Policy Middleware to globally set the `SameSite` attribute. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none", - "id": "csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none", - "name": "csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.cookies.cookie-samesite-none.cookie-samesite-none" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined." - }, - "help": { - "markdown": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace)\n - [https://github.com/returntocorp/semgrep-rules/issues/518](https://github.com/returntocorp/semgrep-rules/issues/518)\n", - "text": "Detected a potentially dynamic ClientTrace. This occurred because semgrep could not find a static definition for '$TRACE'. Dynamic ClientTraces are dangerous because they deserialize function code to run when certain Request events occur, which could lead to code being run without your knowledge. Ensure that your ClientTrace is statically defined." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace", - "id": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace", - "name": "go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-913: Improper Control of Dynamically-Managed Code Resources", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.dynamic-httptrace-clienttrace.dynamic-httptrace-clienttrace" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies." - }, - "help": { - "markdown": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage)\n - [https://www.npmjs.com/package/csurf](https://www.npmjs.com/package/csurf)\n - [https://www.npmjs.com/package/csrf](https://www.npmjs.com/package/csrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "A CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage", - "id": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage", - "name": "javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information." - }, - "help": { - "markdown": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS CloudWatch Log Group has no retention. Missing retention in log groups can cause losing important event information." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention", - "id": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention", - "name": "terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection", - "id": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection", - "name": "javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-code-injection.puppeteer-evaluate-code-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS." - }, - "help": { - "markdown": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication)\n - [https://cwe.mitre.org/data/definitions/287.html](https://cwe.mitre.org/data/definitions/287.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n", - "text": "Basic authentication is considered weak and should be avoided. Use a different authentication scheme, such of OAuth2, OpenID Connect, or mTLS." - }, - "helpUri": "https://semgrep.dev/r/yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication", - "id": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication", - "name": "yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A04:2021 Insecure Design", - "OWASP-A07:2021 Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.openapi.security.use-of-basic-authentication.use-of-basic-authentication" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi", - "id": "python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi", - "name": "python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-pickle-fastapi.tainted-pickle-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users." - }, - "help": { - "markdown": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n - [https://golang.org/pkg/io/#WriteString](https://golang.org/pkg/io/#WriteString)\n", - "text": "Detected 'io.WriteString()' writing directly to 'http.ResponseWriter'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter", - "id": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter", - "name": "go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.xss.no-io-writestring-to-responsewriter.no-io-writestring-to-responsewriter" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "helpUri": "https://semgrep.dev/r/kotlin.spring.hibernate-sqli.hibernate-sqli", - "id": "kotlin.spring.hibernate-sqli.hibernate-sqli", - "name": "kotlin.spring.hibernate-sqli.hibernate-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.spring.hibernate-sqli.hibernate-sqli" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks squarespace-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks squarespace-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks squarespace-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token", - "id": "generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token", - "name": "generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.squarespace-access-token.squarespace-access-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-config-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-config-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-config-refresh-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token", - "id": "generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token", - "name": "generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-config-refresh-token.slack-config-refresh-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues" - }, - "help": { - "markdown": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality)\n - [https://www.php.net/manual/en/types.comparisons.php](https://www.php.net/manual/en/types.comparisons.php)\n - [https://www.whitehatsec.com/blog/magic-hashes/](https://www.whitehatsec.com/blog/magic-hashes/)\n", - "text": "Make sure comparisons involving md5 values are strict (use `===` not `==`) to avoid type juggling issues" - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.md5-loose-equality.md5-loose-equality", - "id": "php.lang.security.md5-loose-equality.md5-loose-equality", - "name": "php.lang.security.md5-loose-equality.md5-loose-equality", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-697: Incorrect Comparison", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.md5-loose-equality.md5-loose-equality" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "bcrypt hash detected" - }, - "help": { - "markdown": "bcrypt hash detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "bcrypt hash detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash", - "id": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash", - "name": "generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-bcrypt-hash.detected-bcrypt-hash" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege." - }, - "help": { - "markdown": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository_policy)\n - [https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html](https://docs.aws.amazon.com/lambda/latest/operatorguide/wildcard-permissions-iam.html)\n - [https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html](https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/monitor-amazon-ecr-repositories-for-wildcard-permissions-using-aws-cloudformation-and-aws-config.html)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n", - "text": "Detected wildcard access granted in your ECR repository policy principal. This grants access to all users, including anonymous users (public access). Instead, limit principals, actions and resources to what you need according to least privilege." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal", - "id": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal", - "name": "terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ecr-repository-wildcard-principal.aws-ecr-repository-wildcard-principal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value", - "id": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value", - "name": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-httponly-unsafe-value.pyramid-authtkt-cookie-httponly-unsafe-value" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." - }, - "help": { - "markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n", - "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." - }, - "helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials", - "id": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials", - "name": "python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jwt.security.jwt-exposed-credentials.jwt-python-exposed-credentials" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This gets data from session using user inputs. A malicious user may be able to retrieve information from your session that you didn't intend them to. Do not use user input as a session key." - }, - "help": { - "markdown": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation)\n - [https://brakemanscanner.org/docs/warning_types/session_manipulation/](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n", - "text": "## Remediation\nSession manipulation can occur when an application allows user-input in session keys. Since sessions are typically considered a source of truth (e.g. to check the logged-in user or to match CSRF tokens), allowing an attacker to manipulate the session may lead to unintended behavior.\n\n## References\n[Session Manipulation](https://brakemanscanner.org/docs/warning_types/session_manipulation/)\n" - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation", - "id": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation", - "name": "ruby.rails.security.audit.avoid-session-manipulation.avoid-session-manipulation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-276: Incorrect Default Permissions", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Allowing an attacker to manipulate the session may lead to unintended behavior." - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`" - }, - "help": { - "markdown": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n", - "text": "Allowing user input to `send_file` allows a malicious user to potentially read arbitrary files from the server. Avoid accepting user input in `send_file` or normalize with `File.basename(...)`" - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-send-file.check-send-file", - "id": "ruby.rails.security.brakeman.check-send-file.check-send-file", - "name": "ruby.rails.security.brakeman.check-send-file.check-send-file", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-73: External Control of File Name or Path", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-send-file.check-send-file" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string", - "id": "python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string", - "name": "python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-connection-string.python-psycopg2-hardcoded-connection-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements." - }, - "help": { - "markdown": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n", - "text": "Detected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements." - }, - "helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection", - "id": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection", - "name": "javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-injection-express.express-sequelize-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "transferFrom() can steal allowance of other accounts" - }, - "help": { - "markdown": "transferFrom() can steal allowance of other accounts\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug)\n - [https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5](https://medium.com/immunefi/redacted-cartel-custom-approval-logic-bugfix-review-9b2d039ca2c5)\n - [https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C](https://etherscan.io/address/0x186E55C0BebD2f69348d94C4A27556d93C5Bd36C)\n", - "text": "transferFrom() can steal allowance of other accounts" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug", - "id": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug", - "name": "solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-688: Function Call With Incorrect Variable or Reference as Argument", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.redacted-cartel-custom-approval-bug.redacted-cartel-custom-approval-bug" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources." - }, - "help": { - "markdown": "WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access)\n", - "text": "WebView File System Access is enabled. An attacker able to inject script into a WebView, could exploit the opportunity to access local resources." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access", - "id": "mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access", - "name": "mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-73", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.webview.webview_file_access.webview_set_allow_file_access" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Ensure AWS Redshift cluster is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk", - "id": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk", - "name": "terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-redshift-cluster-encrypted-with-cmk.aws-redshift-cluster-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi", - "id": "python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi", - "name": "python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-pyyaml-fastapi.tainted-pyyaml-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off." - }, - "help": { - "markdown": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Found that the setting for providing detailed exception reports in Rails is set to true. This can lead to information exposure, where sensitive system or internal information is displayed to the end user. Instead, turn this setting off." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.detailed-exceptions.detailed-exceptions", - "id": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions", - "name": "ruby.rails.security.audit.detailed-exceptions.detailed-exceptions", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.detailed-exceptions.detailed-exceptions" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Found a Pyramid cookie without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value", - "id": "python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value", - "name": "python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.set-cookie-samesite-unsafe-value.pyramid-set-cookie-samesite-unsafe-value" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module." - }, - "help": { - "markdown": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "Avoid using `jsonpickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data using `json` module." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle", - "id": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle", - "name": "python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.avoid-jsonpickle.avoid-jsonpickle" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified." - }, - "help": { - "markdown": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode)\n - [https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96](https://github.com/we45/Vulnerable-Flask-App/blob/752ee16087c0bfb79073f68802d907569a1f0df7/app/app.py#L96)\n", - "text": "Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified." - }, - "helpUri": "https://semgrep.dev/r/python.jwt.security.unverified-jwt-decode.unverified-jwt-decode", - "id": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode", - "name": "python.jwt.security.unverified-jwt-decode.unverified-jwt-decode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." - }, - "help": { - "markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.hardcoded-iv.hardcoded-iv", - "id": "swift.commoncrypto.hardcoded-iv.hardcoded-iv", - "name": "swift.commoncrypto.hardcoded-iv.hardcoded-iv", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-329: Not using a random initialization Vector (IV) with Cipher Block Chaining (CBC) Mode causes algorithms to be susceptible to dictionary attacks.", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.hardcoded-iv.hardcoded-iv" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "id": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "name": "python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file." - }, - "help": { - "markdown": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Private Key detected. This is a sensitive credential and should not be hardcoded here. Instead, store this in a separate, private file." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-private-key.detected-private-key", - "id": "generic.secrets.security.detected-private-key.detected-private-key", - "name": "generic.secrets.security.detected-private-key.detected-private-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-private-key.detected-private-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n" - }, - "help": { - "markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe)\n", - "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n" - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe", - "id": "mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe", - "name": "mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-611", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.xxe.xmlfactory_xxe.xmlinputfactory_xxe" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks scalingo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks scalingo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks scalingo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token", - "id": "generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token", - "name": "generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.scalingo-api-token.scalingo-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended" - }, - "help": { - "markdown": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n", - "text": "A `sync.Mutex` is copied in function `$FUNC` given that `$T` is value receiver. As a result, the struct `$T` may not be locked as intended" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied", - "id": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied", - "name": "trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-688: Function Call With Incorrect Variable or Reference as Argument", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.sync-mutex-value-copied.sync-mutex-value-copied" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this." - }, - "help": { - "markdown": "Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled)\n - [https://docs.docker.com/engine/security/seccomp/](https://docs.docker.com/engine/security/seccomp/)\n", - "text": "Service '$SERVICE' is explicitly disabling seccomp confinement. This runs the service in an unrestricted state. Remove 'seccomp:unconfined' to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled", - "id": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled", - "name": "yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.seccomp-confinement-disabled.seccomp-confinement-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`" - }, - "help": { - "markdown": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/groups_controller.rb)\n", - "text": "Found user-controllable input to a reflection method. This may allow a user to alter program behavior and potentially execute arbitrary instructions in the context of the process. Do not provide arbitrary user input to `tap`, `method`, or `to_proc`" - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods", - "id": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods", - "name": "ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection-methods.check-unsafe-reflection-methods" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask", - "id": "python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask", - "name": "python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-pandas-pickle-flask.tainted-pandas-pickle-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "help": { - "markdown": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Document Builder being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled", - "id": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled", - "name": "scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.documentbuilder-dtd-enabled.documentbuilder-dtd-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "ERC777 tokensReceived() reentrancy" - }, - "help": { - "markdown": "ERC777 tokensReceived() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy)\n - [https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0](https://mirror.xyz/baconcoin.eth/LHaPiX38mnx8eJ2RVKNXHttHfweQMKNGmEnX4KUksk0)\n - [https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f](https://etherscan.io/address/0xf53f00f844b381963a47fde3325011566870b31f)\n", - "text": "ERC777 tokensReceived() reentrancy" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.erc777-reentrancy.erc777-reentrancy", - "id": "solidity.security.erc777-reentrancy.erc777-reentrancy", - "name": "solidity.security.erc777-reentrancy.erc777-reentrancy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.erc777-reentrancy.erc777-reentrancy" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.mssql.node-mssql-empty-password.node-mssql-empty-password", - "id": "javascript.mssql.node-mssql-empty-password.node-mssql-empty-password", - "name": "javascript.mssql.node-mssql-empty-password.node-mssql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.mssql.node-mssql-empty-password.node-mssql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "id": "go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "name": "go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.openai.openai-hardcoded-secret.openai-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.express-fs-filename.express-fs-filename", - "id": "javascript.express.express-fs-filename.express-fs-filename", - "name": "javascript.express.express-fs-filename.express-fs-filename", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.express-fs-filename.express-fs-filename" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. $PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.validator-xxe.validator-xxe", - "id": "java.lang.security.xxe.validator-xxe.validator-xxe", - "name": "java.lang.security.xxe.validator-xxe.validator-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.validator-xxe.validator-xxe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option." - }, - "help": { - "markdown": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n", - "text": "Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily used prepared statement with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option." - }, - "helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query", - "id": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query", - "name": "python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "help": { - "markdown": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite)\n - [https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application](https://stackoverflow.com/questions/42717210/samesite-cookie-in-java-application)\n", - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite", - "id": "java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite", - "name": "java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.audit.cookie-missing-samesite.cookie-missing-samesite" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`." - }, - "help": { - "markdown": "Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the `none` algorithm in a JWT token. The `none` algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the `none` algorithm. Instead, use an algorithm such as `HS256`." - }, - "helpUri": "https://semgrep.dev/r/kotlin.java-jwt.jwt-none-alg.jwt-none-alg", - "id": "kotlin.java-jwt.jwt-none-alg.jwt-none-alg", - "name": "kotlin.java-jwt.jwt-none-alg.jwt-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.java-jwt.jwt-none-alg.jwt-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection" - }, - "help": { - "markdown": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv)\n - [https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection](https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection)\n", - "text": "The Connection.recv() method automatically unpickles the data it receives, which can be a security risk unless you can trust the process which sent the message. Therefore, unless the connection object was produced using Pipe() you should only use the recv() and send() methods after performing some sort of authentication. See more dettails: https://docs.python.org/3/library/multiprocessing.html?highlight=security#multiprocessing.connection.Connection" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.conn_recv.multiprocessing-recv", - "id": "python.lang.security.audit.conn_recv.multiprocessing-recv", - "name": "python.lang.security.audit.conn_recv.multiprocessing-recv", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.conn_recv.multiprocessing-recv" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256" - }, - "help": { - "markdown": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n", - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 600K iterations should be used with SHA256" - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256", - "id": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256", - "name": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-916: Use of Password Hash With Insufficient Computational Effort", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha256.insufficient-pbkdf2-work-factor-sha256" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code." - }, - "help": { - "markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string", - "id": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string", - "name": "python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.dangerous-subinterpreters-run-string.dangerous-subinterpreters-run-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." - }, - "help": { - "markdown": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", - "text": "DOCTYPE declarations are enabled for this DocumentBuilderFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", - "id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", - "name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-missing.documentbuilderfactory-disallow-doctype-decl-missing" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption." - }, - "help": { - "markdown": "The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n", - "text": "The preceding call to `$SOURCE` can return a negative value when an error is encountered. This can lead to an out-of-bounds array access and possible memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index", - "id": "cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index", - "name": "cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-787: Out-of-bounds Write", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.negative-return-value-array-index.negative-return-value-array-index" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "id": "java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "name": "java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.tainted-ssrf-spring-format.tainted-ssrf-spring-format" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "help": { - "markdown": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Avoid using `cPickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-cPickle", - "id": "python.lang.security.deserialization.pickle.avoid-cPickle", - "name": "python.lang.security.deserialization.pickle.avoid-cPickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-cPickle" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands." - }, - "help": { - "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args", - "id": "python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args", - "name": "python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-os-exec-tainted-env-args.dangerous-os-exec-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "AWS Secret Access Key detected" - }, - "help": { - "markdown": "AWS Secret Access Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "AWS Secret Access Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key", - "id": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key", - "name": "generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-aws-secret-access-key.detected-aws-secret-access-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability." - }, - "help": { - "markdown": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run)\n - [https://deno.land/manual/examples/subprocess#simple-example](https://deno.land/manual/examples/subprocess#simple-example)\n", - "text": "Detected non-literal calls to Deno.run(). This could lead to a command injection vulnerability." - }, - "helpUri": "https://semgrep.dev/r/javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run", - "id": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run", - "name": "javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.deno.security.audit.deno-dangerous-run.deno-dangerous-run" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource." - }, - "help": { - "markdown": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing)\n - [https://www.npmjs.com/package/serve-index](https://www.npmjs.com/package/serve-index)\n - [https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/](https://www.acunetix.com/blog/articles/directory-listing-information-disclosure/)\n", - "text": "Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing", - "id": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing", - "name": "javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-548: Exposure of Information Through Directory Listing", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-check-directory-listing.express-check-directory-listing" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.diesel.mysql-connection-url.mysql-connection-url", - "id": "rust.secrets.diesel.mysql-connection-url.mysql-connection-url", - "name": "rust.secrets.diesel.mysql-connection-url.mysql-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.diesel.mysql-connection-url.mysql-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access." - }, - "help": { - "markdown": "The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The libxml2 library is used to parse XML. When auditing such code, make sure that either the document being parsed is trusted or that the parsing options are safe to consume untrusted documents. In such case make sure DTD or XInclude documents cannot be loaded and there is no network access." - }, - "helpUri": "https://semgrep.dev/r/cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser", - "id": "cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser", - "name": "cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.libxml2.security.libxml2-audit-parser.libxml2-audit-parser" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Snyk API Key detected" - }, - "help": { - "markdown": "Snyk API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Snyk API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key", - "id": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key", - "name": "generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-snyk-api-key.detected-snyk-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "the `encoding` argument to Popen is only available on Python 3.6+" - }, - "help": { - "markdown": "the `encoding` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2)\n", - "text": "the `encoding` argument to Popen is only available on Python 3.6+" - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen2", - "id": "python.lang.compatibility.python36.python36-compatibility-Popen2", - "name": "python.lang.compatibility.python36.python36-compatibility-Popen2", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Database instance has no logging. Missing logs can cause missing important event information." - }, - "help": { - "markdown": "Database instance has no logging. Missing logs can cause missing important event information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Database instance has no logging. Missing logs can cause missing important event information." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging", - "id": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging", - "name": "terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-db-instance-no-logging.aws-db-instance-no-logging" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users." - }, - "help": { - "markdown": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://cwe.mitre.org/data/definitions/862.html](https://cwe.mitre.org/data/definitions/862.html)\n - [https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-7.0)\n", - "text": "Anonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", - "id": "csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", - "name": "csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-862: Missing Authorization", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.audit.missing-or-broken-authorization.missing-or-broken-authorization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header." - }, - "help": { - "markdown": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\n - [https://content-security-policy.com/](https://content-security-policy.com/)\n", - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.template-href-var.template-href-var", - "id": "python.flask.security.xss.audit.template-href-var.template-href-var", - "name": "python.flask.security.xss.audit.template-href-var.template-href-var", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.xss.audit.template-href-var.template-href-var" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt." - }, - "help": { - "markdown": "The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "The use of the MD2 hashing algorithm was identified which is considered insecure. MD2 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2", - "id": "swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2", - "name": "swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md2.insecure-hashing-algorithm-md2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "help": { - "markdown": "Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request)\n - [https://openjdk.java.net/groups/net/httpclient/intro.html](https://openjdk.java.net/groups/net/httpclient/intro.html)\n", - "text": "Checks for requests sent via HttpClient to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpclient-http-request.httpclient-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure MSSQL is using the latest version of TLS encryption" - }, - "help": { - "markdown": "Ensure MSSQL is using the latest version of TLS encryption\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure MSSQL is using the latest version of TLS encryption" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version", - "id": "terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version", - "name": "terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.azure-mssql-service-mintls-version.azure-mssql-service-mintls-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements." - }, - "help": { - "markdown": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli)\n - [https://www.npmjs.com/package/mysql2](https://www.npmjs.com/package/mysql2)\n - [https://www.npmjs.com/package/mysql](https://www.npmjs.com/package/mysql)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Detected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli", - "id": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli", - "name": "javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mysql-sqli.node-mysql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside 'open'. Audit the input to 'open'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open.dangerous-open", - "id": "ruby.lang.security.dangerous-open.dangerous-open", - "name": "ruby.lang.security.dangerous-open.dangerous-open", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.dangerous-open.dangerous-open" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret", - "id": "python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret", - "name": "python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.urllib3.python-urllib3-hardcoded-secret.python-urllib3-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks shopify-custom-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks shopify-custom-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks shopify-custom-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token", - "id": "generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token", - "name": "generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.shopify-custom-access-token.shopify-custom-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls." - }, - "help": { - "markdown": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#cross-site-request-forgery)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests)\n", - "text": "$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery", - "id": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery", - "name": "csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.mvc-missing-antiforgery.mvc-missing-antiforgery" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X" - }, - "help": { - "markdown": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html)\n", - "text": "Add \"encryption: $Y.BucketEncryption.KMS_MANAGED\" or \"encryption: $Y.BucketEncryption.S3_MANAGED\" to the bucket props for Bucket construct $X" - }, - "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption", - "id": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption", - "name": "typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-bucket-encryption.awscdk-bucket-encryption" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.jpa-sqli.jpa-sqli", - "id": "java.spring.security.jpa-sqli.jpa-sqli", - "name": "java.spring.security.jpa-sqli.jpa-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.jpa-sqli.jpa-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token", - "id": "javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token", - "name": "javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-bearer-token.hardcoded-bearer-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The file is World Readable and Writable. Any App can read/write to the file." - }, - "help": { - "markdown": "The file is World Readable and Writable. Any App can read/write to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_writeable)\n", - "text": "The file is World Readable and Writable. Any App can read/write to the file." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_writeable", - "id": "mobsf.mobsfscan.android.word_readable_writable.world_writeable", - "name": "mobsf.mobsfscan.android.word_readable_writable.world_writeable", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-276", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.word_readable_writable.world_writeable" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`." - }, - "help": { - "markdown": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected an AWS Redshift configuration with a SSL disabled. To fix this, set your `require_ssl` to `\"true\"`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration", - "id": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration", - "name": "terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-insecure-redshift-ssl-configuration.aws-insecure-redshift-ssl-configuration" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks." - }, - "help": { - "markdown": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate](https://stackoverflow.com/questions/4072585/disabling-ssl-certificate-validation-in-spring-resttemplate)\n - [https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1](https://stackoverflow.com/questions/35530558/how-to-fix-unsafe-implementation-of-x509trustmanager-in-android-app?rq=1)\n", - "text": "Checks for redefinitions of functions that check TLS/SSL certificate verification. This can lead to vulnerabilities, as simple errors in the code can result in lack of proper certificate validation. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification", - "id": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification", - "name": "problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.bypass-tls-verification.bypass-tls-verification" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi", - "id": "python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi", - "name": "python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.file.tainted-path-traversal-openpyxl-fastapi.tainted-path-traversal-openpyxl-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "help": { - "markdown": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service Slot" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only", - "id": "terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only", - "name": "terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.appservice.azure-appservice-https-only.azure-appservice-https-only" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.age-secret-key.age-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks age-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.age-secret-key.age-secret-key", - "id": "generic.secrets.gitleaks.age-secret-key.age-secret-key", - "name": "generic.secrets.gitleaks.age-secret-key.age-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.age-secret-key.age-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." - }, - "help": { - "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." - }, - "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify", - "id": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify", - "name": "javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-345: Insufficient Verification of Data Authenticity", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-decode-without-verify.jwt-decode-without-verify" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password", - "id": "rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password", - "name": "rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-password.hardcoded-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "id": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "name": "ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true." - }, - "help": { - "markdown": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control/](https://owasp.org/Top10/A01_2021-Broken_Access_Control/)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures/](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)\n - [https://cwe.mitre.org/data/definitions/347](https://cwe.mitre.org/data/definitions/347)\n", - "text": "Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", - "id": "csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", - "name": "csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-347: Improper Verification of Cryptographic Signature", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.cryptography.unsigned-security-token.unsigned-security-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512" - }, - "help": { - "markdown": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n", - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 210K iterations should be used with SHA512" - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512", - "id": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512", - "name": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-916: Use of Password Hash With Insufficient Computational Effort", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha512.insufficient-pbkdf2-work-factor-sha512" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep)\n - [https://cwe.mitre.org/data/definitions/918.html](https://cwe.mitre.org/data/definitions/918.html)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fauth~2Fssrf~2Fgeneric)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep", - "id": "java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep", - "name": "java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-ssrf-deepsemgrep.tainted-ssrf-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that user controlled URLs never reaches the Webview. Enabling file access from URLs in WebView can leak sensitive information from the file system." - }, - "help": { - "markdown": "Ensure that user controlled URLs never reaches the Webview. Enabling file access from URLs in WebView can leak sensitive information from the file system.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url)\n", - "text": "Ensure that user controlled URLs never reaches the Webview. Enabling file access from URLs in WebView can leak sensitive information from the file system." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url", - "id": "mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url", - "name": "mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-200", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.webview.webview_allow_file_from_url.webview_allow_file_from_url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims." - }, - "help": { - "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims." - }, - "helpUri": "https://semgrep.dev/r/ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify", - "id": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify", - "name": "ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-345: Insufficient Verification of Data Authenticity", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.jwt.security.audit.jwt-decode-without-verify.ruby-jwt-decode-without-verify" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure." - }, - "help": { - "markdown": "This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n - [https://nginx.org/en/docs/http/ngx_http_core_module.html#internal](https://nginx.org/en/docs/http/ngx_http_core_module.html#internal)\n", - "text": "This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-internal.missing-internal", - "id": "generic.nginx.security.missing-internal.missing-internal", - "name": "generic.nginx.security.missing-internal.missing-internal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-16: CWE CATEGORY: Configuration", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.missing-internal.missing-internal" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.sql.postgres-taint.postgres-taint", - "id": "rust.actix.sql.postgres-taint.postgres-taint", - "name": "rust.actix.sql.postgres-taint.postgres-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.sql.postgres-taint.postgres-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead." - }, - "help": { - "markdown": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context)\n - [https://docs.python.org/3/library/ssl.html#ssl-security](https://docs.python.org/3/library/ssl.html#ssl-security)\n - [https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection](https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection)\n", - "text": "Unverified SSL context detected. This will permit insecure connections without verifying SSL certificates. Use 'ssl.create_default_context' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.unverified-ssl-context.unverified-ssl-context", - "id": "python.lang.security.unverified-ssl-context.unverified-ssl-context", - "name": "python.lang.security.unverified-ssl-context.unverified-ssl-context", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.unverified-ssl-context.unverified-ssl-context" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret", - "id": "go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret", - "name": "go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.gorm.gorm-hardcoded-secret.gorm-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks grafana-cloud-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks grafana-cloud-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks grafana-cloud-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token", - "id": "generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token", - "name": "generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.grafana-cloud-api-token.grafana-cloud-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." - }, - "help": { - "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", - "id": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", - "name": "java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5-digest-utils.use-of-md5-digest-utils" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy." - }, - "help": { - "markdown": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy)\n - [https://chainsecurity.com/heartbreaks-curve-lp-oracles/](https://chainsecurity.com/heartbreaks-curve-lp-oracles/)\n - [https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/](https://chainsecurity.com/curve-lp-oracle-manipulation-post-mortem/)\n", - "text": "$POOL.get_virtual_price() call on a Curve pool is not protected from the read-only reentrancy." - }, - "helpUri": "https://semgrep.dev/r/solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy", - "id": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy", - "name": "solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.curve-readonly-reentrancy.curve-readonly-reentrancy" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner." - }, - "help": { - "markdown": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke, the potential exists for the attacker to create control flow paths through the application that were not intended by the application developers. This attack vector may allow the attacker to bypass authentication or access control checks or otherwise cause the application to behave in an unexpected manner." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.unsafe-reflection.unsafe-reflection", - "id": "java.lang.security.audit.unsafe-reflection.unsafe-reflection", - "name": "java.lang.security.audit.unsafe-reflection.unsafe-reflection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.unsafe-reflection.unsafe-reflection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used." - }, - "help": { - "markdown": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "$sceDelegateProvider allowlisting can introduce security issues if wildcards are used." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading", - "id": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading", - "name": "javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-resource-loading.detect-angular-resource-loading" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks defined-networking-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks defined-networking-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks defined-networking-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token", - "id": "generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token", - "name": "generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.defined-networking-api-token.defined-networking-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library." - }, - "help": { - "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`$mysqli->prepare(\"INSERT INTO test(id, label) VALUES (?, ?)\");`) or a safe library." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-sql-string.tainted-sql-string", - "id": "php.lang.security.injection.tainted-sql-string.tainted-sql-string", - "name": "php.lang.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks planetscale-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks planetscale-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-password.planetscale-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks planetscale-password was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-password.planetscale-password", - "id": "generic.secrets.gitleaks.planetscale-password.planetscale-password", - "name": "generic.secrets.gitleaks.planetscale-password.planetscale-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.planetscale-password.planetscale-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "help": { - "markdown": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request)\n - [https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-](https://docs.spring.io/spring/docs/current/javadoc-api/org/springframework/web/client/RestTemplate.html#delete-java.lang.String-java.util.Map-)\n - [https://www.baeldung.com/rest-template](https://www.baeldung.com/rest-template)\n", - "text": "Checks for requests sent via Java Spring RestTemplate API to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request", - "id": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request", - "name": "problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-spring.spring-http-request.spring-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli)\n - [https://sequelize.org/master/manual/raw-queries.html](https://sequelize.org/master/manual/raw-queries.html)\n", - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`" - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli", - "id": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli", - "name": "javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.sequelize-sqli.sequelize-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n - [https://stackoverflow.com/questions/3115559/exploitable-php-functions](https://stackoverflow.com/questions/3115559/exploitable-php-functions)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.tainted-code-execution.tainted-code-execution", - "id": "php.lang.security.tainted-code-execution.tainted-code-execution", - "name": "php.lang.security.tainted-code-execution.tainted-code-execution", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.tainted-code-execution.tainted-code-execution" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege." - }, - "help": { - "markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n", - "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy", - "id": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy", - "name": "terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy.aws-iam-admin-policy" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead" - }, - "help": { - "markdown": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "This socket is not encrypted. The traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead" - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.unencrypted-socket.unencrypted-socket", - "id": "kotlin.lang.security.unencrypted-socket.unencrypted-socket", - "name": "kotlin.lang.security.unencrypted-socket.unencrypted-socket", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.unencrypted-socket.unencrypted-socket" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client." - }, - "help": { - "markdown": "The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption)\n - [https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22](https://ali-akhtar.medium.com/realm-custom-configuration-and-encryption-realmswift-part-3-f991f090ae22)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/](https://mas.owasp.org/MASVS/controls/MASVS-CRYPTO-1/)\n", - "text": "The application was observed to utilize Realm for data storage, but was not observed to set an encryption key. When no encryption key is set in the configuration, no encryption is used. To protect user and application data, the application should specify an encryption key, which is randomly generated per user, per client." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption", - "id": "swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption", - "name": "swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.realmstate-encryption-missing.swift-hardcoded-realm-without-encryption" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat", - "id": "javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat", - "name": "javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-github-pat.hardcoded-github-pat" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted." - }, - "help": { - "markdown": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request)\n - [https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html](https://docs.ruby-lang.org/en/2.2.0/Net/Telnet.html)\n - [https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet](https://www.rubydoc.info/gems/net-ssh-telnet2/0.1.0/Net/SSH/Telnet)\n", - "text": "Checks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request", - "id": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request", - "name": "problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-telnet-request.net-telnet-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The input values included in SQL queries need to be passed in safely. Bind\nvariables in prepared statements can be used to easily mitigate the risk of\nSQL injection.\n" - }, - "help": { - "markdown": "The input values included in SQL queries need to be passed in safely. Bind\nvariables in prepared statements can be used to easily mitigate the risk of\nSQL injection.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1)\n", - "text": "The input values included in SQL queries need to be passed in safely. Bind\nvariables in prepared statements can be used to easily mitigate the risk of\nSQL injection.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1", - "id": "gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1", - "name": "gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: gitlab.find_sec_bugs.SQL_INJECTION_SPRING_JDBC-1.SQL_INJECTION_JPA-1.SQL_INJECTION_JDO-1.SQL_INJECTION_JDBC-1.SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE-1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter." - }, - "help": { - "markdown": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped. Ensure data passed to an LDAP query is not controllable or properly sanitize the user input with functions like createEqualityFilter." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep", - "id": "java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep", - "name": "java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-ldapi-from-http-request-deepsemgrep.tainted-ldapi-from-http-request-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret", - "id": "kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret", - "name": "kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.jedis.jedis-auth-hardcoded-secret.jedis-auth-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks algolia-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks algolia-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.algolia-api-key.algolia-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks algolia-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.algolia-api-key.algolia-api-key", - "id": "generic.secrets.gitleaks.algolia-api-key.algolia-api-key", - "name": "generic.secrets.gitleaks.algolia-api-key.algolia-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.algolia-api-key.algolia-api-key" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block." - }, - "help": { - "markdown": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#client_cert_enabled)\n", - "text": "Detected an AppService that was not configured to use a client certificate. Add `client_cert_enabled = true` in your resource block." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert", - "id": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert", - "name": "terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-require-client-cert.appservice-require-client-cert" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "help": { - "markdown": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape)\n - [https://pugjs.org/language/code.html#unescaped-buffered-code](https://pugjs.org/language/code.html#unescaped-buffered-code)\n - [https://pugjs.org/language/attributes.html#unescaped-attributes](https://pugjs.org/language/attributes.html#unescaped-attributes)\n", - "text": "Detected an explicit unescape in a Pug template, using either '!=' or '!{...}'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape", - "id": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape", - "name": "javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.pug.explicit-unescape.template-explicit-unescape" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks shopify-shared-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks shopify-shared-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks shopify-shared-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret", - "id": "generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret", - "name": "generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.shopify-shared-secret.shopify-shared-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-hardcoded-secret.jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-hardcoded-secret.jwt-hardcoded-secret", - "id": "csharp.dotnet-core.jwt.jwt-hardcoded-secret.jwt-hardcoded-secret", - "name": "csharp.dotnet-core.jwt.jwt-hardcoded-secret.jwt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.jwt.jwt-hardcoded-secret.jwt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers)." - }, - "help": { - "markdown": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use)\n - [https://www.php.net/manual/en/function.unserialize.php](https://www.php.net/manual/en/function.unserialize.php)\n - [https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html](https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization.html)\n", - "text": "Calling `unserialize()` with user input in the pattern can lead to arbitrary code execution. Consider using JSON or structured data approaches (e.g. Google Protocol Buffers)." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.unserialize-use.unserialize-use", - "id": "php.lang.security.unserialize-use.unserialize-use", - "name": "php.lang.security.unserialize-use.unserialize-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.unserialize-use.unserialize-use" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "id": "java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "name": "java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "help": { - "markdown": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Avoid using `shelve`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-shelve", - "id": "python.lang.security.deserialization.pickle.avoid-shelve", - "name": "python.lang.security.deserialization.pickle.avoid-shelve", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-shelve" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks rapidapi-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks rapidapi-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks rapidapi-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token", - "id": "generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token", - "name": "generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.rapidapi-access-token.rapidapi-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "id": "kotlin.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "name": "kotlin.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!" - }, - "help": { - "markdown": "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n", - "text": "'content_tag()' bypasses HTML escaping for some portion of the content. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here. If you must do this, create your HTML manually and use 'html_safe'. Ensure no external data enters the HTML-safe string!" - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag", - "id": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag", - "name": "ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-content-tag.avoid-content-tag" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code." - }, - "help": { - "markdown": "Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off)\n - [https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape](https://docs.djangoproject.com/en/3.1/ref/templates/builtins/#autoescape)\n", - "text": "Detected a template block where autoescaping is explicitly disabled with '{% autoescape off %}'. This allows rendering of raw HTML in this segment. Turn autoescaping on to prevent cross-site scripting (XSS). If you must do this, consider instead, using `mark_safe` in Python code." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-autoescape-off.template-autoescape-off", - "id": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off", - "name": "python.django.security.audit.xss.template-autoescape-off.template-autoescape-off", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.template-autoescape-off.template-autoescape-off" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality." - }, - "help": { - "markdown": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n", - "text": "Pod is sharing the host IPC namespace. This allows container processes to communicate with processes on the host which reduces isolation and bypasses container protection models. Remove the 'hostIPC' key to disable this functionality." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostipc-pod.hostipc-pod", - "id": "yaml.kubernetes.security.hostipc-pod.hostipc-pod", - "name": "yaml.kubernetes.security.hostipc-pod.hostipc-pod", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-693: Protection Mechanism Failure", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.hostipc-pod.hostipc-pod" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "APIs (namely ptrace) were identified which are forbidden from iOS appstore applications. The application should avoid calling such APIs, as this may result in a blocker during app store review." - }, - "help": { - "markdown": "APIs (namely ptrace) were identified which are forbidden from iOS appstore applications. The application should avoid calling such APIs, as this may result in a blocker during app store review.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis)\n - [https://mas.owasp.org/MASVS/10-MASVS-CODE/](https://mas.owasp.org/MASVS/10-MASVS-CODE/)\n", - "text": "APIs (namely ptrace) were identified which are forbidden from iOS appstore applications. The application should avoid calling such APIs, as this may result in a blocker during app store review." - }, - "helpUri": "https://semgrep.dev/r/swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis", - "id": "swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis", - "name": "swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-477: Use of Obsolete Function", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.lang.forbidden.forbidden-ios-api.swift-forbidden-ios-apis" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method." - }, - "help": { - "markdown": "The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#conditional_escape)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n", - "text": "The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-magic-method.html-magic-method", - "id": "python.django.security.audit.xss.html-magic-method.html-magic-method", - "name": "python.django.security.audit.xss.html-magic-method.html-magic-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.html-magic-method.html-magic-method" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload." - }, - "help": { - "markdown": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "The object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload." - }, - "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data", - "id": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data", - "name": "javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jsonwebtoken.security.audit.jwt-exposed-data.jwt-exposed-data" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.java-http-concat-taint.java-http-concat-taint)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.ssrf.java-http-concat-taint.java-http-concat-taint", - "id": "java.micronaut.ssrf.java-http-concat-taint.java-http-concat-taint", - "name": "java.micronaut.ssrf.java-http-concat-taint.java-http-concat-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.ssrf.java-http-concat-taint.java-http-concat-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.java-jwt.jwt-hardcode.jwt-hardcode)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.java-jwt.jwt-hardcode.jwt-hardcode", - "id": "kotlin.java-jwt.jwt-hardcode.jwt-hardcode", - "name": "kotlin.java-jwt.jwt-hardcode.jwt-hardcode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.java-jwt.jwt-hardcode.jwt-hardcode" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API." - }, - "help": { - "markdown": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "The use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method", - "id": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method", - "name": "javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-url-method.detect-angular-trust-as-url-method" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid cookie using an unsafe default for the httponly option. Pyramid cookies should be handled securely by setting httponly=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default", - "id": "python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default", - "name": "python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.set-cookie-httponly-unsafe-default.pyramid-set-cookie-httponly-unsafe-default" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks confluent-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks confluent-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks confluent-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key", - "id": "generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key", - "name": "generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.confluent-secret-key.confluent-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-tainted-xmldecoder.spring-tainted-xmldecoder)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.spring-tainted-xmldecoder.spring-tainted-xmldecoder", - "id": "java.spring.security.spring-tainted-xmldecoder.spring-tainted-xmldecoder", - "name": "java.spring.security.spring-tainted-xmldecoder.spring-tainted-xmldecoder", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.spring-tainted-xmldecoder.spring-tainted-xmldecoder" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "helpUri": "https://semgrep.dev/r/go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint", - "id": "go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint", - "name": "go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.xxe.libxml2-xxe-taint.libxml2-xxe-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n", - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false", - "id": "java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false", - "name": "java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.audit.cookie-secure-flag-false.cookie-secure-flag-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.missing-httponly.missing-httponly)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.audit.cookies.missing-httponly.missing-httponly", - "id": "csharp.lang.audit.cookies.missing-httponly.missing-httponly", - "name": "csharp.lang.audit.cookies.missing-httponly.missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.audit.cookies.missing-httponly.missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure DocDB is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk", - "id": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk", - "name": "terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-docdb-encrypted-with-cmk.aws-docdb-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized." - }, - "help": { - "markdown": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression)\n - [https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection](https://docs.djangoproject.com/en/3.0/ref/models/expressions/#avoiding-sql-injection)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n", - "text": "Found extension of custom expression: $CLASS. Extending expressions in this way could inadvertently lead to a SQL injection vulnerability, which can result in attackers exfiltrating sensitive data. Instead, ensure no user input enters this function or that user input is properly sanitized." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.extends-custom-expression.extends-custom-expression", - "id": "python.django.security.audit.extends-custom-expression.extends-custom-expression", - "name": "python.django.security.audit.extends-custom-expression.extends-custom-expression", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.extends-custom-expression.extends-custom-expression" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n" - }, - "help": { - "markdown": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled)\n", - "text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n" - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled", - "id": "mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled", - "name": "mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-611", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.xxe.xmlfactory_external_entities_enabled.xmlinputfactory_xxe_enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"" - }, - "help": { - "markdown": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check)\n - [https://pkg.go.dev/github.com/gorilla/websocket#Upgrader](https://pkg.go.dev/github.com/gorilla/websocket#Upgrader)\n", - "text": "The Origin header in the HTTP WebSocket handshake is used to guarantee that the connection accepted by the WebSocket is from a trusted origin domain. Failure to enforce can lead to Cross Site Request Forgery (CSRF). As per \"gorilla/websocket\" documentation: \"A CheckOrigin function should carefully validate the request origin to prevent cross-site request forgery.\"" - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check", - "id": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check", - "name": "go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.security.audit.websocket-missing-origin-check.websocket-missing-origin-check" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs." - }, - "help": { - "markdown": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret)\n - [https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#std-setting-SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n", - "text": "The Django secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Django secret key can be obtained by attackers, through the HashIDs." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.hashids-with-django-secret.hashids-with-django-secret", - "id": "python.django.security.hashids-with-django-secret.hashids-with-django-secret", - "name": "python.django.security.hashids-with-django-secret.hashids-with-django-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 – Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.hashids-with-django-secret.hashids-with-django-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security" - }, - "help": { - "markdown": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage)\n - [https://docs.python.org/3/library/marshal.html?highlight=security](https://docs.python.org/3/library/marshal.html?highlight=security)\n", - "text": "The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.marshal.marshal-usage", - "id": "python.lang.security.audit.marshal.marshal-usage", - "name": "python.lang.security.audit.marshal.marshal-usage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.marshal.marshal-usage" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials", - "id": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials", - "name": "terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-credentials.aws-lambda-environment-credentials" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.path-traversal.gorilla-path-traversal.gorilla-path-traversal-taint)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.path-traversal.gorilla-path-traversal.gorilla-path-traversal-taint", - "id": "go.gorilla.path-traversal.gorilla-path-traversal.gorilla-path-traversal-taint", - "name": "go.gorilla.path-traversal.gorilla-path-traversal.gorilla-path-traversal-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.path-traversal.gorilla-path-traversal.gorilla-path-traversal-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to store keychain items that leverage biometric protection, but allow for biometry changes. This means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass this keychain authentication mechanism within the app. The application should store keychain entries with `biometryCurrentSet` rather than `biometryAny` or `userPresence`." - }, - "help": { - "markdown": "The application was observed to store keychain items that leverage biometric protection, but allow for biometry changes. This means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass this keychain authentication mechanism within the app. The application should store keychain entries with `biometryCurrentSet` rather than `biometryAny` or `userPresence`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.acl-changes.keychain-acl-allows-biometry-changes)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n", - "text": "The application was observed to store keychain items that leverage biometric protection, but allow for biometry changes. This means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass this keychain authentication mechanism within the app. The application should store keychain entries with `biometryCurrentSet` rather than `biometryAny` or `userPresence`." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.acl-changes.keychain-acl-allows-biometry-changes", - "id": "swift.biometrics-and-auth.acl-changes.keychain-acl-allows-biometry-changes", - "name": "swift.biometrics-and-auth.acl-changes.keychain-acl-allows-biometry-changes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-305: Authentication Bypass by Primary Weakness", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.acl-changes.keychain-acl-allows-biometry-changes" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`." - }, - "help": { - "markdown": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS KMS has no rotation. Missing rotation can cause leaked key to be used by attackers. To fix this, set a `enable_key_rotation`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation", - "id": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation", - "name": "terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-kms-no-rotation.aws-kms-no-rotation" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure this is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure this is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-none.flask-cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n", - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure this is intentional and that you understand the potential security implications. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests. While 'Strict' is the most secure option, 'Lax' is a good compromise between security and usability and this default value is secure for most applications. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `Lax` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag a different value on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-samesite-none.flask-cookie-samesite-none", - "id": "python.flask.web.flask-cookie-samesite-none.flask-cookie-samesite-none", - "name": "python.flask.web.flask-cookie-samesite-none.flask-cookie-samesite-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-samesite-none.flask-cookie-samesite-none" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege." - }, - "help": { - "markdown": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n", - "text": "Detected wildcard access granted in your KMS key. This means anyone with this policy can perform administrative actions over the keys. Instead, limit principals, actions and resources to what you need according to least privilege." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal", - "id": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal", - "name": "terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-kms-key-wildcard-principal.aws-kms-key-wildcard-principal" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks twitter-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks twitter-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.twitter-api-key.twitter-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks twitter-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.twitter-api-key.twitter-api-key", - "id": "generic.secrets.gitleaks.twitter-api-key.twitter-api-key", - "name": "generic.secrets.gitleaks.twitter-api-key.twitter-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.twitter-api-key.twitter-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mongodb.mongo-empty-password.mongo-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.mongodb.mongo-empty-password.mongo-empty-password", - "id": "go.secrets.mongodb.mongo-empty-password.mongo-empty-password", - "name": "go.secrets.mongodb.mongo-empty-password.mongo-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.mongodb.mongo-empty-password.mongo-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object." - }, - "help": { - "markdown": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization)\n - [https://www.owasp.org/index.php/Deserialization_of_untrusted_data](https://www.owasp.org/index.php/Deserialization_of_untrusted_data)\n - [https://www.oracle.com/java/technologies/javase/seccodeguide.html#8](https://www.oracle.com/java/technologies/javase/seccodeguide.html#8)\n", - "text": "Found object deserialization using ObjectInputStream. Deserializing entire Java objects is dangerous because malicious actors can create Java object streams with unintended consequences. Ensure that the objects being deserialized are not user-controlled. If this must be done, consider using HMACs to sign the data stream to make sure it is not tampered with, or consider only transmitting object fields and populating a new object." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.object-deserialization.object-deserialization", - "id": "java.lang.security.audit.object-deserialization.object-deserialization", - "name": "java.lang.security.audit.object-deserialization.object-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.object-deserialization.object-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure Timestream database is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk", - "id": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk", - "name": "terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-timestream-database-encrypted-with-cmk.aws-timestream-database-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.spring-tainted-path-traversal.spring-tainted-path-traversal)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://www.stackhawk.com/blog/spring-path-traversal-guide-examples-and-prevention/](https://www.stackhawk.com/blog/spring-path-traversal-guide-examples-and-prevention/)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.spring.spring-tainted-path-traversal.spring-tainted-path-traversal", - "id": "java.spring.spring-tainted-path-traversal.spring-tainted-path-traversal", - "name": "java.spring.spring-tainted-path-traversal.spring-tainted-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.spring-tainted-path-traversal.spring-tainted-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Mixing trusted and untrusted data within the same structure can lead to trust boundary violations, where unvalidated data is mistakenly trusted, potentially bypassing security mechanisms. Thoroughly sanitize user input before passing it into such function calls." - }, - "help": { - "markdown": "Mixing trusted and untrusted data within the same structure can lead to trust boundary violations, where unvalidated data is mistakenly trusted, potentially bypassing security mechanisms. Thoroughly sanitize user input before passing it into such function calls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Mixing trusted and untrusted data within the same structure can lead to trust boundary violations, where unvalidated data is mistakenly trusted, potentially bypassing security mechanisms. Thoroughly sanitize user input before passing it into such function calls." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep", - "id": "java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep", - "name": "java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-501: Trust Boundary Violation", - "HIGH CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-session-from-http-request-deepsemgrep.tainted-session-from-http-request-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code." - }, - "help": { - "markdown": "Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq)\n - [https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq](https://docs.djangoproject.com/en/3.0/ref/templates/builtins/#safeseq)\n", - "text": "Detected a template variable where autoescaping is explicitly disabled with '| safeseq' filter. This allows rendering of raw HTML in this segment. Ensure no user data is rendered here, otherwise this is a cross-site scripting (XSS) vulnerability. If you must do this, use `mark_safe` in your Python code." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq", - "id": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq", - "name": "python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.template-var-unescaped-with-safeseq.template-var-unescaped-with-safeseq" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'." - }, - "help": { - "markdown": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The special variable IFS affects how splitting takes place when expanding unquoted variables. Don't set it globally. Prefer a dedicated utility such as 'cut' or 'awk' if you need to split input data. If you must use 'read', set IFS locally using e.g. 'IFS=\",\" read -a my_array'." - }, - "helpUri": "https://semgrep.dev/r/bash.lang.security.ifs-tampering.ifs-tampering", - "id": "bash.lang.security.ifs-tampering.ifs-tampering", - "name": "bash.lang.security.ifs-tampering.ifs-tampering", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-20: Improper Input Validation", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: bash.lang.security.ifs-tampering.ifs-tampering" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead." - }, - "help": { - "markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use HttpClientBuilder instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "id": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "name": "java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect." - }, - "help": { - "markdown": "Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "Mass assignment protection disabled for '$MODEL'. This could permit assignment to sensitive model fields without intention. Instead, use 'attr_accessible' for the model or disable mass assigment using 'config.active_record.whitelist_attributes = true'. ':without_protection => true' must be removed for this to take effect." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled", - "id": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled", - "name": "ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.mass-assignment-protection-disabled.mass-assignment-protection-disabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure AWS Sagemaker domains are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk", - "id": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk", - "name": "terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-sagemaker-domain-encrypted-with-cmk.aws-sagemaker-domain-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`." - }, - "help": { - "markdown": "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw](https://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-raw)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n", - "text": "'raw()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. If you must do this, construct individual strings and mark them as safe for HTML rendering with `html_safe()`." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-raw.avoid-raw", - "id": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw", - "name": "ruby.rails.security.audit.xss.avoid-raw.avoid-raw", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-raw.avoid-raw" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application." - }, - "help": { - "markdown": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config)\n - [https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy](https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy)\n", - "text": "Django REST framework configuration is missing default rate- limiting options. This could inadvertently allow resource starvation or Denial of Service (DoS) attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to add rate-limiting to your application." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config", - "id": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config", - "name": "python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-400: Uncontrolled Resource Consumption", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.django-rest-framework.missing-throttle-config.missing-throttle-config" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." - }, - "help": { - "markdown": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false)\n - [https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean)](https://docs.oracle.com/javaee/6/api/javax/servlet/http/Cookie.html#setSecure(boolean))\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n", - "text": "Default session middleware settings: `setSecure` not set to true. This ensures that the cookie is sent only over HTTPS to prevent cross-site scripting attacks." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.cookie-issecure-false.cookie-issecure-false", - "id": "java.servlets.security.cookie-issecure-false.cookie-issecure-false", - "name": "java.servlets.security.cookie-issecure-false.cookie-issecure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.cookie-issecure-false.cookie-issecure-false" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks datadog-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks datadog-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.datadog-access-token.datadog-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks datadog-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.datadog-access-token.datadog-access-token", - "id": "generic.secrets.gitleaks.datadog-access-token.datadog-access-token", - "name": "generic.secrets.gitleaks.datadog-access-token.datadog-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.datadog-access-token.datadog-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to store keychain items that do not leverage user authentication. Requiring the user to provide authentication increases the confidence that the person using the phone is indeed authorized to view the information being retrieved." - }, - "help": { - "markdown": "The application was observed to store keychain items that do not leverage user authentication. Requiring the user to provide authentication increases the confidence that the person using the phone is indeed authorized to view the information being retrieved.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.missing-user-auth.keychain-without-user-auth)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n", - "text": "The application was observed to store keychain items that do not leverage user authentication. Requiring the user to provide authentication increases the confidence that the person using the phone is indeed authorized to view the information being retrieved." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.missing-user-auth.keychain-without-user-auth", - "id": "swift.biometrics-and-auth.missing-user-auth.keychain-without-user-auth", - "name": "swift.biometrics-and-auth.missing-user-auth.keychain-without-user-auth", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.missing-user-auth.keychain-without-user-auth" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.sql.gorilla-pgx-slqi-taint.gorilla-pgx-sqli-taint)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.sql.gorilla-pgx-slqi-taint.gorilla-pgx-sqli-taint", - "id": "go.gorilla.sql.gorilla-pgx-slqi-taint.gorilla-pgx-sqli-taint", - "name": "go.gorilla.sql.gorilla-pgx-slqi-taint.gorilla-pgx-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.sql.gorilla-pgx-slqi-taint.gorilla-pgx-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.saxbuilder-xxe.saxbuilder-xxe", - "id": "java.lang.security.xxe.saxbuilder-xxe.saxbuilder-xxe", - "name": "java.lang.security.xxe.saxbuilder-xxe.saxbuilder-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.saxbuilder-xxe.saxbuilder-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data." - }, - "help": { - "markdown": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "String-formatted SQL query detected. This could lead to SQL injection if the string is not sanitized properly. Audit this call to ensure the SQL is not manipulable by external data." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.database.string-formatted-query.string-formatted-query", - "id": "go.lang.security.audit.database.string-formatted-query.string-formatted-query", - "name": "go.lang.security.audit.database.string-formatted-query.string-formatted-query", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.database.string-formatted-query.string-formatted-query" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "help": { - "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n", - "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access", - "id": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access", - "name": "ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-file-access.avoid-tainted-file-access" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection", - "id": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection", - "name": "javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.playwright.security.audit.playwright-setcontent-injection.playwright-setcontent-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result." - }, - "help": { - "markdown": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n", - "text": "Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src", - "id": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src", - "name": "javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-src.var-in-script-src" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-bot-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-bot-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-bot-token.slack-bot-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-bot-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-bot-token.slack-bot-token", - "id": "generic.secrets.gitleaks.slack-bot-token.slack-bot-token", - "name": "generic.secrets.gitleaks.slack-bot-token.slack-bot-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-bot-token.slack-bot-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks shopify-private-app-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks shopify-private-app-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks shopify-private-app-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token", - "id": "generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token", - "name": "generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.shopify-private-app-access-token.shopify-private-app-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-shelve-flask.tainted-shelve-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://docs.python.org/3/library/shelve.html](https://docs.python.org/3/library/shelve.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-shelve-flask.tainted-shelve-flask", - "id": "python.flask.deserialization.tainted-shelve-flask.tainted-shelve-flask", - "name": "python.flask.deserialization.tainted-shelve-flask.tainted-shelve-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-shelve-flask.tainted-shelve-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below." - }, - "help": { - "markdown": "Found usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn)\n", - "text": "Found usage of the 'blocksize' argument in a HTTPConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpconn", - "id": "python.lang.compatibility.python37.python37-compatibility-httpconn", - "name": "python.lang.compatibility.python37.python37-compatibility-httpconn", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpconn" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-none-alg.jwt-python-none-alg", - "id": "python.jwt.security.jwt-none-alg.jwt-python-none-alg", - "name": "python.jwt.security.jwt-none-alg.jwt-python-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jwt.security.jwt-none-alg.jwt-python-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks new-relic-browser-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks new-relic-browser-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks new-relic-browser-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token", - "id": "generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token", - "name": "generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.new-relic-browser-api-token.new-relic-browser-api-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info." - }, - "help": { - "markdown": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#server_side_encryption_configuration)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-encryption.html)\n", - "text": "This rule has been deprecated, as all s3 buckets are encrypted by default with no way to disable it. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration for more info." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket", - "id": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket", - "name": "terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.s3-unencrypted-bucket.s3-unencrypted-bucket" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-httplib2.tainted-fastapi-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-httplib2.tainted-fastapi-http-request-httplib2", - "id": "python.fastapi.net.tainted-fastapi-http-request-httplib2.tainted-fastapi-http-request-httplib2", - "name": "python.fastapi.net.tainted-fastapi-http-request-httplib2.tainted-fastapi-http-request-httplib2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-httplib2.tainted-fastapi-http-request-httplib2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "help": { - "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5", - "id": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5", - "name": "python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md5.insecure-hash-algorithm-md5" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication." - }, - "help": { - "markdown": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster)\n - [https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster](https://kubernetes.io/docs/reference/config-api/client-authentication.v1beta1/#client-authentication-k8s-io-v1beta1-Cluster)\n", - "text": "Cluster is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecure-skip-tls-verify: true' key to secure communication." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster", - "id": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster", - "name": "yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-cluster.skip-tls-verify-cluster" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t" - }, - "help": { - "markdown": "Ensure all Elasticsearch has node-to-node encryption enabled.\t\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure all Elasticsearch has node-to-node encryption enabled.\t" - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled", - "id": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled", - "name": "terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-elasticsearch-nodetonode-encryption.aws-elasticsearch-nodetonode-encryption-not-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens." - }, - "help": { - "markdown": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision)\n - [https://www.php.net/base_convert](https://www.php.net/base_convert)\n - [https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/](https://www.sjoerdlangkemper.nl/2017/03/15/dont-use-base-convert-on-random-tokens/)\n", - "text": "The function base_convert uses 64-bit numbers internally, and does not correctly convert large numbers. It is not suitable for random tokens such as those used for session tokens or CSRF tokens." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.base-convert-loses-precision.base-convert-loses-precision", - "id": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision", - "name": "php.lang.security.base-convert-loses-precision.base-convert-loses-precision", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-190: Integer Overflow or Wraparound", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.base-convert-loses-precision.base-convert-loses-precision" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of an insecure SSL/TLS algorithm. This could allow an attacker to peform a man-in-the-middle-attack. Applications should prefer a secure algorithm such as TLS 1.2 or 1.3." - }, - "help": { - "markdown": "Detected use of an insecure SSL/TLS algorithm. This could allow an attacker to peform a man-in-the-middle-attack. Applications should prefer a secure algorithm such as TLS 1.2 or 1.3.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.openssl-insecure-required-version.openssl-insecure-required-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of an insecure SSL/TLS algorithm. This could allow an attacker to peform a man-in-the-middle-attack. Applications should prefer a secure algorithm such as TLS 1.2 or 1.3." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.crypto.certificate.openssl-insecure-required-version.openssl-insecure-required-version", - "id": "cpp.lang.security.crypto.certificate.openssl-insecure-required-version.openssl-insecure-required-version", - "name": "cpp.lang.security.crypto.certificate.openssl-insecure-required-version.openssl-insecure-required-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.crypto.certificate.openssl-insecure-required-version.openssl-insecure-required-version" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions." - }, - "help": { - "markdown": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions." - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection", - "id": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection", - "name": "javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.vm-runincontext-injection.vm-runincontext-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "certificate verification explicitly disabled, insecure connections possible" - }, - "help": { - "markdown": "certificate verification explicitly disabled, insecure connections possible\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "certificate verification explicitly disabled, insecure connections possible" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation", - "id": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation", - "name": "python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.network.disabled-cert-validation.disabled-cert-validation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.superagent.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.superagent.hardcoded-basic-token.hardcoded-basic-token", - "id": "javascript.superagent.hardcoded-basic-token.hardcoded-basic-token", - "name": "javascript.superagent.hardcoded-basic-token.hardcoded-basic-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.superagent.hardcoded-basic-token.hardcoded-basic-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Square Access Token detected" - }, - "help": { - "markdown": "Square Access Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Square Access Token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-access-token.detected-square-access-token", - "id": "generic.secrets.security.detected-square-access-token.detected-square-access-token", - "name": "generic.secrets.security.detected-square-access-token.detected-square-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-square-access-token.detected-square-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The identified XML parser permits the use of external Document Type Definitions (DTDs). The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The identified XML parser permits the use of external Document Type Definitions (DTDs). The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.schemafactory-xxe.schemafactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The identified XML parser permits the use of external Document Type Definitions (DTDs). The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.schemafactory-xxe.schemafactory-xxe", - "id": "kotlin.xxe.schemafactory-xxe.schemafactory-xxe", - "name": "kotlin.xxe.schemafactory-xxe.schemafactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.schemafactory-xxe.schemafactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious." - }, - "help": { - "markdown": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n", - "text": "TLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious." - }, - "helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version", - "id": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version", - "name": "javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-weak-tls-version.sequelize-weak-tls-version" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks kucoin-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks kucoin-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks kucoin-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token", - "id": "generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token", - "name": "generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.kucoin-access-token.kucoin-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability." - }, - "help": { - "markdown": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n", - "text": "User data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-insecure-template-usage.express-insecure-template-usage", - "id": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage", - "name": "javascript.express.security.express-insecure-template-usage.express-insecure-template-usage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-insecure-template-usage.express-insecure-template-usage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RSA keys should be at least 2048 bits based on NIST recommendation." - }, - "help": { - "markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", - "text": "RSA keys should be at least 2048 bits based on NIST recommendation." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.weak-rsa.use-of-weak-rsa-key", - "id": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key", - "name": "kotlin.lang.security.weak-rsa.use-of-weak-rsa-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.weak-rsa.use-of-weak-rsa-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli)\n - [https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute](https://docs.sqlalchemy.org/en/14/core/connections.html#sqlalchemy.engine.Connection.execute)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = ?', 'active')`" - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli", - "id": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli", - "name": "python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.sqlalchemy-sqli.sqlalchemy-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://bento.dev/checks/boto3/hardcoded-access-token/](https://bento.dev/checks/boto3/hardcoded-access-token/)\n - [https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/](https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.boto3.security.hardcoded-token.hardcoded-token", - "id": "python.boto3.security.hardcoded-token.hardcoded-token", - "name": "python.boto3.security.hardcoded-token.hardcoded-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.boto3.security.hardcoded-token.hardcoded-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "help": { - "markdown": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.ktor.active-debug-code.ktor-development-mode-yaml.ktor-development-mode-yaml)\n - [https://ktor.io/docs/development-mode.html#application-conf](https://ktor.io/docs/development-mode.html#application-conf)\n", - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "helpUri": "https://semgrep.dev/r/kotlin.ktor.active-debug-code.ktor-development-mode-yaml.ktor-development-mode-yaml", - "id": "kotlin.ktor.active-debug-code.ktor-development-mode-yaml.ktor-development-mode-yaml", - "name": "kotlin.ktor.active-debug-code.ktor-development-mode-yaml.ktor-development-mode-yaml", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.ktor.active-debug-code.ktor-development-mode-yaml.ktor-development-mode-yaml" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using $METHOD function, do not trust user-submitted data and only allow approved list of input (possibly, use an allowlist approach)." - }, - "help": { - "markdown": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using $METHOD function, do not trust user-submitted data and only allow approved list of input (possibly, use an allowlist approach).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage)\n - [https://gorm.io/docs/security.html#SQL-injection-Methods](https://gorm.io/docs/security.html#SQL-injection-Methods)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Detected usage of dangerous method $METHOD which does not escape inputs (see link in references). If the argument is user-controlled, this can lead to SQL injection. When using $METHOD function, do not trust user-submitted data and only allow approved list of input (possibly, use an allowlist approach)." - }, - "helpUri": "https://semgrep.dev/r/go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage", - "id": "go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage", - "name": "go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorm.security.audit.gorm-dangerous-methods-usage.gorm-dangerous-method-usage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-empty-password.python-redis-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.redis.python-redis-empty-password.python-redis-empty-password", - "id": "python.redis.python-redis-empty-password.python-redis-empty-password", - "name": "python.redis.python-redis-empty-password.python-redis-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.redis.python-redis-empty-password.python-redis-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request." - }, - "help": { - "markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n", - "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.ssrf-requests.ssrf-requests", - "id": "python.flask.security.injection.ssrf-requests.ssrf-requests", - "name": "python.flask.security.injection.ssrf-requests.ssrf-requests", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.ssrf-requests.ssrf-requests" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE" - }, - "help": { - "markdown": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges)\n - [https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/master/checkov/terraform/checks/data/aws/AdminPolicyDocument.py)\n", - "text": "IAM policies that allow full \"*-*\" admin privileges violates the principle of least privilege. This allows an attacker to take full control over all AWS account resources. Instead, give each user more fine-grained control with only the privileges they need. $TYPE" - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges", - "id": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges", - "name": "terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-admin-privileges.no-iam-admin-privileges" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.jedis.jedis-hardcoded-pool.jedis-hardcoded-pool)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.jedis.jedis-hardcoded-pool.jedis-hardcoded-pool", - "id": "kotlin.jedis.jedis-hardcoded-pool.jedis-hardcoded-pool", - "name": "kotlin.jedis.jedis-hardcoded-pool.jedis-hardcoded-pool", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.jedis.jedis-hardcoded-pool.jedis-hardcoded-pool" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret", - "id": "python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret", - "name": "python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymysql.python-pymysql-hardcoded-secret.python-pymysql-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "`$SINK_VAR` has previously been freed which will trigger a double-free vulnerability. This may lead to memory corruption." - }, - "help": { - "markdown": "`$SINK_VAR` has previously been freed which will trigger a double-free vulnerability. This may lead to memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.deallocation.double-free.double-free)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory)\n", - "text": "`$SINK_VAR` has previously been freed which will trigger a double-free vulnerability. This may lead to memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.deallocation.double-free.double-free", - "id": "cpp.lang.security.memory.deallocation.double-free.double-free", - "name": "cpp.lang.security.memory.deallocation.double-free.double-free", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-415: Double Free", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.deallocation.double-free.double-free" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-urllib3.tainted-fastapi-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-urllib3.tainted-fastapi-http-request-urllib3", - "id": "python.fastapi.net.tainted-fastapi-http-request-urllib3.tainted-fastapi-http-request-urllib3", - "name": "python.fastapi.net.tainted-fastapi-http-request-urllib3.tainted-fastapi-http-request-urllib3", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-urllib3.tainted-fastapi-http-request-urllib3" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-saxtransformerfactory-xxe-spring.tainted-saxtransformerfactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.xxe.tainted-saxtransformerfactory-xxe-spring.tainted-saxtransformerfactory-xxe-spring", - "id": "java.spring.security.xxe.tainted-saxtransformerfactory-xxe-spring.tainted-saxtransformerfactory-xxe-spring", - "name": "java.spring.security.xxe.tainted-saxtransformerfactory-xxe-spring.tainted-saxtransformerfactory-xxe-spring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.xxe.tainted-saxtransformerfactory-xxe-spring.tainted-saxtransformerfactory-xxe-spring" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Webviews were observed that do not enable the `upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental HTTP connections are automatically upgraded to HTTPS, avoiding potential data leakage over the network." - }, - "help": { - "markdown": "Webviews were observed that do not enable the `upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental HTTP connections are automatically upgraded to HTTPS, avoiding potential data leakage over the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-https.swift-webview-config-https-upgrade)\n - [https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps](https://developer.apple.com/documentation/webkit/wkwebviewconfiguration/3752243-upgradeknownhoststohttps)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n", - "text": "Webviews were observed that do not enable the `upgradeKnownHostsToHTTPS` feature. This feature will ensure accidental HTTP connections are automatically upgraded to HTTPS, avoiding potential data leakage over the network." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-https.swift-webview-config-https-upgrade", - "id": "swift.webview.webview-https.swift-webview-config-https-upgrade", - "name": "swift.webview.webview-https.swift-webview-config-https-upgrade", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-https.swift-webview-config-https-upgrade" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set." - }, - "help": { - "markdown": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/02-Testing_for_Cookies_Attributes)\n", - "text": "Found a Rails `cookie_store` session configuration setting the `$KEY` attribute to `false`. If using a cookie-based session store, the HttpOnly and Secure flags should be set." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes", - "id": "ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes", - "name": "ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-cookie-store-session-security-attributes.check-cookie-store-session-security-attributes" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that the expiration date is set on all keys" - }, - "help": { - "markdown": "Ensure that the expiration date is set on all keys\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure that the expiration date is set on all keys" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date", - "id": "terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date", - "name": "terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.azure-key-no-expiration-date.azure-key-no-expiration-date" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." - }, - "help": { - "markdown": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md](https://github.com/nodesecurity/eslint-plugin-security/blob/master/docs/bypass-connect-csrf-protection-by-abusing.md)\n", - "text": "Detected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", - "id": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", - "name": "javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.detect-no-csrf-before-method-override.detect-no-csrf-before-method-override" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution." - }, - "help": { - "markdown": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "An object-returning LDAP search will allow attackers to control the LDAP response. This could lead to Remote Code Execution." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning", - "id": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning", - "name": "java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.ldap-entry-poisoning.ldap-entry-poisoning" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files." - }, - "help": { - "markdown": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files." - }, - "helpUri": "https://semgrep.dev/r/html.security.audit.missing-integrity.missing-integrity", - "id": "html.security.audit.missing-integrity.missing-integrity", - "name": "html.security.audit.missing-integrity.missing-integrity", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-353: Missing Support for Integrity Check", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: html.security.audit.missing-integrity.missing-integrity" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-pyyaml-flask.tainted-pyyaml-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-pyyaml-flask.tainted-pyyaml-flask", - "id": "python.flask.deserialization.tainted-pyyaml-flask.tainted-pyyaml-flask", - "name": "python.flask.deserialization.tainted-pyyaml-flask.tainted-pyyaml-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-pyyaml-flask.tainted-pyyaml-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)" - }, - "help": { - "markdown": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off)\n - [https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/](https://www.saotn.org/dont-turn-off-curlopt_ssl_verifypeer-fix-php-configuration/)\n", - "text": "SSL verification is disabled but should not be (currently CURLOPT_SSL_VERIFYPEER= $IS_VERIFIED)" - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off", - "id": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off", - "name": "php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.curl-ssl-verifypeer-off.curl-ssl-verifypeer-off" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret", - "id": "csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret", - "name": "csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.system.sqlconnectionstringbuilder-hardcoded-secret.sqlconnectionstringbuilder-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This call turns off CSRF protection allowing CSRF attacks against the application" - }, - "help": { - "markdown": "This call turns off CSRF protection allowing CSRF attacks against the application\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection)\n - [https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection](https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html#method-i-skip_forgery_protection)\n", - "text": "This call turns off CSRF protection allowing CSRF attacks against the application" - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection", - "id": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection", - "name": "ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.rails-skip-forgery-protection.rails-skip-forgery-protection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "help": { - "markdown": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "User data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.injection.raw-html-format.raw-html-format", - "id": "javascript.express.security.injection.raw-html-format.raw-html-format", - "name": "javascript.express.security.injection.raw-html-format.raw-html-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.injection.raw-html-format.raw-html-format" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.pg-connection-url.pg-connection-url)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.diesel.pg-connection-url.pg-connection-url", - "id": "rust.secrets.diesel.pg-connection-url.pg-connection-url", - "name": "rust.secrets.diesel.pg-connection-url.pg-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.diesel.pg-connection-url.pg-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped." - }, - "help": { - "markdown": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string)\n - [https://github.com/golang/go/issues/9200#issuecomment-66100328](https://github.com/golang/go/issues/9200#issuecomment-66100328)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n", - "text": "Detected template variable interpolation in a JavaScript template string. This is potentially vulnerable to cross-site scripting (XSS) attacks because a malicious actor has control over JavaScript but without the need to use escaped characters. Instead, obtain this variable outside of the template string and ensure your template is properly escaped." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string", - "id": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string", - "name": "go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.xss.no-interpolation-js-template-string.no-interpolation-js-template-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The return value of `snprintf` is the number of characters that would be written, excluding the NUL terminator. The return value must be validated before using it as a buffer index or buffer length in this following `snprintf` call." - }, - "help": { - "markdown": "The return value of `snprintf` is the number of characters that would be written, excluding the NUL terminator. The return value must be validated before using it as a buffer index or buffer length in this following `snprintf` call.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.snprintf-return-value-snprintf.snprintf-return-value-snprintf)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n - [https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts](https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts)\n", - "text": "The return value of `snprintf` is the number of characters that would be written, excluding the NUL terminator. The return value must be validated before using it as a buffer index or buffer length in this following `snprintf` call." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.snprintf-return-value-snprintf.snprintf-return-value-snprintf", - "id": "cpp.lang.security.strings.snprintf-return-value-snprintf.snprintf-return-value-snprintf", - "name": "cpp.lang.security.strings.snprintf-return-value-snprintf.snprintf-return-value-snprintf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-787: Out-of-bounds Write", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.snprintf-return-value-snprintf.snprintf-return-value-snprintf" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "the `errors` argument to Popen is only available on Python 3.6+" - }, - "help": { - "markdown": "the `errors` argument to Popen is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1)\n", - "text": "the `errors` argument to Popen is only available on Python 3.6+" - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-Popen1", - "id": "python.lang.compatibility.python36.python36-compatibility-Popen1", - "name": "python.lang.compatibility.python36.python36-compatibility-Popen1", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-Popen1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'." - }, - "help": { - "markdown": "Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup)\n - [https://tedboy.github.io/flask/generated/generated/flask.Markup.html](https://tedboy.github.io/flask/generated/generated/flask.Markup.html)\n", - "text": "Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup", - "id": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup", - "name": "python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'." - }, - "help": { - "markdown": "Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n", - "text": "Found request data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution", - "id": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution", - "name": "python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.code.globals-misuse-code-execution.globals-misuse-code-execution" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n", - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`" - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.knex-sqli.knex-sqli", - "id": "javascript.aws-lambda.security.knex-sqli.knex-sqli", - "name": "javascript.aws-lambda.security.knex-sqli.knex-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.knex-sqli.knex-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-vanillasql-format-string-sqli-taint.grpc-vanillasql-format-string-sqli-taint)\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.sql.grpc-vanillasql-format-string-sqli-taint.grpc-vanillasql-format-string-sqli-taint", - "id": "go.grpc.sql.grpc-vanillasql-format-string-sqli-taint.grpc-vanillasql-format-string-sqli-taint", - "name": "go.grpc.sql.grpc-vanillasql-format-string-sqli-taint.grpc-vanillasql-format-string-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.sql.grpc-vanillasql-format-string-sqli-taint.grpc-vanillasql-format-string-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set." - }, - "help": { - "markdown": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.create-with.create-with)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_create_with.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ](https://groups.google.com/g/rubyonrails-security/c/M4chq5Sb540/m/CC1Fh0Y_NWwJ)\n", - "text": "Checks for strong parameter bypass through usage of create_with. Create_with bypasses strong parameter protection, which could allow attackers to set arbitrary attributes on models. To fix this vulnerability, either remove all create_with calls or use the permit function to specify tags that are allowed to be set." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.create-with.create-with", - "id": "ruby.lang.security.create-with.create-with", - "name": "ruby.lang.security.create-with.create-with", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.create-with.create-with" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3." - }, - "help": { - "markdown": "`MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion)\n - [https://golang.org/doc/go1.14#crypto/tls](https://golang.org/doc/go1.14#crypto/tls)\n - [https://golang.org/pkg/crypto/tls/#:~:text=MinVersion](https://golang.org/pkg/crypto/tls/#:~:text=MinVersion)\n - [https://www.us-cert.gov/ncas/alerts/TA14-290A](https://www.us-cert.gov/ncas/alerts/TA14-290A)\n", - "text": "`MinVersion` is missing from this TLS configuration. By default, TLS 1.2 is currently used as the minimum when acting as a client, and TLS 1.0 when acting as a server. General purpose web applications should default to TLS 1.3 with all other protocols disabled. Only where it is known that a web server must support legacy clients with unsupported an insecure browsers (such as Internet Explorer 10), it may be necessary to enable TLS 1.0 to provide support. Add `MinVersion: tls.VersionTLS13' to the TLS configuration to bump the minimum version to TLS 1.3." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion", - "id": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion", - "name": "go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.crypto.missing-ssl-minversion.missing-ssl-minversion" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML." - }, - "help": { - "markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln](https://developer.mozilla.org/en-US/docs/Web/API/Document/writeln)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Document/write](https://developer.mozilla.org/en-US/docs/Web/API/Document/write)\n - [https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML](https://developer.mozilla.org/en-US/docs/Web/API/Element/insertAdjacentHTML)\n", - "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method", - "id": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method", - "name": "typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-method.react-unsanitized-method" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint.grpc-pgx-sqli-taint)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint.grpc-pgx-sqli-taint", - "id": "go.grpc.sql.grpc-pgx-sqli-taint.grpc-pgx-sqli-taint", - "name": "go.grpc.sql.grpc-pgx-sqli-taint.grpc-pgx-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint.grpc-pgx-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.nosql.net-mongo-nosqli-taint.net-mongo-nosqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/go.net.nosql.net-mongo-nosqli-taint.net-mongo-nosqli-taint", - "id": "go.net.nosql.net-mongo-nosqli-taint.net-mongo-nosqli-taint", - "name": "go.net.nosql.net-mongo-nosqli-taint.net-mongo-nosqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.nosql.net-mongo-nosqli-taint.net-mongo-nosqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML." - }, - "help": { - "markdown": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.direct-response-write.direct-response-write", - "id": "javascript.express.security.audit.xss.direct-response-write.direct-response-write", - "name": "javascript.express.security.audit.xss.direct-response-write.direct-response-write", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.direct-response-write.direct-response-write" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly." - }, - "help": { - "markdown": "Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Don’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name", - "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name", - "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-jsonpickle-fastapi.tainted-jsonpickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-jsonpickle-fastapi.tainted-jsonpickle-fastapi", - "id": "python.fastapi.deserialization.tainted-jsonpickle-fastapi.tainted-jsonpickle-fastapi", - "name": "python.fastapi.deserialization.tainted-jsonpickle-fastapi.tainted-jsonpickle-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-jsonpickle-fastapi.tainted-jsonpickle-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist." - }, - "help": { - "markdown": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://goteleport.com/blog/ssrf-attacks/](https://goteleport.com/blog/ssrf-attacks/)\n", - "text": "A request was found to be crafted from user-input `$REQUEST`. This can lead to Server-Side Request Forgery (SSRF) vulnerabilities, potentially exposing sensitive data. It is recommend where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse, including using an allowlist." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-url-host.tainted-url-host", - "id": "go.lang.security.injection.tainted-url-host.tainted-url-host", - "name": "go.lang.security.injection.tainted-url-host.tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.injection.tainted-url-host.tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.strings.detected-private-key.detected-private-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.hardcoded.strings.detected-private-key.detected-private-key", - "id": "javascript.lang.hardcoded.strings.detected-private-key.detected-private-key", - "name": "javascript.lang.hardcoded.strings.detected-private-key.detected-private-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.hardcoded.strings.detected-private-key.detected-private-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from()." - }, - "help": { - "markdown": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html)\n", - "text": "The following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from()." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization", - "id": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization", - "name": "javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-third-party-object-deserialization.express-third-party-object-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to." - }, - "help": { - "markdown": "This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking)\n", - "text": "This app does not have capabilities to prevent tapjacking attacks. An attacker can hijack the user's taps and tricks him into performing some critical operations that he did not intend to." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking", - "id": "mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking", - "name": "mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-200", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.tapjacking.android_detect_tapjacking" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input." - }, - "help": { - "markdown": "If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport)\n - [https://github.com/microsoft/monaco-editor/issues/801](https://github.com/microsoft/monaco-editor/issues/801)\n", - "text": "If user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input." - }, - "helpUri": "https://semgrep.dev/r/javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport", - "id": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport", - "name": "javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.monaco-editor.security.audit.monaco-hover-htmlsupport.monaco-hover-htmlsupport" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify." - }, - "help": { - "markdown": "The syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe)\n - [https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027](https://medium.com/sumone-technical-blog/a-pretty-way-to-unescape-html-in-a-ruby-on-rails-application-efc22b850027)\n - [https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===](https://stackoverflow.com/questions/4251284/raw-vs-html-safe-vs-h-to-unescape-html#:~:text===)\n", - "text": "The syntax `<%== ... %>` is an alias for `html_safe`. This means the content inside these tags will be rendered as raw HTML. This may expose your application to cross-site scripting. If you need raw HTML, prefer using the more explicit `html_safe` and be sure to correctly sanitize variables using a library such as DOMPurify." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe", - "id": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe", - "name": "ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.alias-for-html-safe.alias-for-html-safe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "help": { - "markdown": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/file_access/index.markdown)\n", - "text": "Using user input when accessing files is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call", - "id": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call", - "name": "ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.avoid-tainted-shell-call.avoid-tainted-shell-call" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block." - }, - "help": { - "markdown": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#enable_https_traffic_only)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer](https://docs.microsoft.com/en-us/azure/storage/common/storage-require-secure-transfer)\n", - "text": "Detected a Storage that was not configured to deny action by default. Add `enable_https_traffic_only = true` in your resource block." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-enforce-https.storage-enforce-https", - "id": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https", - "name": "terraform.azure.security.storage.storage-enforce-https.storage-enforce-https", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.storage.storage-enforce-https.storage-enforce-https" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.tainted-html-string-responsebody.tainted-html-string-responsebody)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "helpUri": "https://semgrep.dev/r/java.spring.tainted-html-string-responsebody.tainted-html-string-responsebody", - "id": "java.spring.tainted-html-string-responsebody.tainted-html-string-responsebody", - "name": "java.spring.tainted-html-string-responsebody.tainted-html-string-responsebody", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.tainted-html-string-responsebody.tainted-html-string-responsebody" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-create-element-href-url.react-create-element-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.react-create-element-href-url.react-create-element-href-url", - "id": "typescript.react.react-create-element-href-url.react-create-element-href-url", - "name": "typescript.react.react-create-element-href-url.react-create-element-href-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.react-create-element-href-url.react-create-element-href-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including `$W.Header.Set(X-CSRF-Token\", csrf.Token($R))` in the function before calling `$W.Write()`, or by wrapping the `$FUNC` call with `csrf.Protect(authKey)($FUNC)` and using a key retrieved for instance from an environment variable." - }, - "help": { - "markdown": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including `$W.Header.Set(X-CSRF-Token\", csrf.Token($R))` in the function before calling `$W.Write()`, or by wrapping the `$FUNC` call with `csrf.Protect(authKey)($FUNC)` and using a key retrieved for instance from an environment variable.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-form-without-gorilla-csrf-protection.go-net-http-form-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n", - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. This vulnerability can be prevented by getting the CSRF token from the request and including it in a response header by including `$W.Header.Set(X-CSRF-Token\", csrf.Token($R))` in the function before calling `$W.Write()`, or by wrapping the `$FUNC` call with `csrf.Protect(authKey)($FUNC)` and using a key retrieved for instance from an environment variable." - }, - "helpUri": "https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-form-without-gorilla-csrf-protection.go-net-http-form-without-gorilla-csrf-protection", - "id": "go.net.csrf.gorilla-csrf.go-net-http-form-without-gorilla-csrf-protection.go-net-http-form-without-gorilla-csrf-protection", - "name": "go.net.csrf.gorilla-csrf.go-net-http-form-without-gorilla-csrf-protection.go-net-http-form-without-gorilla-csrf-protection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-form-without-gorilla-csrf-protection.go-net-http-form-without-gorilla-csrf-protection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled." - }, - "help": { - "markdown": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-fileaccess.swift-webview-config-allows-file-access)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n", - "text": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-fileaccess.swift-webview-config-allows-file-access", - "id": "swift.webview.webview-fileaccess.swift-webview-config-allows-file-access", - "name": "swift.webview.webview-fileaccess.swift-webview-config-allows-file-access", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-fileaccess.swift-webview-config-allows-file-access" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient." - }, - "help": { - "markdown": "Checks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests)\n - [https://github.com/rest-client/rest-client](https://github.com/rest-client/rest-client)\n - [https://github.com/jnunemaker/httparty/tree/master/docs](https://github.com/jnunemaker/httparty/tree/master/docs)\n", - "text": "Checks for requests to http (unencrypted) sites using some of ruby's most popular REST/HTTP libraries, including httparty and restclient." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests", - "id": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests", - "name": "problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.http-client-requests.http-client-requests" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package." - }, - "help": { - "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://pkg.go.dev/golang.org/x/crypto/bcrypt](https://pkg.go.dev/golang.org/x/crypto/bcrypt)\n", - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `golang.org/x/crypto/bcrypt` package." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.md5-used-as-password.md5-used-as-password", - "id": "go.lang.security.audit.md5-used-as-password.md5-used-as-password", - "name": "go.lang.security.audit.md5-used-as-password.md5-used-as-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.md5-used-as-password.md5-used-as-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections." - }, - "help": { - "markdown": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket", - "id": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket", - "name": "javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib." - }, - "help": { - "markdown": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives)\n", - "text": "Pervasives is deprecated and will not be available after 4.10. Use Stdlib." - }, - "helpUri": "https://semgrep.dev/r/ocaml.lang.compatibility.deprecated.deprecated-pervasives", - "id": "ocaml.lang.compatibility.deprecated.deprecated-pervasives", - "name": "ocaml.lang.compatibility.deprecated.deprecated-pervasives", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: ocaml.lang.compatibility.deprecated.deprecated-pervasives" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "help": { - "markdown": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.ognl-injection.ognl-injection", - "id": "java.lang.security.audit.ognl-injection.ognl-injection", - "name": "java.lang.security.audit.ognl-injection.ognl-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.ognl-injection.ognl-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-aws-secretaccesskey.hardcoded-aws-secretaccesskey)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.hardcoded.tokens.hardcoded-aws-secretaccesskey.hardcoded-aws-secretaccesskey", - "id": "javascript.lang.hardcoded.tokens.hardcoded-aws-secretaccesskey.hardcoded-aws-secretaccesskey", - "name": "javascript.lang.hardcoded.tokens.hardcoded-aws-secretaccesskey.hardcoded-aws-secretaccesskey", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.hardcoded.tokens.hardcoded-aws-secretaccesskey.hardcoded-aws-secretaccesskey" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag", - "id": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag", - "name": "kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.cookie-missing-secure-flag.cookie-missing-secure-flag" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks flutterwave-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks flutterwave-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks flutterwave-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key", - "id": "generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key", - "name": "generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.flutterwave-secret-key.flutterwave-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the Validator parser with `parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the Validator parser with `parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-validator-xxe-servlet.tainted-validator-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the Validator parser with `parser.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\"). For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xxe.tainted-validator-xxe-servlet.tainted-validator-xxe-servlet", - "id": "java.servlets.security.xxe.tainted-validator-xxe-servlet.tainted-validator-xxe-servlet", - "name": "java.servlets.security.xxe.tainted-validator-xxe-servlet.tainted-validator-xxe-servlet", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xxe.tainted-validator-xxe-servlet.tainted-validator-xxe-servlet" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.code.tainted-code-stdlib-flask.tainted-code-stdlib-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/python.flask.code.tainted-code-stdlib-flask.tainted-code-stdlib-flask", - "id": "python.flask.code.tainted-code-stdlib-flask.tainted-code-stdlib-flask", - "name": "python.flask.code.tainted-code-stdlib-flask.tainted-code-stdlib-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.code.tainted-code-stdlib-flask.tainted-code-stdlib-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Twilio API Key detected" - }, - "help": { - "markdown": "Twilio API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Twilio API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key", - "id": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key", - "name": "generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-twilio-api-key.detected-twilio-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information." - }, - "help": { - "markdown": "Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.active-debug-code-getstacktrace.active-debug-code-getstacktrace)\n - [https://cwe.mitre.org/data/definitions/489.html](https://cwe.mitre.org/data/definitions/489.html)\n - [https://www.acunetix.com/vulnerabilities/web/stack-trace-disclosure-java/](https://www.acunetix.com/vulnerabilities/web/stack-trace-disclosure-java/)\n - [https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces](https://owasp.org/www-project-web-security-testing-guide/v41/4-Web_Application_Security_Testing/08-Testing_for_Error_Handling/02-Testing_for_Stack_Traces)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-information-exposure](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-information-exposure)\n", - "text": "Possible active debug code detected. Deploying an application with debug code can create unintended entry points or expose sensitive information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.active-debug-code-getstacktrace.active-debug-code-getstacktrace", - "id": "java.lang.security.audit.active-debug-code-getstacktrace.active-debug-code-getstacktrace", - "name": "java.lang.security.audit.active-debug-code-getstacktrace.active-debug-code-getstacktrace", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "OWASP-A10:2004 - Insecure Configuration Management", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.active-debug-code-getstacktrace.active-debug-code-getstacktrace" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm", - "id": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm", - "name": "go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.jwt-go.security.jwt-none-alg.jwt-go-none-algorithm" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks planetscale-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks planetscale-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks planetscale-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token", - "id": "generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token", - "name": "generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.planetscale-api-token.planetscale-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-href.react-nextjs-router-href)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "helpUri": "https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-href.react-nextjs-router-href", - "id": "typescript.nextjs.react-nextjs-router-href.react-nextjs-router-href", - "name": "typescript.nextjs.react-nextjs-router-href.react-nextjs-router-href", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nextjs.react-nextjs-router-href.react-nextjs-router-href" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y." - }, - "help": { - "markdown": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1)\n", - "text": "math.remainder is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use math.fmod() or calculate $X - n* $Y." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-math1", - "id": "python.lang.compatibility.python37.python37-compatibility-math1", - "name": "python.lang.compatibility.python37.python37-compatibility-math1", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-math1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-add.tainted-ssrf-spring-add)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-add.tainted-ssrf-spring-add", - "id": "kotlin.spring.tainted-ssrf-spring-add.tainted-ssrf-spring-add", - "name": "kotlin.spring.tainted-ssrf-spring-add.tainted-ssrf-spring-add", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.spring.tainted-ssrf-spring-add.tainted-ssrf-spring-add" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "help": { - "markdown": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.regex.tainted-regex-stdlib-fastapi.tainted-regex-stdlib-fastapi)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n", - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.regex.tainted-regex-stdlib-fastapi.tainted-regex-stdlib-fastapi", - "id": "python.fastapi.regex.tainted-regex-stdlib-fastapi.tainted-regex-stdlib-fastapi", - "name": "python.fastapi.regex.tainted-regex-stdlib-fastapi.tainted-regex-stdlib-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.regex.tainted-regex-stdlib-fastapi.tainted-regex-stdlib-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'." - }, - "help": { - "markdown": "Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n", - "text": "Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter", - "id": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter", - "name": "go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.xss.no-direct-write-to-responsewriter.no-direct-write-to-responsewriter" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method." - }, - "help": { - "markdown": "`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe)\n - [https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe](https://docs.djangoproject.com/en/3.0/_modules/django/utils/html/#html_safe)\n - [https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5](https://gist.github.com/minusworld/7885d8a81dba3ea2d1e4b8fd3c218ef5)\n", - "text": "`html_safe()` add the `__html__` magic method to the provided class. The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.html-safe.html-safe", - "id": "python.django.security.audit.xss.html-safe.html-safe", - "name": "python.django.security.audit.xss.html-safe.html-safe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.html-safe.html-safe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC\t" - }, - "help": { - "markdown": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC\t\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure that RSASHA1 is not used for the zone-signing and key-signing keys in Cloud DNS DNSSEC\t" - }, - "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1", - "id": "terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1", - "name": "terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.gcp.security.gcp-dns-key-specs-rsasha1.gcp-dns-key-specs-rsasha1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Writing `$MAP` from multiple goroutines is not concurrency safe" - }, - "help": { - "markdown": "Writing `$MAP` from multiple goroutines is not concurrency safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map)\n - [https://go.dev/blog/maps#concurrency](https://go.dev/blog/maps#concurrency)\n", - "text": "Writing `$MAP` from multiple goroutines is not concurrency safe" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.racy-write-to-map.racy-write-to-map", - "id": "trailofbits.go.racy-write-to-map.racy-write-to-map", - "name": "trailofbits.go.racy-write-to-map.racy-write-to-map", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.racy-write-to-map.racy-write-to-map" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." - }, - "help": { - "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n", - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-sql-string.tainted-sql-string", - "id": "java.spring.security.injection.tainted-sql-string.tainted-sql-string", - "name": "java.spring.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Artifactory token detected" - }, - "help": { - "markdown": "Artifactory token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Artifactory token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-token.detected-artifactory-token", - "id": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token", - "name": "generic.secrets.security.detected-artifactory-token.detected-artifactory-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-artifactory-token.detected-artifactory-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks mailgun-pub-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks mailgun-pub-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks mailgun-pub-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key", - "id": "generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key", - "name": "generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.mailgun-pub-key.mailgun-pub-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-toml-flask.tainted-path-traversal-toml-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-path-traversal-toml-flask.tainted-path-traversal-toml-flask", - "id": "python.flask.file.tainted-path-traversal-toml-flask.tainted-path-traversal-toml-flask", - "name": "python.flask.file.tainted-path-traversal-toml-flask.tainted-path-traversal-toml-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-path-traversal-toml-flask.tainted-path-traversal-toml-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Use 'resp.render()' to render safely escaped HTML. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Use 'resp.render()' to render safely escaped HTML. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.direct-response-write-with-header.direct-response-write-with-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Use 'resp.render()' to render safely escaped HTML. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.direct-response-write-with-header.direct-response-write-with-header", - "id": "javascript.express.direct-response-write-with-header.direct-response-write-with-header", - "name": "javascript.express.direct-response-write-with-header.direct-response-write-with-header", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.direct-response-write-with-header.direct-response-write-with-header" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.go-vanillasql-format-string-sqli-taint-med-conf.go-vanillasql-format-string-sqli-taint-med-conf)\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "helpUri": "https://semgrep.dev/r/go.net.sql.go-vanillasql-format-string-sqli-taint-med-conf.go-vanillasql-format-string-sqli-taint-med-conf", - "id": "go.net.sql.go-vanillasql-format-string-sqli-taint-med-conf.go-vanillasql-format-string-sqli-taint-med-conf", - "name": "go.net.sql.go-vanillasql-format-string-sqli-taint-med-conf.go-vanillasql-format-string-sqli-taint-med-conf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.sql.go-vanillasql-format-string-sqli-taint-med-conf.go-vanillasql-format-string-sqli-taint-med-conf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information." - }, - "help": { - "markdown": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension)\n - [https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup](https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup)\n - [https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/](https://semgrep.dev/blog/2020/bento-check-unescaped-template-extensions-in-flask/)\n - [https://bento.dev/checks/flask/unescaped-file-extension/](https://bento.dev/checks/flask/unescaped-file-extension/)\n", - "text": "Flask does not automatically escape Jinja templates unless they have .html, .htm, .xml, or .xhtml extensions. This could lead to XSS attacks. Use .html, .htm, .xml, or .xhtml for your template extensions. See https://flask.palletsprojects.com/en/1.1.x/templating/#jinja-setup for more information." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.unescaped-template-extension.unescaped-template-extension", - "id": "python.flask.security.unescaped-template-extension.unescaped-template-extension", - "name": "python.flask.security.unescaped-template-extension.unescaped-template-extension", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.unescaped-template-extension.unescaped-template-extension" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false." - }, - "help": { - "markdown": "Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_file_disclosure.rb)\n - [https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ](https://groups.google.com/g/rubyonrails-security/c/23fiuwb1NBA/m/MQVM1-5GkPMJ)\n", - "text": "Special requests can determine whether a file exists on a filesystem that's outside the Rails app's root directory. To fix this, set config.serve_static_assets = false." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.file-disclosure.file-disclosure", - "id": "ruby.lang.security.file-disclosure.file-disclosure", - "name": "ruby.lang.security.file-disclosure.file-disclosure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.file-disclosure.file-disclosure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic." - }, - "help": { - "markdown": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request)\n - [https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html](https://docs.oracle.com/javase/8/docs/api/java/net/Socket.html)\n", - "text": "Insecure transport rules to catch socket connections to http, telnet, and ftp servers. This is dangerous because these are protocols that do not encrypt traffic." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.socket-request.socket-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution." - }, - "help": { - "markdown": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.eslint.detect-object-injection)\n", - "text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution." - }, - "helpUri": "https://semgrep.dev/r/gitlab.eslint.detect-object-injection", - "id": "gitlab.eslint.detect-object-injection", - "name": "gitlab.eslint.detect-object-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: gitlab.eslint.detect-object-injection" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options." - }, - "help": { - "markdown": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-dotenv-variable-fastapi.tainted-dotenv-variable-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.os.tainted-dotenv-variable-fastapi.tainted-dotenv-variable-fastapi", - "id": "python.fastapi.os.tainted-dotenv-variable-fastapi.tainted-dotenv-variable-fastapi", - "name": "python.fastapi.os.tainted-dotenv-variable-fastapi.tainted-dotenv-variable-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-454: External Initialization of Trusted Variables or Data Stores", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.os.tainted-dotenv-variable-fastapi.tainted-dotenv-variable-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping" - }, - "help": { - "markdown": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug)\n - [https://twitter.com/Mauricio_0218/status/1490082073096462340](https://twitter.com/Mauricio_0218/status/1490082073096462340)\n - [https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1](https://etherscan.io/address/0xe38b72d6595fd3885d1d2f770aa23e94757f91a1)\n", - "text": "Parameter \"from\" is checked at incorrect position in \"_allowances\" mapping" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug", - "id": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug", - "name": "solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-688: Function Call With Incorrect Variable or Reference as Argument", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.tecra-coin-burnfrom-bug.tecra-coin-burnfrom-bug" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks authress-service-client-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks authress-service-client-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks authress-service-client-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key", - "id": "generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key", - "name": "generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.authress-service-client-access-key.authress-service-client-access-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure CloudTrail logs are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk", - "id": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk", - "name": "terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-cloudtrail-encrypted-with-cmk.aws-cloudtrail-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-connection-string.ruby-pg-hardcoded-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.pg.ruby-pg-hardcoded-connection-string.ruby-pg-hardcoded-connection-string", - "id": "ruby.pg.ruby-pg-hardcoded-connection-string.ruby-pg-hardcoded-connection-string", - "name": "ruby.pg.ruby-pg-hardcoded-connection-string.ruby-pg-hardcoded-connection-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.pg.ruby-pg-hardcoded-connection-string.ruby-pg-hardcoded-connection-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks." - }, - "help": { - "markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n - [https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti](https://pequalsnp-team.github.io/cheatsheet/flask-jinja2-ssti)\n", - "text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.dangerous-template-string.dangerous-template-string", - "id": "python.flask.security.dangerous-template-string.dangerous-template-string", - "name": "python.flask.security.dangerous-template-string.dangerous-template-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.dangerous-template-string.dangerous-template-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Generic API Key detected" - }, - "help": { - "markdown": "Generic API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key)\n - [https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json](https://github.com/dxa4481/truffleHogRegexes/blob/master/truffleHogRegexes/regexes.json)\n", - "text": "Generic API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-api-key.detected-generic-api-key", - "id": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key", - "name": "generic.secrets.security.detected-generic-api-key.detected-generic-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-generic-api-key.detected-generic-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hardcoded passphrase was used with a call to the Password Based Key Derivation Function (PBKDF2) function which derives a cryptographic key from the password input. Because of this, the derived key is predictable and can be considered hard-coded too. Keys should be derived using a unique passphrase and randomly generated salt - per user." - }, - "help": { - "markdown": "A hardcoded passphrase was used with a call to the Password Based Key Derivation Function (PBKDF2) function which derives a cryptographic key from the password input. Because of this, the derived key is predictable and can be considered hard-coded too. Keys should be derived using a unique passphrase and randomly generated salt - per user.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-pbkdf2-passphrase.hardcoded-pbkdf2-passphrase)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n", - "text": "A hardcoded passphrase was used with a call to the Password Based Key Derivation Function (PBKDF2) function which derives a cryptographic key from the password input. Because of this, the derived key is predictable and can be considered hard-coded too. Keys should be derived using a unique passphrase and randomly generated salt - per user." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.hardcoded-pbkdf2-passphrase.hardcoded-pbkdf2-passphrase", - "id": "swift.commoncrypto.hardcoded-pbkdf2-passphrase.hardcoded-pbkdf2-passphrase", - "name": "swift.commoncrypto.hardcoded-pbkdf2-passphrase.hardcoded-pbkdf2-passphrase", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-259: Use of Hard-coded Password", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.hardcoded-pbkdf2-passphrase.hardcoded-pbkdf2-passphrase" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "help": { - "markdown": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask.active-debug-code-flask)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n", - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "helpUri": "https://semgrep.dev/r/python.flask.debug.debug-flask.active-debug-code-flask", - "id": "python.flask.debug.debug-flask.active-debug-code-flask", - "name": "python.flask.debug.debug-flask.active-debug-code-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.debug.debug-flask.active-debug-code-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'." - }, - "help": { - "markdown": "Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use)\n - [https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186](https://github.com/mpirnat/lets-be-bad-guys/blob/d92768fb3ade32956abd53bd6bb06e19d634a084/badguys/vulnerable/views.py#L181-L186)\n", - "text": "Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-globals-use.dangerous-globals-use", - "id": "python.lang.security.dangerous-globals-use.dangerous-globals-use", - "name": "python.lang.security.dangerous-globals-use.dangerous-globals-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.dangerous-globals-use.dangerous-globals-use" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. " - }, - "help": { - "markdown": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions)\n - [https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole)\n - [https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice](https://kubernetes.io/docs/concepts/security/rbac-good-practices/#general-good-practice)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#api-groups)\n", - "text": "Semgrep detected a Kubernetes core API ClusterRole with excessive permissions. Attaching excessive permissions to a ClusterRole associated with the core namespace allows the V1 API to perform arbitrary actions on arbitrary resources attached to the cluster. Prefer explicit allowlists of verbs/resources when configuring the core API namespace. " - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions", - "id": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions", - "name": "yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.legacy-api-clusterrole-excessive-permissions.legacy-api-clusterrole-excessive-permissions" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "help": { - "markdown": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "By default, AWS DynamoDB Table is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your data in the DynamoDB table. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted", - "id": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted", - "name": "terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-dynamodb-table-unencrypted.aws-dynamodb-table-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Debug logging is explicitly enabled. This can potentially disclose sensitive information and should never be active on production systems." - }, - "help": { - "markdown": "Debug logging is explicitly enabled. This can potentially disclose sensitive information and should never be active on production systems.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-active-debug.search-active-debug)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n", - "text": "Debug logging is explicitly enabled. This can potentially disclose sensitive information and should never be active on production systems." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.search-active-debug.search-active-debug", - "id": "php.lang.security.search-active-debug.search-active-debug", - "name": "php.lang.security.search-active-debug.search-active-debug", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.search-active-debug.search-active-debug" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher." - }, - "help": { - "markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.pycryptodome.org/src/public_key/dsa](https://www.pycryptodome.org/src/public_key/dsa)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf)\n", - "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "id": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "name": "python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insufficient-dsa-key-size.insufficient-dsa-key-size" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability." - }, - "help": { - "markdown": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected potential code injection using ScriptEngine. Ensure user-controlled data cannot enter '.eval()', otherwise, this is a code injection vulnerability." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.script-engine-injection.script-engine-injection", - "id": "java.lang.security.audit.script-engine-injection.script-engine-injection", - "name": "java.lang.security.audit.script-engine-injection.script-engine-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.script-engine-injection.script-engine-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination" - }, - "help": { - "markdown": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Possible writing outside of the destination, make sure that the target path is nested in the intended destination" - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal", - "id": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal", - "name": "javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-path-join-resolve-traversal.express-path-join-resolve-traversal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation." - }, - "help": { - "markdown": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/hostspoofing.md)\n - [https://portswigger.net/web-security/host-header](https://portswigger.net/web-security/host-header)\n", - "text": "'$http_host' and '$host' variables may contain a malicious value from attacker controlled 'Host' request header. Use an explicitly configured host value or a allow list for validation." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.request-host-used.request-host-used", - "id": "generic.nginx.security.request-host-used.request-host-used", - "name": "generic.nginx.security.request-host-used.request-host-used", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-290: Authentication Bypass by Spoofing", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.request-host-used.request-host-used" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`" - }, - "help": { - "markdown": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n", - "text": "Calling `$WG.Wait()` inside a loop blocks the call to `$WG.Done()`" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop", - "id": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop", - "name": "trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-667: Improper Locking", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.waitgroup-wait-inside-loop.waitgroup-wait-inside-loop" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Key generation routines were identified where the resultant keys are not stored protected by the Secure Enclave. On iOS/macOS systems, cryptographic keys can be generated within the Secure Enclave - making them inaccessible to the rest of the system. The keys can be used for operations (signing, decryption, etc) but the private keys cannot be dumped or copied - even on rooted/jailbroken systems." - }, - "help": { - "markdown": "Key generation routines were identified where the resultant keys are not stored protected by the Secure Enclave. On iOS/macOS systems, cryptographic keys can be generated within the Secure Enclave - making them inaccessible to the rest of the system. The keys can be used for operations (signing, decryption, etc) but the private keys cannot be dumped or copied - even on rooted/jailbroken systems.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-keystorage.insecure-crypto-keystorage)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "Key generation routines were identified where the resultant keys are not stored protected by the Secure Enclave. On iOS/macOS systems, cryptographic keys can be generated within the Secure Enclave - making them inaccessible to the rest of the system. The keys can be used for operations (signing, decryption, etc) but the private keys cannot be dumped or copied - even on rooted/jailbroken systems." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-keystorage.insecure-crypto-keystorage", - "id": "swift.commoncrypto.insecure-crypto-keystorage.insecure-crypto-keystorage", - "name": "swift.commoncrypto.insecure-crypto-keystorage.insecure-crypto-keystorage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-922: Insecure Storage of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-keystorage.insecure-crypto-keystorage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The ECR Repository isn't configured to scan images on push" - }, - "help": { - "markdown": "The ECR Repository isn't configured to scan images on push\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push)\n - [https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components)\n", - "text": "The ECR Repository isn't configured to scan images on push" - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push", - "id": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push", - "name": "terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1104: Use of Unmaintained Third Party Components", - "LOW CONFIDENCE", - "OWASP-A06:2021 - Vulnerable and Outdated Components", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.ecr-image-scan-on-push.ecr-image-scan-on-push" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header-encoded.hardcoded-secret-in-request-header-encoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header-encoded.hardcoded-secret-in-request-header-encoded", - "id": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header-encoded.hardcoded-secret-in-request-header-encoded", - "name": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header-encoded.hardcoded-secret-in-request-header-encoded", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.okhttp.secrets.hardcoded-secret-in-request-header-encoded.hardcoded-secret-in-request-header-encoded" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Using 'locals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'locals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead." - }, - "help": { - "markdown": "Using 'locals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'locals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context)\n - [https://docs.djangoproject.com/en/3.2/ref/settings/#templates](https://docs.djangoproject.com/en/3.2/ref/settings/#templates)\n - [https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates](https://docs.djangoproject.com/en/3.2/topics/templates/#django.template.backends.django.DjangoTemplates)\n - [https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context](https://docs.djangoproject.com/en/3.2/ref/templates/api/#rendering-a-context)\n", - "text": "Using 'locals()' as a context to 'render(...)' is extremely dangerous. This exposes Python functions to the template that were not meant to be exposed. An attacker could use these functions to execute code that was not intended to run and could compromise the application. (This is server-side template injection (SSTI)). Do not use 'locals()'. Instead, specify each variable in a dictionary or 'django.template.Context' object, like '{\"var1\": \"hello\"}' and use that instead." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.locals-as-template-context.locals-as-template-context", - "id": "python.django.security.locals-as-template-context.locals-as-template-context", - "name": "python.django.security.locals-as-template-context.locals-as-template-context", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.locals-as-template-context.locals-as-template-context" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-mysql-hardcoded-secret.python-peewee-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.peewee.python-peewee-mysql-hardcoded-secret.python-peewee-mysql-hardcoded-secret", - "id": "python.peewee.python-peewee-mysql-hardcoded-secret.python-peewee-mysql-hardcoded-secret", - "name": "python.peewee.python-peewee-mysql-hardcoded-secret.python-peewee-mysql-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.peewee.python-peewee-mysql-hardcoded-secret.python-peewee-mysql-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information." - }, - "help": { - "markdown": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n", - "text": "Detected a python logger call with a potential hardcoded secret $FORMAT_STRING being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure", - "id": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure", - "name": "python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-532: Insertion of Sensitive Information into Log File", - "MEDIUM CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "help": { - "markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode)\n - [https://jwt-scala.github.io/jwt-scala/](https://jwt-scala.github.io/jwt-scala/)\n", - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "helpUri": "https://semgrep.dev/r/scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode", - "id": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode", - "name": "scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.jwt-scala.security.jwt-scala-hardcode.jwt-scala-hardcode" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-create-element-dangerouslysetinnerhtml-url.react-create-element-dangerouslysetinnerhtml-url)\n - [https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1](https://medium.com/dailyjs/exploiting-script-injection-flaws-in-reactjs-883fb1fe36c1)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.react-create-element-dangerouslysetinnerhtml-url.react-create-element-dangerouslysetinnerhtml-url", - "id": "typescript.react.react-create-element-dangerouslysetinnerhtml-url.react-create-element-dangerouslysetinnerhtml-url", - "name": "typescript.react.react-create-element-dangerouslysetinnerhtml-url.react-create-element-dangerouslysetinnerhtml-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.react-create-element-dangerouslysetinnerhtml-url.react-create-element-dangerouslysetinnerhtml-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-empty-password.python-webrepl-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.webrepl.python-webrepl-empty-password.python-webrepl-empty-password", - "id": "python.webrepl.python-webrepl-empty-password.python-webrepl-empty-password", - "name": "python.webrepl.python-webrepl-empty-password.python-webrepl-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.webrepl.python-webrepl-empty-password.python-webrepl-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint-sls.file-access-taint-sls)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint-sls.file-access-taint-sls", - "id": "java.micronaut.path-traversal.file-access-taint-sls.file-access-taint-sls", - "name": "java.micronaut.path-traversal.file-access-taint-sls.file-access-taint-sls", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.path-traversal.file-access-taint-sls.file-access-taint-sls" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret", - "id": "javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret", - "name": "javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.pg.node-pg-hardcoded-secret.node-pg-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true." - }, - "help": { - "markdown": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version)\n - [https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm](https://developer.salesforce.com/docs/atlas.en-us.api_meta.meta/api_meta/meta_pages.htm)\n", - "text": "Visualforce Pages must use API version 55 or higher for required use of the cspHeader attribute set to true." - }, - "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version", - "id": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version", - "name": "generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.visualforce.security.ncino.xml.visualforceapiversion.visualforce-page-api-version" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Ensure that the expiration date is set on all keys" - }, - "help": { - "markdown": "Ensure that the expiration date is set on all keys\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/key_vault_key#expiration_date)\n - [https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags](https://docs.microsoft.com/en-us/powershell/module/az.keyvault/update-azkeyvaultkey?view=azps-5.8.0#example-1--modify-a-key-to-enable-it--and-set-the-expiration-date-and-tags)\n", - "text": "Ensure that the expiration date is set on all keys" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires", - "id": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires", - "name": "terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-262: Not Using Password Aging", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.keyvault.keyvault-ensure-key-expires.keyvault-ensure-key-expires" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "help": { - "markdown": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Seam Logging API support an expression language to introduce bean property to log messages. The expression language can also be the source to unwanted code execution. In this context, an expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "helpUri": "https://semgrep.dev/r/java.jboss.security.seam-log-injection.seam-log-injection", - "id": "java.jboss.security.seam-log-injection.seam-log-injection", - "name": "java.jboss.security.seam-log-injection.seam-log-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jboss.security.seam-log-injection.seam-log-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdo-sqli.jdo-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.jdo-sqli.jdo-sqli", - "id": "java.spring.security.jdo-sqli.jdo-sqli", - "name": "java.spring.security.jdo-sqli.jdo-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.jdo-sqli.jdo-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute." - }, - "help": { - "markdown": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_cluster#enabling-control-plane-logging)\n - [https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html](https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html)\n", - "text": "Missing EKS control plane logging. It is recommended to enable at least Kubernetes API server component logs (\"api\") and audit logs (\"audit\") of the EKS control plane through the enabled_cluster_log_types attribute." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging", - "id": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging", - "name": "terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "LOW CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "OWASP-A10:2017 - Insufficient Logging & Monitoring", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.eks-insufficient-control-plane-logging.eks-insufficient-control-plane-logging" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.diesel-taint.diesel-taint)\n - [https://docs.rs/diesel/latest/diesel/](https://docs.rs/diesel/latest/diesel/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.hyper.sql.diesel-taint.diesel-taint", - "id": "rust.hyper.sql.diesel-taint.diesel-taint", - "name": "rust.hyper.sql.diesel-taint.diesel-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.hyper.sql.diesel-taint.diesel-taint" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks new-relic-user-api-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks new-relic-user-api-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks new-relic-user-api-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id", - "id": "generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id", - "name": "generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.new-relic-user-api-id.new-relic-user-api-id" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead." - }, - "help": { - "markdown": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query)\n - [https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection](https://www.doctrine-project.org/projects/doctrine-dbal/en/current/reference/query-builder.html#security-safely-preventing-sql-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "`$QUERY` Detected string concatenation with a non-literal variable in a Doctrine QueryBuilder method. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead." - }, - "helpUri": "https://semgrep.dev/r/php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query", - "id": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query", - "name": "php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.doctrine.security.audit.doctrine-orm-dangerous-query.doctrine-orm-dangerous-query" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct." - }, - "help": { - "markdown": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/user/session/session.go#L69)\n", - "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Options struct." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", - "id": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", - "name": "go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.security.audit.session-cookie-missing-httponly.session-cookie-missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed." - }, - "help": { - "markdown": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n", - "text": "Found user-controlled request data passed into HttpResponse. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse", - "id": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse", - "name": "python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponse.reflected-data-httpresponse" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead." - }, - "help": { - "markdown": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected use of an insecure MD4 or MD5 hash function. These functions have known vulnerabilities and are considered deprecated. Consider using 'SHA256' or a similar function instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.insecure-hash-function.insecure-hash-function", - "id": "python.lang.security.insecure-hash-function.insecure-hash-function", - "name": "python.lang.security.insecure-hash-function.insecure-hash-function", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.insecure-hash-function.insecure-hash-function" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT" - }, - "help": { - "markdown": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell)\n - [https://cwe.mitre.org/data/definitions/553.html](https://cwe.mitre.org/data/definitions/553.html)\n", - "text": "Semgrep found a Python reverse shell using $BINPATH to $IP at $PORT" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.python-reverse-shell.python-reverse-shell", - "id": "python.lang.security.audit.python-reverse-shell.python-reverse-shell", - "name": "python.lang.security.audit.python-reverse-shell.python-reverse-shell", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-553: Command Shell in Externally Accessible Directory", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.python-reverse-shell.python-reverse-shell" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "help": { - "markdown": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Avoid using `dill`, which uses `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-dill", - "id": "python.lang.security.deserialization.pickle.avoid-dill", - "name": "python.lang.security.deserialization.pickle.avoid-dill", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-dill" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Symmetric cryptographic operations were identified that use Cipher Block Chaining (CBC) mode. AES in CBC mode provides unauthenticated cryptographic encryption. CBC is also malleable, meaning that an attacker can influence the decrypted plaintext by modifying bits of the ciphertext (bit flipping attacks). Consider using an authenticated encryption mechanism, such as AES-GCM or ChaChaPoly. If CBC mode is **required**, consider augmenting the encryption with authentication by signing the ciphertexts with a Message Authentication Code (e.g. HMAC)." - }, - "help": { - "markdown": "Symmetric cryptographic operations were identified that use Cipher Block Chaining (CBC) mode. AES in CBC mode provides unauthenticated cryptographic encryption. CBC is also malleable, meaning that an attacker can influence the decrypted plaintext by modifying bits of the ciphertext (bit flipping attacks). Consider using an authenticated encryption mechanism, such as AES-GCM or ChaChaPoly. If CBC mode is **required**, consider augmenting the encryption with authentication by signing the ciphertexts with a Message Authentication Code (e.g. HMAC).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-cbc-mode.insecure-crypto-cbc-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://zhangzeyu2001.medium.com/attacking-cbc-mode-bit-flipping-7e0a1c185511](https://zhangzeyu2001.medium.com/attacking-cbc-mode-bit-flipping-7e0a1c185511)\n - [https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication](https://arxumpathsecurity.com/blog/2019/10/16/cbc-mode-is-malleable-dont-trust-it-for-authentication)\n", - "text": "Symmetric cryptographic operations were identified that use Cipher Block Chaining (CBC) mode. AES in CBC mode provides unauthenticated cryptographic encryption. CBC is also malleable, meaning that an attacker can influence the decrypted plaintext by modifying bits of the ciphertext (bit flipping attacks). Consider using an authenticated encryption mechanism, such as AES-GCM or ChaChaPoly. If CBC mode is **required**, consider augmenting the encryption with authentication by signing the ciphertexts with a Message Authentication Code (e.g. HMAC)." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-cbc-mode.insecure-crypto-cbc-mode", - "id": "swift.commoncrypto.insecure-crypto-cbc-mode.insecure-crypto-cbc-mode", - "name": "swift.commoncrypto.insecure-crypto-cbc-mode.insecure-crypto-cbc-mode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-cbc-mode.insecure-crypto-cbc-mode" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach `sandbox`." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Make sure that unverified user data can not reach `sandbox`." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-sandbox-injection.express-sandbox-code-injection", - "id": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection", - "name": "javascript.express.security.express-sandbox-injection.express-sandbox-code-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-sandbox-injection.express-sandbox-code-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server." - }, - "help": { - "markdown": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.web.script.serialization.simpletyperesolver?view=netframework-4.8#remarks)\n", - "text": "The SimpleTypeResolver class is insecure and should not be used. Using SimpleTypeResolver to deserialize JSON could allow the remote client to execute malicious code within the app and take control of the web server." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization", - "id": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization", - "name": "csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.javascript-serializer.insecure-javascriptserializer-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "id": "rust.secrets.tokio-postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "name": "rust.secrets.tokio-postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-empty-password.hardcoded-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data." - }, - "help": { - "markdown": "FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.ftplib.ftplib)\n - [https://docs.python.org/3/library/telnetlib.html](https://docs.python.org/3/library/telnetlib.html)\n", - "text": "FTP does not encrypt communications by default. This can lead to sensitive data being exposed. Ensure use of FTP here does not expose sensitive data." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.ftplib.ftplib", - "id": "python.lang.security.audit.ftplib.ftplib", - "name": "python.lang.security.audit.ftplib.ftplib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.ftplib.ftplib" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed." - }, - "help": { - "markdown": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n", - "text": "Found user-controlled request data passed into a HttpResponseBadRequest. This could be vulnerable to XSS, leading to attackers gaining access to user cookies and protected information. Ensure that the request data is properly escaped or sanitzed." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest", - "id": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest", - "name": "python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.reflected-data-httpresponsebadrequest.reflected-data-httpresponsebadrequest" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure Kinesis video stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk", - "id": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk", - "name": "terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-kinesis-video-stream-encrypted-with-cmk.aws-kinesis-video-stream-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Client-side SQL injection was found, which has different impacts depending on the SQL use-case. The impact may include the circumvention of local authentication mechanisms, obtaining of sensitive data from the app, or manipulation of client-side behavior." - }, - "help": { - "markdown": "Client-side SQL injection was found, which has different impacts depending on the SQL use-case. The impact may include the circumvention of local authentication mechanisms, obtaining of sensitive data from the app, or manipulation of client-side behavior.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.sql.sqlilite-injection.swift-sqlite-injection)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n", - "text": "Client-side SQL injection was found, which has different impacts depending on the SQL use-case. The impact may include the circumvention of local authentication mechanisms, obtaining of sensitive data from the app, or manipulation of client-side behavior." - }, - "helpUri": "https://semgrep.dev/r/swift.sql.sqlilite-injection.swift-sqlite-injection", - "id": "swift.sql.sqlilite-injection.swift-sqlite-injection", - "name": "swift.sql.sqlilite-injection.swift-sqlite-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.sql.sqlilite-injection.swift-sqlite-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedispool-constructor-hardcoded-secret.jedispool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jedis.secrets.jedispool-constructor-hardcoded-secret.jedispool-constructor-hardcoded-secret", - "id": "java.jedis.secrets.jedispool-constructor-hardcoded-secret.jedispool-constructor-hardcoded-secret", - "name": "java.jedis.secrets.jedispool-constructor-hardcoded-secret.jedispool-constructor-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jedis.secrets.jedispool-constructor-hardcoded-secret.jedispool-constructor-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method." - }, - "help": { - "markdown": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization)\n - [https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf](https://www.blackhat.com/docs/us-16/materials/us-16-Kaiser-Pwning-Your-Java-Messaging-With-Deserialization-Vulnerabilities-wp.pdf)\n", - "text": "JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload when ObjectMessage.getObject() is called. Deserialization of untrusted data can lead to security flaws; a remote attacker could via a crafted JMS ObjectMessage to execute arbitrary code with the permissions of the application listening/consuming JMS Messages. In this case, the JMS MessageListener consume an ObjectMessage type received inside the onMessage method, which may lead to arbitrary code execution when calling the $Y.getObject method." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", - "id": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", - "name": "java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.insecure-jms-deserialization.insecure-jms-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RSA key generation was identified where the key size was less than the industry standard recommendation of 2048 bits minimum. Use a key strength of at least 2048 bit, or stronger where appropriate." - }, - "help": { - "markdown": "RSA key generation was identified where the key size was less than the industry standard recommendation of 2048 bits minimum. Use a key strength of at least 2048 bit, or stronger where appropriate.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-rsa-keysize.insecure-crypto-rsa-keysize)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "RSA key generation was identified where the key size was less than the industry standard recommendation of 2048 bits minimum. Use a key strength of at least 2048 bit, or stronger where appropriate." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-rsa-keysize.insecure-crypto-rsa-keysize", - "id": "swift.commoncrypto.insecure-crypto-rsa-keysize.insecure-crypto-rsa-keysize", - "name": "swift.commoncrypto.insecure-crypto-rsa-keysize.insecure-crypto-rsa-keysize", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-rsa-keysize.insecure-crypto-rsa-keysize" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [Command injection prevention for JavaScript ](https://semgrep.dev/docs/cheat-sheets/javascript-command-injection/)." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [Command injection prevention for JavaScript ](https://semgrep.dev/docs/cheat-sheets/javascript-command-injection/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.express-child-process.express-child-process)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [Command injection prevention for JavaScript ](https://semgrep.dev/docs/cheat-sheets/javascript-command-injection/)." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.express-child-process.express-child-process", - "id": "javascript.express.express-child-process.express-child-process", - "name": "javascript.express.express-child-process.express-child-process", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.express-child-process.express-child-process" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.secure-false.secure-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.audit.cookies.secure-false.secure-false", - "id": "csharp.lang.audit.cookies.secure-false.secure-false", - "name": "csharp.lang.audit.cookies.secure-false.secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.audit.cookies.secure-false.secure-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." - }, - "help": { - "markdown": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override)\n - [https://www.jardinesoftware.net/2016/05/26/xxe-and-net/](https://www.jardinesoftware.net/2016/05/26/xxe-and-net/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.xml.xmldocument.xmlresolver?view=net-6.0#remarks)\n", - "text": "XmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", - "id": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", - "name": "csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.xxe.xmlreadersettings-unsafe-parser-override.xmlreadersettings-unsafe-parser-override" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead." - }, - "help": { - "markdown": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Usage of RSA without OAEP (Optimal Asymmetric Encryption Padding) may weaken encryption. This could lead to sensitive data exposure. Instead, use RSA with `OAEPWithMD5AndMGF1Padding` instead." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.rsa-padding-set.rsa-padding-set", - "id": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set", - "name": "scala.lang.security.audit.rsa-padding-set.rsa-padding-set", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-780: Use of RSA Algorithm without OAEP", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.rsa-padding-set.rsa-padding-set" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true." - }, - "help": { - "markdown": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_force_ssl.rb)\n", - "text": "Checks for configuration setting of force_ssl to false. Force_ssl forces usage of HTTPS, which could lead to network interception of unencrypted application traffic. To fix, set config.force_ssl = true." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.force-ssl-false.force-ssl-false", - "id": "ruby.lang.security.force-ssl-false.force-ssl-false", - "name": "ruby.lang.security.force-ssl-false.force-ssl-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "HIGH CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.force-ssl-false.force-ssl-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "help": { - "markdown": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.redos.express-redos.redos)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n", - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.redos.express-redos.redos", - "id": "javascript.express.redos.express-redos.redos", - "name": "javascript.express.redos.express-redos.redos", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.redos.express-redos.redos" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." - }, - "help": { - "markdown": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Detected input from a HTTPServletRequest going into a SQL sink or statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use parameterized SQL queries or properly sanitize user input instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", - "id": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", - "name": "java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.sqli.tainted-sql-from-http-request.tainted-sql-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`)." - }, - "help": { - "markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag)\n - [https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A](https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n", - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`)." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.var-in-script-tag.var-in-script-tag", - "id": "python.django.security.audit.xss.var-in-script-tag.var-in-script-tag", - "name": "python.django.security.audit.xss.var-in-script-tag.var-in-script-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.var-in-script-tag.var-in-script-tag" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "This rule has been deprecated. Please remove it from your policies and rulepacks." - }, - "help": { - "markdown": "This rule has been deprecated. Please remove it from your policies and rulepacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n", - "text": "This rule has been deprecated. Please remove it from your policies and rulepacks." - }, - "helpUri": "https://semgrep.dev/r/go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint", - "id": "go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint", - "name": "go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.sql.pg-orm-sqli-taint.pg-orm-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability." - }, - "help": { - "markdown": "'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "'reflect.MakeFunc' detected. This will sidestep protections that are normally afforded by Go's type system. Audit this call and be sure that user input cannot be used to affect the code generated by MakeFunc; otherwise, you will have a serious security vulnerability." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.reflect-makefunc.reflect-makefunc", - "id": "go.lang.security.audit.reflect-makefunc.reflect-makefunc", - "name": "go.lang.security.audit.reflect-makefunc.reflect-makefunc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-913: Improper Control of Dynamically-Managed Code Resources", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.reflect-makefunc.reflect-makefunc" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysql.python-mysql-empty-password.python-mysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.mysql.python-mysql-empty-password.python-mysql-empty-password", - "id": "python.mysql.python-mysql-empty-password.python-mysql-empty-password", - "name": "python.mysql.python-mysql-empty-password.python-mysql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.mysql.python-mysql-empty-password.python-mysql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.path-traversal.file-taint-msg.file-taint-msg)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.path-traversal.file-taint-msg.file-taint-msg", - "id": "java.micronaut.path-traversal.file-taint-msg.file-taint-msg", - "name": "java.micronaut.path-traversal.file-taint-msg.file-taint-msg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.path-traversal.file-taint-msg.file-taint-msg" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior." - }, - "help": { - "markdown": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n", - "text": "Only use DataContractResolver if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver", - "id": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver", - "name": "csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.data-contract-resolver.data-contract-resolver" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/go.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "id": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "name": "go.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.aws-lambda.security.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information." - }, - "help": { - "markdown": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated)\n - [https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard](https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", - "text": "DES is considered deprecated. AES is the recommended cipher. Upgrade to use AES. See https://www.nist.gov/news-events/news/2005/06/nist-withdraws-outdated-data-encryption-standard for more information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", - "id": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", - "name": "java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.des-is-deprecated.des-is-deprecated" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "help": { - "markdown": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "By default, the AWS Lambda Environment is encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your environment variables in Lambda. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted", - "id": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted", - "name": "terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-lambda-environment-unencrypted.aws-lambda-environment-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "`$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer is invalid after `$VAR` goes out of scope, which can trigger a use after free." - }, - "help": { - "markdown": "`$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer is invalid after `$VAR` goes out of scope, which can trigger a use after free.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.containers.std-return-data.std-return-data)\n - [https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations](https://wiki.sei.cmu.edu/confluence/display/c/DCL30-C.+Declare+objects+with+appropriate+storage+durations)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n", - "text": "`$FUNC` returns a pointer to the memory owned by `$VAR`. This pointer is invalid after `$VAR` goes out of scope, which can trigger a use after free." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.containers.std-return-data.std-return-data", - "id": "cpp.lang.security.containers.std-return-data.std-return-data", - "name": "cpp.lang.security.containers.std-return-data.std-return-data", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-416: Use After Free", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.containers.std-return-data.std-return-data" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value", - "id": "python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value", - "name": "python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.set-cookie-secure-unsafe-value.pyramid-set-cookie-secure-unsafe-value" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-boto3.tainted-flask-http-request-boto3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-boto3.tainted-flask-http-request-boto3", - "id": "python.flask.net.tainted-flask-http-request-boto3.tainted-flask-http-request-boto3", - "name": "python.flask.net.tainted-flask-http-request-boto3.tainted-flask-http-request-boto3", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-boto3.tainted-flask-http-request-boto3" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure S3 bucket object is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk", - "id": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk", - "name": "terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-s3-bucket-object-encrypted-with-cmk.aws-s3-bucket-object-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead" - }, - "help": { - "markdown": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n", - "text": "Hardcoded variable `TESTING` detected. Use environment variables or config files instead" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING", - "id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING", - "name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_TESTING" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks readme-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks readme-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.readme-api-token.readme-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks readme-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.readme-api-token.readme-api-token", - "id": "generic.secrets.gitleaks.readme-api-token.readme-api-token", - "name": "generic.secrets.gitleaks.readme-api-token.readme-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.readme-api-token.readme-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs." - }, - "help": { - "markdown": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Application redirects to a destination URL specified by a user-supplied parameter that is not validated. This could direct users to malicious locations. Consider using an allowlist to validate URLs." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", - "id": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", - "name": "java.lang.security.audit.unvalidated-redirect.unvalidated-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.unvalidated-redirect.unvalidated-redirect" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi-relationship.sqlalchemy-fastapi-relationship)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. Don't pass untrusted data to this relationship argument, it's getting passed to `eval`." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi-relationship.sqlalchemy-fastapi-relationship", - "id": "python.fastapi.db.sqlalchemy-fastapi-relationship.sqlalchemy-fastapi-relationship", - "name": "python.fastapi.db.sqlalchemy-fastapi-relationship.sqlalchemy-fastapi-relationship", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi-relationship.sqlalchemy-fastapi-relationship" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "help": { - "markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "helpUri": "https://semgrep.dev/r/scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret", - "id": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret", - "name": "scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.scala-jwt.security.jwt-hardcode.scala-jwt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'." - }, - "help": { - "markdown": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Insecure SMTP connection detected. This connection will trust any SSL certificate. Enable certificate verification by setting 'email.setSSLCheckServerIdentity(true)'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", - "id": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", - "name": "java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-297: Improper Validation of Certificate with Host Mismatch", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.insecure-smtp-connection.insecure-smtp-connection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that no IAM policies allow \"*\" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take." - }, - "help": { - "markdown": "Ensure that no IAM policies allow \"*\" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/StarActionPolicyDocument.py)\n", - "text": "Ensure that no IAM policies allow \"*\" as a statement's actions. This allows all actions to be performed on the specified resources, and is a violation of the principle of least privilege. Instead, specify the actions that a certain user or policy is allowed to take." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions", - "id": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions", - "name": "terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-star-actions.no-iam-star-actions" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function." - }, - "help": { - "markdown": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage)\n - [https://docs.python.org/3/library/typing.html#typing.get_type_hints](https://docs.python.org/3/library/typing.html#typing.get_type_hints)\n", - "text": "Annotations passed to `typing.get_type_hints` are evaluated in `globals` and `locals` namespaces. Make sure that no arbitrary value can be written as the annotation and passed to `typing.get_type_hints` function." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage", - "id": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage", - "name": "python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-annotations-usage.dangerous-annotations-usage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`" - }, - "help": { - "markdown": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Detected a user-controlled `filename` that could flow to `flask.send_file()` function. This could lead to an attacker reading arbitrary file from the system, leaking private information. Make sure to properly sanitize filename or use `flask.send_from_directory`" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization", - "id": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization", - "name": "python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-73: External Control of File Name or Path", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.secure-static-file-serve.avoid_send_file_without_path_sanitization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint.grpc-pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.sql.grpc-pg-sqli-taint.grpc-pg-sqli-taint", - "id": "go.grpc.sql.grpc-pg-sqli-taint.grpc-pg-sqli-taint", - "name": "go.grpc.sql.grpc-pg-sqli-taint.grpc-pg-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.sql.grpc-pg-sqli-taint.grpc-pg-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration lowers the minimum TLS version requirement for one or more domains. This potentially reduces the efficacy of the transport layer security, allowing for older, more vulnerable versions of TLS to be utilized." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration lowers the minimum TLS version requirement for one or more domains. This potentially reduces the efficacy of the transport layer security, allowing for older, more vulnerable versions of TLS to be utilized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-tls.ATS-minimum-tls-version)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration lowers the minimum TLS version requirement for one or more domains. This potentially reduces the efficacy of the transport layer security, allowing for older, more vulnerable versions of TLS to be utilized." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-tls.ATS-minimum-tls-version", - "id": "swift.insecure-communication.ats.ats-tls.ATS-minimum-tls-version", - "name": "swift.insecure-communication.ats.ats-tls.ATS-minimum-tls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-tls.ATS-minimum-tls-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "id": "kotlin.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "name": "kotlin.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Backticks use may lead to command injection vulnerabilities." - }, - "help": { - "markdown": "Backticks use may lead to command injection vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use)\n - [https://www.php.net/manual/en/language.operators.execution.php](https://www.php.net/manual/en/language.operators.execution.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/BackticksSniff.php)\n", - "text": "Backticks use may lead to command injection vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.backticks-use.backticks-use", - "id": "php.lang.security.backticks-use.backticks-use", - "name": "php.lang.security.backticks-use.backticks-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.backticks-use.backticks-use" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-shelve.tainted-shelve)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://docs.python.org/3/library/shelve.html](https://docs.python.org/3/library/shelve.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-shelve.tainted-shelve", - "id": "python.lang.deserialization.tainted-shelve.tainted-shelve", - "name": "python.lang.deserialization.tainted-shelve.tainted-shelve", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-shelve.tainted-shelve" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.command-injection.grpc-command-injection.grpc-http-command-injection-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/os/exec](https://pkg.go.dev/os/exec)\n - [https://pkg.go.dev/syscall#Exec](https://pkg.go.dev/syscall#Exec)\n - [https://semgrep.dev/docs/cheat-sheets/go-command-injection/](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/go.grpc.command-injection.grpc-command-injection.grpc-http-command-injection-taint", - "id": "go.grpc.command-injection.grpc-command-injection.grpc-http-command-injection-taint", - "name": "go.grpc.command-injection.grpc-command-injection.grpc-http-command-injection-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.command-injection.grpc-command-injection.grpc-http-command-injection-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected usage of weak crypto function. Consider using stronger alternatives." - }, - "help": { - "markdown": "Detected usage of weak crypto function. Consider using stronger alternatives.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.weak-crypto.weak-crypto)\n - [https://www.php.net/manual/en/book.sodium.php](https://www.php.net/manual/en/book.sodium.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/CryptoFunctionsSniff.php)\n", - "text": "Detected usage of weak crypto function. Consider using stronger alternatives." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.weak-crypto.weak-crypto", - "id": "php.lang.security.weak-crypto.weak-crypto", - "name": "php.lang.security.weak-crypto.weak-crypto", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.weak-crypto.weak-crypto" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks infracost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks infracost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.infracost-api-token.infracost-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks infracost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.infracost-api-token.infracost-api-token", - "id": "generic.secrets.gitleaks.infracost-api-token.infracost-api-token", - "name": "generic.secrets.gitleaks.infracost-api-token.infracost-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.infracost-api-token.infracost-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption." - }, - "help": { - "markdown": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-malloc-free.local-variable-malloc-free)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n", - "text": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-malloc-free.local-variable-malloc-free", - "id": "cpp.lang.security.use-after-free.local-variable-malloc-free.local-variable-malloc-free", - "name": "cpp.lang.security.use-after-free.local-variable-malloc-free.local-variable-malloc-free", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-416: Use After Free", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.use-after-free.local-variable-malloc-free.local-variable-malloc-free" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-ruamel-fastapi.tainted-ruamel-fastapi)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-ruamel-fastapi.tainted-ruamel-fastapi", - "id": "python.fastapi.deserialization.tainted-ruamel-fastapi.tainted-ruamel-fastapi", - "name": "python.fastapi.deserialization.tainted-ruamel-fastapi.tainted-ruamel-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-ruamel-fastapi.tainted-ruamel-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers." - }, - "help": { - "markdown": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx)\n - [https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities](https://blog.verichains.io/p/miner-project-attacked-by-vulnerabilities)\n - [https://x.com/shoucccc/status/1757777764646859121](https://x.com/shoucccc/status/1757777764646859121)\n", - "text": "Missing check for 'from' and 'to' being the same before updating balances could lead to incorrect balance manipulation on self-transfers. Include a check to ensure 'from' and 'to' are not the same before updating balances to prevent balance manipulation during self-transfers." - }, - "helpUri": "https://semgrep.dev/r/solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx", - "id": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx", - "name": "solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-682: Incorrect Calculation", - "HIGH CONFIDENCE", - "OWASP-A7:2021 Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.missing-self-transfer-check-ercx.missing-self-transfer-check-ercx" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading" - }, - "help": { - "markdown": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules)\n - [https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects](https://tanelp.github.io/posts/a-bug-that-plagues-thousands-of-open-source-ml-projects)\n", - "text": "Usage of NumPy library inside PyTorch `$MODULE` module was found. Avoid mixing these libraries for efficiency and proper ONNX loading" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules", - "id": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules", - "name": "trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules", - "properties": { - "precision": "very-high", - "tags": [ - "MEDIUM CONFIDENCE" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.numpy-in-pytorch-modules.numpy-in-pytorch-modules" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability." - }, - "help": { - "markdown": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected `os` function with argument tainted by `event` object. This is dangerous if external data can reach this function call because it allows a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-system-call.dangerous-system-call", - "id": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call", - "name": "python.aws-lambda.security.dangerous-system-call.dangerous-system-call", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.dangerous-system-call.dangerous-system-call" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure bucket logs access." - }, - "help": { - "markdown": "Ensure bucket logs access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging)\n - [https://docs.bridgecrew.io/docs/google-cloud-policy-index](https://docs.bridgecrew.io/docs/google-cloud-policy-index)\n", - "text": "Ensure bucket logs access." - }, - "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging", - "id": "terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging", - "name": "terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "MEDIUM CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "OWASP-A10:2017 - Insufficient Logging & Monitoring", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.gcp.security.gcp-cloud-storage-logging.gcp-cloud-storage-logging" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.sql.sqlx-taint.sqlx-taint", - "id": "rust.actix.sql.sqlx-taint.sqlx-taint", - "name": "rust.actix.sql.sqlx-taint.sqlx-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.sql.sqlx-taint.sqlx-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.empty-password.empty-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.postgres.empty-password.empty-password", - "id": "rust.secrets.postgres.empty-password.empty-password", - "name": "rust.secrets.postgres.empty-password.empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.postgres.empty-password.empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks messagebird-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks messagebird-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks messagebird-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id", - "id": "generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id", - "name": "generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.messagebird-client-id.messagebird-client-id" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block." - }, - "help": { - "markdown": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#min_tls_version)\n", - "text": "Detected an AppService that was not configured to use TLS 1.2. Add `site_config.min_tls_version = \"1.2\"` in your resource block." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy", - "id": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy", - "name": "terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-use-secure-tls-policy.appservice-use-secure-tls-policy" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.path-manipulation.path-manipulation)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO02-C.+Canonicalize+path+names+originating+from+tainted+sources](https://wiki.sei.cmu.edu/confluence/display/c/FIO02-C.+Canonicalize+path+names+originating+from+tainted+sources)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.filesystem.path-manipulation.path-manipulation", - "id": "cpp.lang.security.filesystem.path-manipulation.path-manipulation", - "name": "cpp.lang.security.filesystem.path-manipulation.path-manipulation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.filesystem.path-manipulation.path-manipulation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain." - }, - "help": { - "markdown": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/](https://mas.owasp.org/MASVS/controls/MASVS-STORAGE-1/)\n", - "text": "Potentially sensitive data was observed to be stored in UserDefaults, which is not adequate protection of sensitive information. For data of a sensitive nature, applications should leverage the Keychain." - }, - "helpUri": "https://semgrep.dev/r/swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults", - "id": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults", - "name": "swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.lang.storage.sensitive-storage-userdefaults.swift-user-defaults" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML." - }, - "help": { - "markdown": "Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse)\n - [https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render](https://docs.djangoproject.com/en/3.1/intro/tutorial03/#a-shortcut-render)\n - [https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.1/topics/http/shortcuts/#render)\n", - "text": "Detected data rendered directly to the end user via 'HttpResponse' or a similar object. This bypasses Django's built-in cross-site scripting (XSS) defenses and could result in an XSS vulnerability. Use Django's template engine to safely render HTML." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse", - "id": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse", - "name": "python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.direct-use-of-httpresponse.direct-use-of-httpresponse" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.python-requests-oauth-hardcoded-secret.python-requests-oauth-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.requests.python-requests-oauth-hardcoded-secret.python-requests-oauth-hardcoded-secret", - "id": "python.requests.python-requests-oauth-hardcoded-secret.python-requests-oauth-hardcoded-secret", - "name": "python.requests.python-requests-oauth-hardcoded-secret.python-requests-oauth-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.requests.python-requests-oauth-hardcoded-secret.python-requests-oauth-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.faraday.ruby-faraday-hardcoded-uri-secret.ruby-faraday-hardcoded-uri-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.faraday.ruby-faraday-hardcoded-uri-secret.ruby-faraday-hardcoded-uri-secret", - "id": "ruby.faraday.ruby-faraday-hardcoded-uri-secret.ruby-faraday-hardcoded-uri-secret", - "name": "ruby.faraday.ruby-faraday-hardcoded-uri-secret.ruby-faraday-hardcoded-uri-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.faraday.ruby-faraday-hardcoded-uri-secret.ruby-faraday-hardcoded-uri-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "help": { - "markdown": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", - "text": "Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", - "id": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", - "name": "java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli)\n - [https://github.com/brianmario/mysql2](https://github.com/brianmario/mysql2)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use sanitize statements like so: `escaped = client.escape(user_input)`" - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli", - "id": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli", - "name": "ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.mysql2-sqli.mysql2-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-hdf.tainted-pandas-hdf)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-pandas-hdf.tainted-pandas-hdf", - "id": "python.lang.deserialization.tainted-pandas-hdf.tainted-pandas-hdf", - "name": "python.lang.deserialization.tainted-pandas-hdf.tainted-pandas-hdf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-pandas-hdf.tainted-pandas-hdf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks." - }, - "help": { - "markdown": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token)\n - [https://docs.djangoproject.com/en/4.2/howto/csrf/](https://docs.djangoproject.com/en/4.2/howto/csrf/)\n", - "text": "Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.django-no-csrf-token.django-no-csrf-token", - "id": "python.django.security.django-no-csrf-token.django-no-csrf-token", - "name": "python.django.security.django-no-csrf-token.django-no-csrf-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.django-no-csrf-token.django-no-csrf-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Do not use `sizeof(this)` to get the number of bytes of the object in memory. It returns the size of the pointer, not the size of the object." - }, - "help": { - "markdown": "Do not use `sizeof(this)` to get the number of bytes of the object in memory. It returns the size of the pointer, not the size of the object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.correctness.sizeof-this.sizeof-this)\n - [https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array](https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array)\n", - "text": "Do not use `sizeof(this)` to get the number of bytes of the object in memory. It returns the size of the pointer, not the size of the object." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.correctness.sizeof-this.sizeof-this", - "id": "cpp.lang.correctness.sizeof-this.sizeof-this", - "name": "cpp.lang.correctness.sizeof-this.sizeof-this", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-467: Use of sizeof() on a Pointer Type", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.correctness.sizeof-this.sizeof-this" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'." - }, - "help": { - "markdown": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/template_injection/index.markdown)\n", - "text": "Detected manual creation of an ERB template. Manual creation of templates may expose your application to server-side template injection (SSTI) or cross-site scripting (XSS) attacks if user input is used to create the template. Instead, create a '.erb' template file and use 'render'." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation", - "id": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation", - "name": "ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.manual-template-creation.manual-template-creation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service '$SERVICE' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this." - }, - "help": { - "markdown": "Service '$SERVICE' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir](https://docs.docker.com/compose/compose-file/compose-file-v3/#domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir)\n - [https://blog.atomist.com/security-of-docker-kubernetes/](https://blog.atomist.com/security-of-docker-kubernetes/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only)\n", - "text": "Service '$SERVICE' is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'read_only: true' to this service to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service", - "id": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service", - "name": "yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.writable-filesystem-service.writable-filesystem-service" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", - "id": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", - "name": "javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jose.security.jwt-hardcode.hardcoded-jwt-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." - }, - "help": { - "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Call '.verify()' before using the token." - }, - "helpUri": "https://semgrep.dev/r/java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", - "id": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", - "name": "java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-345: Insufficient Verification of Data Authenticity", - "MEDIUM CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.java-jwt.security.audit.jwt-decode-without-verify.java-jwt-decode-without-verify" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.deserialization.tainted-shelve-django.tainted-shelve-django)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://docs.python.org/3/library/shelve.html](https://docs.python.org/3/library/shelve.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.django.deserialization.tainted-shelve-django.tainted-shelve-django", - "id": "python.django.deserialization.tainted-shelve-django.tainted-shelve-django", - "name": "python.django.deserialization.tainted-shelve-django.tainted-shelve-django", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.deserialization.tainted-shelve-django.tainted-shelve-django" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "blockhash(block.number) and blockhash(block.number + N) always returns 0." - }, - "help": { - "markdown": "blockhash(block.number) and blockhash(block.number + N) always returns 0.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash)\n - [https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620](https://blog.positive.com/predicting-random-numbers-in-ethereum-smart-contracts-e5358c6b8620)\n", - "text": "blockhash(block.number) and blockhash(block.number + N) always returns 0." - }, - "helpUri": "https://semgrep.dev/r/solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash", - "id": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash", - "name": "solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-341: Predictable from Observable State", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.incorrect-use-of-blockhash.incorrect-use-of-blockhash" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"<%= expr %>\"." - }, - "help": { - "markdown": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"<%= expr %>\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#unquoted-attributes)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss)\n", - "text": "Detected a unquoted template variable as an attribute. If unquoted, a malicious actor could inject custom JavaScript handlers. To fix this, add quotes around the template expression, like this: \"<%= expr %>\"." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute", - "id": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute", - "name": "ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.unquoted-attribute.unquoted-attribute" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "args should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"" - }, - "help": { - "markdown": "args should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.args.args)\n - [https://doc.rust-lang.org/stable/std/env/fn.args.html](https://doc.rust-lang.org/stable/std/env/fn.args.html)\n", - "text": "args should not be used for security operations. From the docs: \"The first element is traditionally the path of the executable, but it can be set to arbitrary text, and might not even exist. This means this property should not be relied upon for security purposes.\"" - }, - "helpUri": "https://semgrep.dev/r/rust.lang.security.args.args", - "id": "rust.lang.security.args.args", - "name": "rust.lang.security.args.args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-807: Reliance on Untrusted Inputs in a Security Decision", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.lang.security.args.args" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks bitbucket-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks bitbucket-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks bitbucket-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id", - "id": "generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id", - "name": "generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.bitbucket-client-id.bitbucket-client-id" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint", - "id": "go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint", - "name": "go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gin.nosql.gin-mongo-nosql-taint.gin-mongo-nosqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. If this is intentional, remember that with `WTF_CSRF_CHECK_DEFAULT` set to `False` the CSRF tokens are still enabled and included, but the check no longer happens automatically, which weakens the security of the application. Doing the check manually requires a call to `csrf.protect()` before handling the request. An appropriate place to do this is a `@app.before_request` decorated function." - }, - "help": { - "markdown": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. If this is intentional, remember that with `WTF_CSRF_CHECK_DEFAULT` set to `False` the CSRF tokens are still enabled and included, but the check no longer happens automatically, which weakens the security of the application. Doing the check manually requires a call to `csrf.protect()` before handling the request. An appropriate place to do this is a `@app.before_request` decorated function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-wtf-csrf-check-default-false.flask-wtf-csrf-check-default-false)\n - [https://flask-wtf.readthedocs.io/en/1.2.x/config/](https://flask-wtf.readthedocs.io/en/1.2.x/config/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. If this is intentional, remember that with `WTF_CSRF_CHECK_DEFAULT` set to `False` the CSRF tokens are still enabled and included, but the check no longer happens automatically, which weakens the security of the application. Doing the check manually requires a call to `csrf.protect()` before handling the request. An appropriate place to do this is a `@app.before_request` decorated function." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-wtf-csrf-check-default-false.flask-wtf-csrf-check-default-false", - "id": "python.flask.web.flask-wtf-csrf-check-default-false.flask-wtf-csrf-check-default-false", - "name": "python.flask.web.flask-wtf-csrf-check-default-false.flask-wtf-csrf-check-default-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-wtf-csrf-check-default-false.flask-wtf-csrf-check-default-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." - }, - "help": { - "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use HMAC instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-md5.use-of-md5", - "id": "java.lang.security.audit.crypto.use-of-md5.use-of-md5", - "name": "java.lang.security.audit.crypto.use-of-md5.use-of-md5", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-md5.use-of-md5" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources." - }, - "help": { - "markdown": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources." - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-eval.tainted-eval", - "id": "javascript.aws-lambda.security.tainted-eval.tainted-eval", - "name": "javascript.aws-lambda.security.tainted-eval.tainted-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.tainted-eval.tainted-eval" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block." - }, - "help": { - "markdown": "The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md)\n", - "text": "The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.header-redefinition.header-redefinition", - "id": "generic.nginx.security.header-redefinition.header-redefinition", - "name": "generic.nginx.security.header-redefinition.header-redefinition", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-16: CWE CATEGORY: Configuration", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.header-redefinition.header-redefinition" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.command-injection.gorilla-command-injection-taint.gorilla-command-injection-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/os/exec](https://pkg.go.dev/os/exec)\n - [https://pkg.go.dev/syscall#Exec](https://pkg.go.dev/syscall#Exec)\n - [https://semgrep.dev/docs/cheat-sheets/go-command-injection/](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.command-injection.gorilla-command-injection-taint.gorilla-command-injection-taint", - "id": "go.gorilla.command-injection.gorilla-command-injection-taint.gorilla-command-injection-taint", - "name": "go.gorilla.command-injection.gorilla-command-injection-taint.gorilla-command-injection-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.command-injection.gorilla-command-injection-taint.gorilla-command-injection-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "help": { - "markdown": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.open-redirect.open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n", - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.open-redirect.open-redirect", - "id": "javascript.browser.open-redirect.open-redirect", - "name": "javascript.browser.open-redirect.open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.open-redirect.open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Dangerously accepting invalid TLS information" - }, - "help": { - "markdown": "Dangerously accepting invalid TLS information\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_hostnames)\n - [https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs](https://docs.rs/reqwest/latest/reqwest/struct.ClientBuilder.html#method.danger_accept_invalid_certs)\n", - "text": "Dangerously accepting invalid TLS information" - }, - "helpUri": "https://semgrep.dev/r/rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid", - "id": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid", - "name": "rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.lang.security.reqwest-accept-invalid.reqwest-accept-invalid" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation." - }, - "help": { - "markdown": "Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Flags cases of possible path traversal. If an unfiltered parameter is passed into 'fromFile', file from an arbitrary filesystem location could be read. This could lead to sensitive data exposure and other provles. Instead, sanitize the user input instead of performing direct string concatenation." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile", - "id": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile", - "name": "scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.path-traversal-fromfile.path-traversal-fromfile" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "help": { - "markdown": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use)\n - [https://www.php.net/manual/en/function.unlink](https://www.php.net/manual/en/function.unlink)\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\n", - "text": "Using user input when deleting files with `unlink()` is potentially dangerous. A malicious actor could use this to modify or access files they have no right to." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.unlink-use.unlink-use", - "id": "php.lang.security.unlink-use.unlink-use", - "name": "php.lang.security.unlink-use.unlink-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.unlink-use.unlink-use" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", - "id": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", - "name": "java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.java-jwt.security.jwt-hardcode.java-jwt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application stores potentially sensitive information in log files. This could lead to a vulnerability, if an attacker can gain access to logs and then use the sensitive information to perform further attacks. When dealing with HTTP requests, sensitive data could be, for instance, JWT tokens or other session identifiers. To prevent this vulnerability review the type of information being logged. Sensitive information can be identified and filtered or obfuscated before calling logging functions." - }, - "help": { - "markdown": "The application stores potentially sensitive information in log files. This could lead to a vulnerability, if an attacker can gain access to logs and then use the sensitive information to perform further attacks. When dealing with HTTP requests, sensitive data could be, for instance, JWT tokens or other session identifiers. To prevent this vulnerability review the type of information being logged. Sensitive information can be identified and filtered or obfuscated before calling logging functions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.log-http-headers.log-request-headers)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n", - "text": "The application stores potentially sensitive information in log files. This could lead to a vulnerability, if an attacker can gain access to logs and then use the sensitive information to perform further attacks. When dealing with HTTP requests, sensitive data could be, for instance, JWT tokens or other session identifiers. To prevent this vulnerability review the type of information being logged. Sensitive information can be identified and filtered or obfuscated before calling logging functions." - }, - "helpUri": "https://semgrep.dev/r/java.spring.log-http-headers.log-request-headers", - "id": "java.spring.log-http-headers.log-request-headers", - "name": "java.spring.log-http-headers.log-request-headers", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-532: Insertion of Sensitive Information into Log File", - "HIGH CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.log-http-headers.log-request-headers" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument." - }, - "help": { - "markdown": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb)\n", - "text": "pdb.set_trace() with the header argument is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use set_trace() without the header argument." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-pdb", - "id": "python.lang.compatibility.python37.python37-compatibility-pdb", - "name": "python.lang.compatibility.python37.python37-compatibility-pdb", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-pdb" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "help": { - "markdown": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications](https://stackoverflow.com/questions/26504653/is-it-possible-to-disable-sslv3-for-all-java-applications)\n", - "text": "Detects setting client protocols to insecure versions of TLS and SSL. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2", - "id": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2", - "name": "problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.disallow-old-tls-versions2.disallow-old-tls-versions2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "help": { - "markdown": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-3)\n", - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-3", - "id": "gitlab.find_sec_bugs.HARD_CODE_KEY-3", - "name": "gitlab.find_sec_bugs.HARD_CODE_KEY-3", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-321: Use of Hard-coded Cryptographic Key", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: gitlab.find_sec_bugs.HARD_CODE_KEY-3" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jdo.javax.secrets.hardcoded-connection-password.hardcoded-connection-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://db.apache.org/jdo/api30/apidocs/javax/jdo/PersistenceManagerFactory.html](https://db.apache.org/jdo/api30/apidocs/javax/jdo/PersistenceManagerFactory.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jdo.javax.secrets.hardcoded-connection-password.hardcoded-connection-password", - "id": "java.jdo.javax.secrets.hardcoded-connection-password.hardcoded-connection-password", - "name": "java.jdo.javax.secrets.hardcoded-connection-password.hardcoded-connection-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jdo.javax.secrets.hardcoded-connection-password.hardcoded-connection-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymysql.python-pymysql-empty-password.python-pymysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.pymysql.python-pymysql-empty-password.python-pymysql-empty-password", - "id": "python.pymysql.python-pymysql-empty-password.python-pymysql-empty-password", - "name": "python.pymysql.python-pymysql-empty-password.python-pymysql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymysql.python-pymysql-empty-password.python-pymysql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.java-sql-sqli.java-sql-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.java-sql-sqli.java-sql-sqli", - "id": "java.spring.security.java-sql-sqli.java-sql-sqli", - "name": "java.spring.security.java-sql-sqli.java-sql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.java-sql-sqli.java-sql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you're doing." - }, - "help": { - "markdown": "Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you're doing.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.unsafe.use-of-unsafe-block)\n - [https://cwe.mitre.org/data/definitions/242.html](https://cwe.mitre.org/data/definitions/242.html)\n", - "text": "Using the unsafe package in Go gives you low-level memory management and many of the strengths of the C language, but also steps around the type safety of Go and can lead to buffer overflows and possible arbitrary code execution by an attacker. Only use this package if you absolutely know what you're doing." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.unsafe.use-of-unsafe-block", - "id": "go.lang.security.audit.unsafe.use-of-unsafe-block", - "name": "go.lang.security.audit.unsafe.use-of-unsafe-block", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-242: Use of Inherently Dangerous Function", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.unsafe.use-of-unsafe-block" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-hardcoded-uri.jedis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jedis.secrets.jedis-hardcoded-uri.jedis-hardcoded-uri", - "id": "java.jedis.secrets.jedis-hardcoded-uri.jedis-hardcoded-uri", - "name": "java.jedis.secrets.jedis-hardcoded-uri.jedis-hardcoded-uri", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jedis.secrets.jedis-hardcoded-uri.jedis-hardcoded-uri" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mongo.ruby-mongo-empty-password.ruby-mongo-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/ruby.mongo.ruby-mongo-empty-password.ruby-mongo-empty-password", - "id": "ruby.mongo.ruby-mongo-empty-password.ruby-mongo-empty-password", - "name": "ruby.mongo.ruby-mongo-empty-password.ruby-mongo-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.mongo.ruby-mongo-empty-password.ruby-mongo-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "help": { - "markdown": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/scalaj/scalaj-http#simplified-http](https://github.com/scalaj/scalaj-http#simplified-http)\n", - "text": "A parameter being passed directly into `Http` can likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf", - "id": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf", - "name": "scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.scalaj-http-ssrf.scalaj-http-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'input_line' leaves a '\\r' (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning." - }, - "help": { - "markdown": "'input_line' leaves a '\\r' (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line)\n", - "text": "'input_line' leaves a '\\r' (CR) character when reading lines from a Windows text file, whose lines end in \"\\r\\n\" (CRLF). This is a problem for any Windows file that is being read either on a Unix-like platform or on Windows in binary mode. If the code already takes care of removing any trailing '\\r' after reading the line, add a '(* nosemgrep *)' comment to disable this warning." - }, - "helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.broken-input-line", - "id": "ocaml.lang.portability.crlf-support.broken-input-line", - "name": "ocaml.lang.portability.crlf-support.broken-input-line", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: ocaml.lang.portability.crlf-support.broken-input-line" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-empty-password.python-mariadb-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.mariadb.python-mariadb-empty-password.python-mariadb-empty-password", - "id": "python.mariadb.python-mariadb-empty-password.python-mariadb-empty-password", - "name": "python.mariadb.python-mariadb-empty-password.python-mariadb-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.mariadb.python-mariadb-empty-password.python-mariadb-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service" - }, - "help": { - "markdown": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil)\n - [https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658](https://github.com/golang/go/blob/go1.15.2/src/net/rpc/server.go#L643-L658)\n", - "text": "The `func ($O *$CODEC) ReadRequestBody($ARG $TYPE) error` function does not handle `nil` argument, as the `ServerCodec` interface requires. An incorrect implementation could lead to denial of service" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil", - "id": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil", - "name": "trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-476: NULL Pointer Dereference", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.servercodec-readrequestbody-unhandled-nil.servercodec-readrequestbody-unhandled-nil" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks bittrex-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks bittrex-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks bittrex-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key", - "id": "generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key", - "name": "generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.bittrex-secret-key.bittrex-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.urlconnection-hardcoded-secret-in-request-header.urlconnection-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.net.http.urlconnection-hardcoded-secret-in-request-header.urlconnection-hardcoded-secret-in-request-header", - "id": "java.lang.security.net.http.urlconnection-hardcoded-secret-in-request-header.urlconnection-hardcoded-secret-in-request-header", - "name": "java.lang.security.net.http.urlconnection-hardcoded-secret-in-request-header.urlconnection-hardcoded-secret-in-request-header", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.net.http.urlconnection-hardcoded-secret-in-request-header.urlconnection-hardcoded-secret-in-request-header" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties." - }, - "help": { - "markdown": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "URL rewriting has significant security risks. Since session ID appears in the URL, it may be easily seen by third parties." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.url-rewriting.url-rewriting", - "id": "java.lang.security.audit.url-rewriting.url-rewriting", - "name": "java.lang.security.audit.url-rewriting.url-rewriting", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.url-rewriting.url-rewriting" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument." - }, - "help": { - "markdown": "Found usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1)\n", - "text": "Found usage of the 'monetary' argument in a function call of 'locale.format_string'. This is only available on Python 3.7+ and is therefore not backwards compatible. Instead, remove the 'monetary' argument." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-locale1", - "id": "python.lang.compatibility.python37.python37-compatibility-locale1", - "name": "python.lang.compatibility.python37.python37-compatibility-locale1", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-locale1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-html-string.tainted-html-string", - "id": "python.aws-lambda.security.tainted-html-string.tainted-html-string", - "name": "python.aws-lambda.security.tainted-html-string.tainted-html-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.tainted-html-string.tainted-html-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.command-injection.tainted-system-command.tainted-system-command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.command-injection.tainted-system-command.tainted-system-command", - "id": "java.spring.command-injection.tainted-system-command.tainted-system-command", - "name": "java.spring.command-injection.tainted-system-command.tainted-system-command", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.command-injection.tainted-system-command.tainted-system-command" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead." - }, - "help": { - "markdown": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn)\n - [https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s](https://us-cert.cisa.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s)\n", - "text": "Avoid 'gets()'. This function does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' or 'gets_s()' instead." - }, - "helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn", - "id": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn", - "name": "c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-676: Use of Potentially Dangerous Function", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: c.lang.security.insecure-use-gets-fn.insecure-use-gets-fn" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Amazon MWS Auth Token detected" - }, - "help": { - "markdown": "Amazon MWS Auth Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Amazon MWS Auth Token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token", - "id": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token", - "name": "generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-amazon-mws-auth-token.detected-amazon-mws-auth-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-url-to-httpful.tainted-url-to-httpful)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/nategood/httpful](https://github.com/nategood/httpful)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.tainted-url-to-httpful.tainted-url-to-httpful", - "id": "php.lang.security.tainted-url-to-httpful.tainted-url-to-httpful", - "name": "php.lang.security.tainted-url-to-httpful.tainted-url-to-httpful", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.tainted-url-to-httpful.tainted-url-to-httpful" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the use of `$METHOD(\"$VALUE\")` which is considered a weak cryptographic algorithm. Where possible, leverage the industry standard recommendation which is to use a block cipher such as `AES` with at least `128-bit` strength, an example of a secure algorithm is `AES-256-GCM`. If your company has its own guidelines, you should follow your company's internal best practices." - }, - "help": { - "markdown": "Detected the use of `$METHOD(\"$VALUE\")` which is considered a weak cryptographic algorithm. Where possible, leverage the industry standard recommendation which is to use a block cipher such as `AES` with at least `128-bit` strength, an example of a secure algorithm is `AES-256-GCM`. If your company has its own guidelines, you should follow your company's internal best practices.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.weak-symmetric-algorithm.weak-symmetric-algorithm)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected the use of `$METHOD(\"$VALUE\")` which is considered a weak cryptographic algorithm. Where possible, leverage the industry standard recommendation which is to use a block cipher such as `AES` with at least `128-bit` strength, an example of a secure algorithm is `AES-256-GCM`. If your company has its own guidelines, you should follow your company's internal best practices." - }, - "helpUri": "https://semgrep.dev/r/javascript.crypto.weak-symmetric-algorithm.weak-symmetric-algorithm", - "id": "javascript.crypto.weak-symmetric-algorithm.weak-symmetric-algorithm", - "name": "javascript.crypto.weak-symmetric-algorithm.weak-symmetric-algorithm", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.crypto.weak-symmetric-algorithm.weak-symmetric-algorithm" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable." - }, - "help": { - "markdown": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key)\n - [https://rules.sonarsource.com/javascript/RSPEC-2068](https://rules.sonarsource.com/javascript/RSPEC-2068)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#key-management)\n", - "text": "Detected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key", - "id": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key", - "name": "javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.hardcoded-hmac-key.hardcoded-hmac-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside Command. Audit the input to 'exec.Command'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-command.dangerous-exec-command", - "id": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command", - "name": "go.lang.security.audit.dangerous-exec-command.dangerous-exec-command", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.intra42-client-secret.intra42-client-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks intra42-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.intra42-client-secret.intra42-client-secret", - "id": "generic.secrets.gitleaks.intra42-client-secret.intra42-client-secret", - "name": "generic.secrets.gitleaks.intra42-client-secret.intra42-client-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.intra42-client-secret.intra42-client-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Externally controlled data influences a format string. This can allow an attacker to leak information from memory or trigger memory corruption. Format strings should be constant strings to prevent these issues. If you need to print a user-controlled string then you can use `%s`." - }, - "help": { - "markdown": "Externally controlled data influences a format string. This can allow an attacker to leak information from memory or trigger memory corruption. Format strings should be constant strings to prevent these issues. If you need to print a user-controlled string then you can use `%s`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.format-string.format-string-injection.format-string-injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings](https://wiki.sei.cmu.edu/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings)\n", - "text": "Externally controlled data influences a format string. This can allow an attacker to leak information from memory or trigger memory corruption. Format strings should be constant strings to prevent these issues. If you need to print a user-controlled string then you can use `%s`." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.format-string.format-string-injection.format-string-injection", - "id": "cpp.lang.security.format-string.format-string-injection.format-string-injection", - "name": "cpp.lang.security.format-string.format-string-injection.format-string-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-134: Use of Externally-Controlled Format String", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.format-string.format-string-injection.format-string-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "help": { - "markdown": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.pickle.avoid-pickle", - "id": "python.lang.security.deserialization.pickle.avoid-pickle", - "name": "python.lang.security.deserialization.pickle.avoid-pickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.pickle.avoid-pickle" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-marshal-fastapi.tainted-marshal-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-marshal-fastapi.tainted-marshal-fastapi", - "id": "python.fastapi.deserialization.tainted-marshal-fastapi.tainted-marshal-fastapi", - "name": "python.fastapi.deserialization.tainted-marshal-fastapi.tainted-marshal-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-marshal-fastapi.tainted-marshal-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.sqli.csharp-sqli.csharp-sqli", - "id": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli", - "name": "csharp.lang.security.sqli.csharp-sqli.csharp-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.sqli.csharp-sqli.csharp-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Stripe Restricted API Key detected" - }, - "help": { - "markdown": "Stripe Restricted API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Stripe Restricted API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", - "id": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", - "name": "generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-stripe-restricted-api-key.detected-stripe-restricted-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-empty-password.ruby-redis-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/ruby.redis.ruby-redis-empty-password.ruby-redis-empty-password", - "id": "ruby.redis.ruby-redis-empty-password.ruby-redis-empty-password", - "name": "ruby.redis.ruby-redis-empty-password.ruby-redis-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.redis.ruby-redis-empty-password.ruby-redis-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks alibaba-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks alibaba-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks alibaba-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key", - "id": "generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key", - "name": "generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.alibaba-secret-key.alibaba-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem." - }, - "help": { - "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html](https://tools.ietf.org/id/draft-lvelvindron-tls-md5-sha1-deprecate-01.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n", - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Instead, use a suitable password hashing function such as bcrypt. You can use the `bcrypt` gem." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.md5-used-as-password.md5-used-as-password", - "id": "ruby.lang.security.md5-used-as-password.md5-used-as-password", - "name": "ruby.lang.security.md5-used-as-password.md5-used-as-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.md5-used-as-password.md5-used-as-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The size parameter to `snprintf` is derived from the source data, not the destination buffer. This may trigger a buffer overflow and memory corruption if `$SRC` is larger than `$DEST`." - }, - "help": { - "markdown": "The size parameter to `snprintf` is derived from the source data, not the destination buffer. This may trigger a buffer overflow and memory corruption if `$SRC` is larger than `$DEST`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.snprintf-source-size.snprintf-source-size)\n - [https://cwe.mitre.org/data/definitions/787.html](https://cwe.mitre.org/data/definitions/787.html)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n", - "text": "The size parameter to `snprintf` is derived from the source data, not the destination buffer. This may trigger a buffer overflow and memory corruption if `$SRC` is larger than `$DEST`." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.snprintf-source-size.snprintf-source-size", - "id": "cpp.lang.security.strings.snprintf-source-size.snprintf-source-size", - "name": "cpp.lang.security.strings.snprintf-source-size.snprintf-source-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-787: Out-of-bounds Write", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.snprintf-source-size.snprintf-source-size" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.path-traversal.file-taint.file-taint)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.path-traversal.file-taint.file-taint", - "id": "csharp.dotnet-core.path-traversal.file-taint.file-taint", - "name": "csharp.dotnet-core.path-traversal.file-taint.file-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.path-traversal.file-taint.file-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "help": { - "markdown": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected MD2 hash algorithm which is considered insecure. MD2 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2", - "id": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2", - "name": "python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md2.insecure-hash-algorithm-md2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied." - }, - "help": { - "markdown": "Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Hardcoded password is used as a default argument to '$FUNC'. This could be dangerous if a real password is not supplied." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument", - "id": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument", - "name": "python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.hardcoded-password-default-argument.hardcoded-password-default-argument" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below." - }, - "help": { - "markdown": "Found usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn)\n", - "text": "Found usage of the 'blocksize' argument in a HTTPSConnection call. This is only available on Python 3.7+ and is therefore not backwards compatible. Remove this in order for this code to work in Python 3.6 and below." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-httpsconn", - "id": "python.lang.compatibility.python37.python37-compatibility-httpsconn", - "name": "python.lang.compatibility.python37.python37-compatibility-httpsconn", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-httpsconn" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pgx-sqli-taint-med-conf.pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "helpUri": "https://semgrep.dev/r/go.net.sql.pgx-sqli-taint-med-conf.pgx-sqli-taint-med-conf", - "id": "go.net.sql.pgx-sqli-taint-med-conf.pgx-sqli-taint-med-conf", - "name": "go.net.sql.pgx-sqli-taint-med-conf.pgx-sqli-taint-med-conf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.sql.pgx-sqli-taint-med-conf.pgx-sqli-taint-med-conf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Running flask app with host 0.0.0.0 could expose the server publicly." - }, - "help": { - "markdown": "Running flask app with host 0.0.0.0 could expose the server publicly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Running flask app with host 0.0.0.0 could expose the server publicly." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host", - "id": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host", - "name": "python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-668: Exposure of Resource to Wrong Sphere", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.app-run-param-config.avoid_app_run_with_bad_host" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-missing.fastapi-cookie-httponly-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-missing.fastapi-cookie-httponly-missing", - "id": "python.fastapi.web.fastapi-cookie-httponly-missing.fastapi-cookie-httponly-missing", - "name": "python.fastapi.web.fastapi-cookie-httponly-missing.fastapi-cookie-httponly-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-missing.fastapi-cookie-httponly-missing" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`." - }, - "help": { - "markdown": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization)\n - [https://www.npmjs.com/package/dompurify](https://www.npmjs.com/package/dompurify)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Detected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`." - }, - "helpUri": "https://semgrep.dev/r/javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization", - "id": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization", - "name": "javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.audit.detect-replaceall-sanitization.detect-replaceall-sanitization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0" - }, - "help": { - "markdown": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.infinitematchtimeout)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0)\n", - "text": "Specifying the regex timeout leaves the system vulnerable to a regex-based Denial of Service (DoS) attack. Consider setting the timeout to a short amount of time like 2 or 3 seconds. If you are sure you need an infinite timeout, double check that your context meets the conditions outlined in the \"Notes to Callers\" section at the bottom of this page: https://docs.microsoft.com/en-us/dotnet/api/system.text.regularexpressions.regex.-ctor?view=net-6.0" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", - "id": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", - "name": "csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.regular-expression-dos.regular-expression-dos-infinite-timeout.regular-expression-dos-infinite-timeout" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli)\n - [https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql](https://guides.rubyonrails.org/active_record_querying.html#finding-by-sql)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `Example.find_by_sql [\"SELECT title FROM posts WHERE author = ? AND created > ?\", author_id, start_date]`" - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli", - "id": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli", - "name": "ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.activerecord-sqli.activerecord-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`readlink` does not NULL terminate the output buffer. This expression expects a NULL terminated string and will trigger an out-of-bounds read." - }, - "help": { - "markdown": "`readlink` does not NULL terminate the output buffer. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.readlink-null-terminator.readlink-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n", - "text": "`readlink` does not NULL terminate the output buffer. This expression expects a NULL terminated string and will trigger an out-of-bounds read." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.readlink-null-terminator.readlink-null-terminator", - "id": "cpp.lang.security.strings.readlink-null-terminator.readlink-null-terminator", - "name": "cpp.lang.security.strings.readlink-null-terminator.readlink-null-terminator", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.readlink-null-terminator.readlink-null-terminator" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "help": { - "markdown": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A Spring expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-jsp-eval.spring-jsp-eval", - "id": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval", - "name": "java.spring.security.audit.spring-jsp-eval.spring-jsp-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.audit.spring-jsp-eval.spring-jsp-eval" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n - [https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html](https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `render template` and make template files which will safely render HTML instead, or inspect that the HTML is absolutely rendered safely with a function like `sanitize`." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.raw-html-format.raw-html-format", - "id": "ruby.rails.security.injection.raw-html-format.raw-html-format", - "name": "ruby.rails.security.injection.raw-html-format.raw-html-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.injection.raw-html-format.raw-html-format" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.command-injection.rust-actix-command-injection.rust-actix-command-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.command-injection.rust-actix-command-injection.rust-actix-command-injection", - "id": "rust.actix.command-injection.rust-actix-command-injection.rust-actix-command-injection", - "name": "rust.actix.command-injection.rust-actix-command-injection.rust-actix-command-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.command-injection.rust-actix-command-injection.rust-actix-command-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected asyncio subprocess function with user controlled data. You may consider using 'shlex.escape()'." - }, - "help": { - "markdown": "Detected asyncio subprocess function with user controlled data. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args)\n - [https://docs.python.org/3/library/asyncio-subprocess.html](https://docs.python.org/3/library/asyncio-subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Detected asyncio subprocess function with user controlled data. You may consider using 'shlex.escape()'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args", - "id": "python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args", - "name": "python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-asyncio-shell-tainted-env-args.dangerous-asyncio-shell-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-saxbuilder-xxe-spring.tainted-saxbuilder-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.xxe.tainted-saxbuilder-xxe-spring.tainted-saxbuilder-xxe-spring", - "id": "java.spring.security.xxe.tainted-saxbuilder-xxe-spring.tainted-saxbuilder-xxe-spring", - "name": "java.spring.security.xxe.tainted-saxbuilder-xxe-spring.tainted-saxbuilder-xxe-spring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.xxe.tainted-saxbuilder-xxe-spring.tainted-saxbuilder-xxe-spring" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.path-traversal.net-http-path-traversal-taint.net-http-path-traversal-taint)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Go, it is possible to sanitize user input and mitigate path traversal by using the built-in `filepath.Clean` function." - }, - "helpUri": "https://semgrep.dev/r/go.net.path-traversal.net-http-path-traversal-taint.net-http-path-traversal-taint", - "id": "go.net.path-traversal.net-http-path-traversal-taint.net-http-path-traversal-taint", - "name": "go.net.path-traversal.net-http-path-traversal-taint.net-http-path-traversal-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.path-traversal.net-http-path-traversal-taint.net-http-path-traversal-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie." - }, - "help": { - "markdown": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n", - "text": "A session cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie which mitigates XSS attacks. Set the 'HttpOnly' flag by setting 'HttpOnly' to 'true' in the Cookie." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly", - "id": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly", - "name": "go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-httponly.cookie-missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption." - }, - "help": { - "markdown": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key)\n - [https://cwe.mitre.org/data/definitions/327.html](https://cwe.mitre.org/data/definitions/327.html)\n - [https://cwe.mitre.org/data/definitions/310.html](https://cwe.mitre.org/data/definitions/310.html)\n", - "text": "Potential empty AES encryption key. Using an empty key in AES encryption can result in weak encryption and may allow attackers to easily decrypt sensitive data. Ensure that a strong, non-empty key is used for AES encryption." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.empty-aes-key.empty-aes-key", - "id": "python.cryptography.security.empty-aes-key.empty-aes-key", - "name": "python.cryptography.security.empty-aes-key.empty-aes-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-310: Cryptographic Issues", - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A6:2017 misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.empty-aes-key.empty-aes-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application appears to have disabled the CSRF token verification middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by enforcing usage and verification of the CSRF tokens associated with user requests. To enable the CSRF token verification middleware add `\\$APP\\Http\\Middleware\\VerifyCsrfToken` to the middleware group in your `$APP\\Http\\Kernel` class." - }, - "help": { - "markdown": "The application appears to have disabled the CSRF token verification middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by enforcing usage and verification of the CSRF tokens associated with user requests. To enable the CSRF token verification middleware add `\\$APP\\Http\\Middleware\\VerifyCsrfToken` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-csrf-not-verified.laravel-csrf-not-verified)\n - [https://laravel.com/docs/9.x/csrf#preventing-csrf-requests](https://laravel.com/docs/9.x/csrf#preventing-csrf-requests)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-request-forgery-csrf](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cross-site-request-forgery-csrf)\n", - "text": "The application appears to have disabled the CSRF token verification middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by enforcing usage and verification of the CSRF tokens associated with user requests. To enable the CSRF token verification middleware add `\\$APP\\Http\\Middleware\\VerifyCsrfToken` to the middleware group in your `$APP\\Http\\Kernel` class." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-csrf-not-verified.laravel-csrf-not-verified", - "id": "php.laravel.security.laravel-csrf-not-verified.laravel-csrf-not-verified", - "name": "php.laravel.security.laravel-csrf-not-verified.laravel-csrf-not-verified", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-csrf-not-verified.laravel-csrf-not-verified" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format)\n - [https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render](https://docs.djangoproject.com/en/3.2/topics/http/shortcuts/#render)\n - [https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection](https://docs.djangoproject.com/en/3.2/topics/security/#cross-site-scripting-xss-protection)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates (`django.shortcuts.render`) which will safely render HTML instead." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.raw-html-format.raw-html-format", - "id": "python.django.security.injection.raw-html-format.raw-html-format", - "name": "python.django.security.injection.raw-html-format.raw-html-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.raw-html-format.raw-html-format" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-numpy-pickle.tainted-numpy-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://numpy.org/doc/stable/reference/generated/numpy.load.html](https://numpy.org/doc/stable/reference/generated/numpy.load.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-numpy-pickle.tainted-numpy-pickle", - "id": "python.lang.deserialization.tainted-numpy-pickle.tainted-numpy-pickle", - "name": "python.lang.deserialization.tainted-numpy-pickle.tainted-numpy-pickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-numpy-pickle.tainted-numpy-pickle" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.ktor.session.hardcoded-signing-key.hardcoded-signing-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.ktor.session.hardcoded-signing-key.hardcoded-signing-key", - "id": "kotlin.ktor.session.hardcoded-signing-key.hardcoded-signing-key", - "name": "kotlin.ktor.session.hardcoded-signing-key.hardcoded-signing-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.ktor.session.hardcoded-signing-key.hardcoded-signing-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment." - }, - "help": { - "markdown": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n", - "text": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high", - "id": "ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high", - "name": "ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-permit-attributes-high.check-permit-attributes-high" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue." - }, - "help": { - "markdown": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue)\n - [https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-data-protection.html)\n", - "text": "Queue $X is missing encryption at rest. Add \"encryption: $Y.QueueEncryption.KMS\" or \"encryption: $Y.QueueEncryption.KMS_MANAGED\" to the queue props to enable encryption at rest for the queue." - }, - "helpUri": "https://semgrep.dev/r/typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue", - "id": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue", - "name": "typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.aws-cdk.security.audit.awscdk-sqs-unencryptedqueue.awscdk-sqs-unencryptedqueue" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist." - }, - "help": { - "markdown": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html](https://knowledge-base.secureflag.com/vulnerabilities/unvalidated_redirects___forwards/open_redirect_go_lang.html)\n", - "text": "An HTTP redirect was found to be crafted from user-input `$REQUEST`. This can lead to open redirect vulnerabilities, potentially allowing attackers to redirect users to malicious web sites. It is recommend where possible to not allow user-input to craft the redirect URL. When user-input is necessary to craft the request, it is recommended to follow OWASP best practices to restrict the URL to domains in an allowlist." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.injection.open-redirect.open-redirect", - "id": "go.lang.security.injection.open-redirect.open-redirect", - "name": "go.lang.security.injection.open-redirect.open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.injection.open-redirect.open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insecure transmission channel. 'URLopener.retrieve(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP." - }, - "help": { - "markdown": "Detected an insecure transmission channel. 'URLopener.retrieve(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.retrieve)\n", - "text": "Detected an insecure transmission channel. 'URLopener.retrieve(...)' is being used with 'ftp://'. Use SFTP instead. urllib does not support SFTP, so consider using a library which supports SFTP." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp", - "id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp", - "name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-retrieve-ftp.insecure-urlopener-retrieve-ftp" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.missing-secure.missing-secure)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will only be sent over HTTPS or to use the Cookie Policy Middleware to globally set the Secure flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.audit.cookies.missing-secure.missing-secure", - "id": "csharp.lang.audit.cookies.missing-secure.missing-secure", - "name": "csharp.lang.audit.cookies.missing-secure.missing-secure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.audit.cookies.missing-secure.missing-secure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a possible ZeroDivisionError." - }, - "help": { - "markdown": "Detected a possible ZeroDivisionError.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_divide_by_zero.rb)\n", - "text": "Detected a possible ZeroDivisionError." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.divide-by-zero.divide-by-zero", - "id": "ruby.lang.security.divide-by-zero.divide-by-zero", - "name": "ruby.lang.security.divide-by-zero.divide-by-zero", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-369: Divide By Zero", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.divide-by-zero.divide-by-zero" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "If unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", - "id": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", - "name": "javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.xml2json.security.audit.xml2json-xxe.xml2json-xxe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Evaluating non-constant commands. This can lead to command injection." - }, - "help": { - "markdown": "Evaluating non-constant commands. This can lead to command injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.eval-use.eval-use)\n - [https://www.php.net/manual/en/function.eval](https://www.php.net/manual/en/function.eval)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/NoEvalsSniff.php)\n", - "text": "Evaluating non-constant commands. This can lead to command injection." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.eval-use.eval-use", - "id": "php.lang.security.eval-use.eval-use", - "name": "php.lang.security.eval-use.eval-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.eval-use.eval-use" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs." - }, - "help": { - "markdown": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request)\n - [https://nodejs.org/api/http.html#http_http_request_options_callback](https://nodejs.org/api/http.html#http_http_request_options_callback)\n", - "text": "Checks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.http-request.http-request", - "id": "problem-based-packs.insecure-transport.js-node.http-request.http-request", - "name": "problem-based-packs.insecure-transport.js-node.http-request.http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.http-request.http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe)\n - [https://github.com/astro/node-expat](https://github.com/astro/node-expat)\n", - "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-expat-xxe.express-expat-xxe", - "id": "javascript.express.security.express-expat-xxe.express-expat-xxe", - "name": "javascript.express.security.express-expat-xxe.express-expat-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-expat-xxe.express-expat-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions." - }, - "help": { - "markdown": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n", - "text": "Detected a Jinja2 environment with 'autoescaping' disabled. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable 'autoescaping' by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions." - }, - "helpUri": "https://semgrep.dev/r/python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled", - "id": "python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled", - "name": "python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-116: Improper Encoding or Escaping of Output", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jinja2.security.audit.autoescape-disabled-false.incorrect-autoescape-disabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security." - }, - "help": { - "markdown": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.distributed.security.require-encryption)\n - [https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters](https://distributed.dask.org/en/latest/tls.html?highlight=require_encryption#parameters)\n", - "text": "Initializing a security context for Dask (`distributed`) without \"require_encryption\" keyword argument may silently fail to provide security." - }, - "helpUri": "https://semgrep.dev/r/python.distributed.security.require-encryption", - "id": "python.distributed.security.require-encryption", - "name": "python.distributed.security.require-encryption", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.distributed.security.require-encryption" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input." - }, - "help": { - "markdown": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval#never_use_eval!)\n", - "text": "Detected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", - "id": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", - "name": "javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.detect-eval-with-expression.detect-eval-with-expression" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko", - "id": "python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko", - "name": "python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-paramiko.tainted-flask-http-request-paramiko" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-shelve-flask.tainted-shelve-flask", - "id": "python.flask.file.tainted-shelve-flask.tainted-shelve-flask", - "name": "python.flask.file.tainted-shelve-flask.tainted-shelve-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-shelve-flask.tainted-shelve-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template." - }, - "help": { - "markdown": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path)\n - [https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/](https://brakemanscanner.org/docs/warning_types/dynamic_render_paths/)\n", - "text": "Avoid rendering user input. It may be possible for a malicious user to input a path that lets them access a template they shouldn't. To prevent this, check dynamic template paths against a predefined allowlist to make sure it's an allowed template." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path", - "id": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path", - "name": "ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-dynamic-path.avoid-render-dynamic-path" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte." - }, - "help": { - "markdown": "Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag)\n - [https://www.php.net/manual/en/language.basic-syntax.phptags.php](https://www.php.net/manual/en/language.basic-syntax.phptags.php)\n", - "text": "Found direct access to a PHP variable wihout HTML escaping inside an inline PHP statement setting data from `$_REQUEST[...]`. When untrusted input can be used to tamper with a web page rendering, it can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. In PHP you can encode or sanitize user input with `htmlspecialchars` or use automatic context-aware escaping with a template engine such as Latte." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag", - "id": "php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag", - "name": "php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.taint-unsafe-echo-tag.taint-unsafe-echo-tag" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks messagebird-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks messagebird-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks messagebird-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token", - "id": "generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token", - "name": "generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.messagebird-api-token.messagebird-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default", - "id": "python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default", - "name": "python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.os.tainted-os-command-stdlib-fastapi-secure-default.tainted-os-command-stdlib-fastapi-secure-default" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "SSL verification disabled, this allows for MitM attacks" - }, - "help": { - "markdown": "SSL verification disabled, this allows for MitM attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none)\n - [https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify](https://docs.rs/openssl/latest/openssl/ssl/struct.SslContextBuilder.html#method.set_verify)\n", - "text": "SSL verification disabled, this allows for MitM attacks" - }, - "helpUri": "https://semgrep.dev/r/rust.lang.security.ssl-verify-none.ssl-verify-none", - "id": "rust.lang.security.ssl-verify-none.ssl-verify-none", - "name": "rust.lang.security.ssl-verify-none.ssl-verify-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.lang.security.ssl-verify-none.ssl-verify-none" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The code must not contain any of Unicode Direction Control Characters" - }, - "help": { - "markdown": "The code must not contain any of Unicode Direction Control Characters\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters)\n - [https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo](https://entethalliance.org/specs/ethtrust-sl/v1/#req-1-unicode-bdo)\n", - "text": "The code must not contain any of Unicode Direction Control Characters" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.no-bidi-characters.no-bidi-characters", - "id": "solidity.security.no-bidi-characters.no-bidi-characters", - "name": "solidity.security.no-bidi-characters.no-bidi-characters", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-837: Improper Enforcement of a Single, Unique Action", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.no-bidi-characters.no-bidi-characters" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "help": { - "markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run", - "id": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run", - "name": "scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.dangerous-shell-run.dangerous-shell-run" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks adobe-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks adobe-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.adobe-client-id.adobe-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks adobe-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.adobe-client-id.adobe-client-id", - "id": "generic.secrets.gitleaks.adobe-client-id.adobe-client-id", - "name": "generic.secrets.gitleaks.adobe-client-id.adobe-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.adobe-client-id.adobe-client-id" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid cookie using an unsafe default for the secure option. Pyramid cookies should be handled securely by setting secure=True in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default", - "id": "python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default", - "name": "python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.set-cookie-secure-unsafe-default.pyramid-set-cookie-secure-unsafe-default" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "help": { - "markdown": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://github.com/gorilla/csrf](https://github.com/gorilla/csrf)\n", - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "helpUri": "https://semgrep.dev/r/go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection", - "id": "go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection", - "name": "go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.csrf.gorilla-csrf.go-net-http-route-without-gorilla-csrf-protection.go-net-http-route-without-gorilla-csrf-protection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep", - "id": "java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep", - "name": "java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.spring-sqli-deepsemgrep.spring-sqli-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user data flowing into exec. This is code injection and should be avoided." - }, - "help": { - "markdown": "Detected user data flowing into exec. This is code injection and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection)\n - [https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/exec_really_is_dangerous.html)\n", - "text": "Detected user data flowing into exec. This is code injection and should be avoided." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.user-exec.exec-injection", - "id": "python.flask.security.injection.user-exec.exec-injection", - "name": "python.flask.security.injection.user-exec.exec-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.user-exec.exec-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.hyper.sql.sqlx-taint.sqlx-taint", - "id": "rust.hyper.sql.sqlx-taint.sqlx-taint", - "name": "rust.hyper.sql.sqlx-taint.sqlx-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.hyper.sql.sqlx-taint.sqlx-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. " - }, - "help": { - "markdown": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file)\n - [https://kubernetes.io/docs/concepts/configuration/secret/](https://kubernetes.io/docs/concepts/configuration/secret/)\n - [https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF](https://media.defense.gov/2021/Aug/03/2002820425/-1/-1/0/CTR_Kubernetes_Hardening_Guidance_1.1_20220315.PDF)\n - [https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html](https://docs.gitlab.com/ee/user/clusters/agent/gitops/secrets_management.html)\n - [https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/](https://www.cncf.io/blog/2021/04/22/revealing-the-secrets-of-kubernetes-secrets/)\n - [https://github.com/bitnami-labs/sealed-secrets](https://github.com/bitnami-labs/sealed-secrets)\n - [https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/](https://www.cncf.io/blog/2022/01/25/secrets-management-essential-when-using-kubernetes/)\n - [https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/](https://blog.oddbit.com/post/2021-03-09-getting-started-with-ksops/)\n", - "text": "Secrets ($VALUE) should not be stored in infrastructure as code files. Use an alternative such as Bitnami Sealed Secrets or KSOPS to encrypt Kubernetes Secrets. " - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file", - "id": "yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file", - "name": "yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.secrets-in-config-file.secrets-in-config-file" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks shippo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks shippo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.shippo-api-token.shippo-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks shippo-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.shippo-api-token.shippo-api-token", - "id": "generic.secrets.gitleaks.shippo-api-token.shippo-api-token", - "name": "generic.secrets.gitleaks.shippo-api-token.shippo-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.shippo-api-token.shippo-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.gorm.gorm-empty-password.gorm-empty-password", - "id": "go.secrets.gorm.gorm-empty-password.gorm-empty-password", - "name": "go.secrets.gorm.gorm-empty-password.gorm-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.gorm.gorm-empty-password.gorm-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-user-token.slack-user-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-user-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-user-token.slack-user-token", - "id": "generic.secrets.gitleaks.slack-user-token.slack-user-token", - "name": "generic.secrets.gitleaks.slack-user-token.slack-user-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-user-token.slack-user-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "help": { - "markdown": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe)\n - [https://www.npmjs.com/package/xml2json](https://www.npmjs.com/package/xml2json)\n", - "text": "Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-xml2json-xxe.express-xml2json-xxe", - "id": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe", - "name": "javascript.express.security.express-xml2json-xxe.express-xml2json-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-xml2json-xxe.express-xml2json-xxe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead." - }, - "help": { - "markdown": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks](https://learn.microsoft.com/en-us/dotnet/api/system.random?view=net-6.0#remarks)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.randomnumbergenerator?view=net-6.0)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm?view=net-6.0#constructors)\n - [https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.symmetricalgorithm.key?view=net-6.0#system-security-cryptography-symmetricalgorithm-key)\n", - "text": "You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", - "id": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", - "name": "csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.use_weak_rng_for_keygeneration.use_weak_rng_for_keygeneration" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks npm-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks npm-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.npm-access-token.npm-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks npm-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.npm-access-token.npm-access-token", - "id": "generic.secrets.gitleaks.npm-access-token.npm-access-token", - "name": "generic.secrets.gitleaks.npm-access-token.npm-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.npm-access-token.npm-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "id": "java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "name": "java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe.saxparserfactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password", - "id": "ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password", - "name": "ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.mysql2.ruby-mysql2-empty-password.ruby-mysql2-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "help": { - "markdown": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A formatted or concatenated string was detected as input to a java.lang.Runtime call. This is dangerous if a variable is controlled by user input and could result in a command injection. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "id": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "name": "java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.command-injection-formatted-runtime-call.command-injection-formatted-runtime-call" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.react-href-url.react-href-url)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.react-href-url.react-href-url", - "id": "typescript.react.react-href-url.react-href-url", - "name": "typescript.react.react-href-url.react-href-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.react-href-url.react-href-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value." - }, - "help": { - "markdown": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n", - "text": "Found potentially unsafe handling of redirect behavior $X. Do not pass `params` to `redirect_to` without the `:only_path => true` hash value." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-redirect-to.check-redirect-to", - "id": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to", - "name": "ruby.rails.security.brakeman.check-redirect-to.check-redirect-to", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-redirect-to.check-redirect-to" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse", - "id": "java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse", - "name": "java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parse.documentbuilderfactory-xxe-parse" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file." - }, - "help": { - "markdown": "This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file)\n - [https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions](https://wiki.sei.cmu.edu/confluence/display/c/FIO06-C.+Create+files+with+appropriate+access+permissions)\n", - "text": "This call makes a world-writable file which allows any user on a machine to write to the file. This may allow attackers to influence the behaviour of this process by writing to the file." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.filesystem.world-writable-file.world-writable-file", - "id": "cpp.lang.security.filesystem.world-writable-file.world-writable-file", - "name": "cpp.lang.security.filesystem.world-writable-file.world-writable-file", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.filesystem.world-writable-file.world-writable-file" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "help": { - "markdown": "Ensure web app is using the latest version of TLS encryption\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure web app is using the latest version of TLS encryption" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version", - "id": "terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version", - "name": "terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.appservice.azure-appservice-min-tls-version.azure-appservice-min-tls-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url", - "id": "rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url", - "name": "rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-url.hardcoded-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet", - "id": "java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet", - "name": "java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xxe.tainted-schemafactory-xxe-servlet.tainted-schemafactory-xxe-servlet" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid", - "id": "python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid", - "name": "python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-pandas-pickle-pyramid.tainted-pandas-pickle-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask)\n - [https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command](https://docs.paramiko.org/en/latest/api/client.html#paramiko.client.SSHClient.exec_command)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask", - "id": "python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask", - "name": "python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.os.tainted-os-command-paramiko-flask.tainted-os-command-paramiko-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside exec.Cmd. Audit the input to 'exec.Cmd'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd", - "id": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd", - "name": "go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.dangerous-exec-cmd.dangerous-exec-cmd" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection." - }, - "helpUri": "https://semgrep.dev/r/python.flask.db.sqlalchemy-flask.sqlalchemy-flask", - "id": "python.flask.db.sqlalchemy-flask.sqlalchemy-flask", - "name": "python.flask.db.sqlalchemy-flask.sqlalchemy-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.db.sqlalchemy-flask.sqlalchemy-flask" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks sendinblue-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks sendinblue-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks sendinblue-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token", - "id": "generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token", - "name": "generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.sendinblue-api-token.sendinblue-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi", - "id": "python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi", - "name": "python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.file.tainted-pickleshare-fastapi.tainted-pickleshare-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User controlled data in a HTML string may result in XSS" - }, - "help": { - "markdown": "User controlled data in a HTML string may result in XSS\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat)\n - [https://owasp.org/www-community/attacks/xss/](https://owasp.org/www-community/attacks/xss/)\n", - "text": "User controlled data in a HTML string may result in XSS" - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.security.raw-html-concat.raw-html-concat", - "id": "javascript.browser.security.raw-html-concat.raw-html-concat", - "name": "javascript.browser.security.raw-html-concat.raw-html-concat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.security.raw-html-concat.raw-html-concat" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask", - "id": "python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask", - "name": "python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask.tainted-os-command-stdlib-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "help": { - "markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request)\n - [https://github.com/parnurzeal/gorequest](https://github.com/parnurzeal/gorequest)\n", - "text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request", - "id": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request", - "name": "problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.gorequest-http-request.gorequest-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password", - "id": "python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password", - "name": "python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.mysqlclient.python-mysqlclient-empty-password.python-mysqlclient-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false)\n - [https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware](https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-8.0#cookie-policy-middleware)\n - [https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.cookieoptions)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts or to use the Cookie Policy Middleware to globally set the HttpOnly flag. You can then use the CookieOptions class when instantiating the cookie, which inherits these settings and will require future developers to have to explicitly override them on a case-by-case basis if needed. This approach ensures cookies are secure by default." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.audit.cookies.httponly-false.httponly-false", - "id": "csharp.lang.audit.cookies.httponly-false.httponly-false", - "name": "csharp.lang.audit.cookies.httponly-false.httponly-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.audit.cookies.httponly-false.httponly-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri", - "id": "python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri", - "name": "python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.redis.python-redis-hardcoded-uri.python-redis-hardcoded-uri" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc", - "id": "csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc", - "name": "csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint-grpc.compile-taint-grpc" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection", - "id": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection", - "name": "javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.playwright.security.audit.playwright-addinitscript-code-injection.playwright-addinitscript-code-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask", - "id": "python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask", - "name": "python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-pickleshare-flask.tainted-pickleshare-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query." - }, - "help": { - "markdown": "Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli)\n - [https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf](https://owasp.org/www-pdf-archive/GOD16-NOSQL.pdf)\n", - "text": "Detected a `$IMPORT` statement that comes from a `$REQ` argument. This could lead to NoSQL injection if the variable is user-controlled and is not properly sanitized. Be sure to properly sanitize the data if you absolutely must pass request data into a mongo query." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli", - "id": "javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli", - "name": "javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.mongodb.express-mongo-nosqli.express-mongo-nosqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Found a Pyramid Authentication Ticket without the samesite option correctly set. Pyramid cookies should be handled securely by setting samesite='Lax'. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite", - "id": "python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite", - "name": "python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-samesite.pyramid-authtkt-cookie-samesite" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information." - }, - "help": { - "markdown": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server)\n - [https://nodejs.org/api/http.html#http_class_http_agent](https://nodejs.org/api/http.html#http_class_http_agent)\n - [https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY](https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY)\n", - "text": "Checks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server", - "id": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server", - "name": "problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.using-http-server.using-http-server" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-pyyaml-aws-lambda.tainted-pyyaml-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered." - }, - "help": { - "markdown": "The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "The use of the MD5 hashing algorithm was identified which is considered insecure. MD5 is not collision resistant and is therefore not suitable for cryptographic or secure use-cases. Use stronger algorithms such as SHA256, SHA512, or adaptive hashing algorithms such as argon2 or bcrypt. **Note**: MD5 is still considered acceptable when used for Message Authentication Purposes, e.g. with HMAC although better and stronger algorithms should be strongly considered." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5", - "id": "swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5", - "name": "swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-hashing-algorithm-md5.insecure-hashing-algorithm-md5" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "help": { - "markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret", - "id": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret", - "name": "ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.jwt.security.jwt-hardcode.ruby-jwt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`." - }, - "help": { - "markdown": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n", - "text": "Detected wildcard access granted to Glacier Vault. This means anyone within your AWS account ID can perform actions on Glacier resources. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal", - "id": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal", - "name": "terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-glacier-vault-any-principal.aws-glacier-vault-any-principal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen." - }, - "help": { - "markdown": "The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/](https://blog.elcomsoft.com/2020/08/extracting-and-decrypting-ios-keychain-physical-logical-and-cloud-options-explored/)\n", - "text": "The application was observed to store keychain items with the accessibility type `kSecAttrAccessibleAlways` meaning that the data is not sufficiently protected at rest. Ideally, the application should use `kSecAttrAccessibleWhenUnlocked` to configure the data to be accessible only when the user has unlocked the screen." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always", - "id": "swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always", - "name": "swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.keychain-always-accessible.keychain-accessible-always" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "ERC721 onERC721Received() reentrancy" - }, - "help": { - "markdown": "ERC721 onERC721Received() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy)\n - [https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a](https://blocksecteam.medium.com/when-safemint-becomes-unsafe-lessons-from-the-hypebears-security-incident-2965209bda2a)\n - [https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef](https://etherscan.io/address/0x14e0a1f310e2b7e321c91f58847e98b8c802f6ef)\n", - "text": "ERC721 onERC721Received() reentrancy" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.erc721-reentrancy.erc721-reentrancy", - "id": "solidity.security.erc721-reentrancy.erc721-reentrancy", - "name": "solidity.security.erc721-reentrancy.erc721-reentrancy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.erc721-reentrancy.erc721-reentrancy" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar." - }, - "help": { - "markdown": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host)\n - [https://nginx.org/en/docs/http/ngx_http_map_module.html](https://nginx.org/en/docs/http/ngx_http_map_module.html)\n", - "text": "The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", - "id": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", - "name": "generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-host.dynamic-proxy-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret", - "id": "python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret", - "name": "python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.neo4j.python-neo4j-hardcoded-secret.python-neo4j-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret", - "id": "csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret", - "name": "csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.system.passwordauthenticationmethod-hardcoded-secret.passwordauthenticationmethod-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid Authentication Ticket cookie without the secure option correctly set. Pyramid cookies should be handled securely by setting secure=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value", - "id": "python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value", - "name": "python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-secure-unsafe-value.pyramid-authtkt-cookie-secure-unsafe-value" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option." - }, - "help": { - "markdown": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked", - "id": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked", - "name": "javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-jwt-not-revoked.express-jwt-not-revoked" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "help": { - "markdown": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request)\n - [https://golang.org/pkg/net/http/#Get](https://golang.org/pkg/net/http/#Get)\n", - "text": "Checks for requests sent via http.$FUNC to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.http-request.http-request", - "id": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request", - "name": "problem-based-packs.insecure-transport.go-stdlib.http-request.http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.http-request.http-request" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter." - }, - "help": { - "markdown": "The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp)\n - [https://docs.python.org/3/library/tempfile.html#tempfile.mktemp](https://docs.python.org/3/library/tempfile.html#tempfile.mktemp)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "The function `mktemp` is deprecated. When using this function, it is possible for an attacker to modify the created file before the filename is returned. Use `NamedTemporaryFile()` instead and pass it the `delete=False` parameter." - }, - "helpUri": "https://semgrep.dev/r/python.lang.file.avoid-mktemp.avoid-mktemp", - "id": "python.lang.file.avoid-mktemp.avoid-mktemp", - "name": "python.lang.file.avoid-mktemp.avoid-mktemp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-377: Insecure Temporary File", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.file.avoid-mktemp.avoid-mktemp" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli", - "id": "java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli", - "name": "java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.jdbctemplate-sqli.jdbctemplate-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." - }, - "help": { - "markdown": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n", - "text": "XML external entities are enabled for this XMLInputFactory. This is vulnerable to XML external entity attacks. Disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled", - "id": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled", - "name": "java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xmlinputfactory-external-entities-enabled.xmlinputfactory-external-entities-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep", - "id": "javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep", - "name": "javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.request.ssrf-deepsemgrep.ssrf-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "helpUri": "https://semgrep.dev/r/kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli", - "id": "kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli", - "name": "kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.spring.jdbctemplate-sqli.jdbctemplate-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret", - "id": "ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret", - "name": "ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.redis.ruby-redis-hardcoded-secret.ruby-redis-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice." - }, - "help": { - "markdown": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_cookie_serialization.rb)\n - [https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/](https://robertheaton.com/2013/07/22/how-to-hack-a-rails-app-using-its-secret-token/)\n", - "text": "Checks if code allows cookies to be deserialized using Marshal. If the attacker can craft a valid cookie, this could lead to remote code execution. The hybrid check is just to warn users to migrate to :json for best practice." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.cookie-serialization.cookie-serialization", - "id": "ruby.lang.security.cookie-serialization.cookie-serialization", - "name": "ruby.lang.security.cookie-serialization.cookie-serialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.cookie-serialization.cookie-serialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-dill-flask.tainted-dill-flask", - "id": "python.flask.deserialization.tainted-dill-flask.tainted-dill-flask", - "name": "python.flask.deserialization.tainted-dill-flask.tainted-dill-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-dill-flask.tainted-dill-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP." - }, - "help": { - "markdown": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.OpenerDirector.open)\n", - "text": "Detected an unsecured transmission channel. 'OpenerDirector.open(...)' is being used with 'ftp://'. Information sent over this connection will be unencrypted. Consider using SFTP instead. urllib does not support SFTP, so consider a library which supports SFTP." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp", - "id": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp", - "name": "python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-openerdirector-open-ftp.insecure-openerdirector-open-ftp" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens." - }, - "help": { - "markdown": "HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n", - "text": "HttpOnly cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.taint-cookie-http-false.taint-cookie-http-false", - "id": "php.lang.security.taint-cookie-http-false.taint-cookie-http-false", - "name": "php.lang.security.taint-cookie-http-false.taint-cookie-http-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.taint-cookie-http-false.taint-cookie-http-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach `vm2`." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Make sure that unverified user data can not reach `vm2`." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm2-injection.express-vm2-injection", - "id": "javascript.express.security.express-vm2-injection.express-vm2-injection", - "name": "javascript.express.security.express-vm2-injection.express-vm2-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-vm2-injection.express-vm2-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead" - }, - "help": { - "markdown": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n", - "text": "Hardcoded variable `SECRET_KEY` detected. Use environment variables or config files instead" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY", - "id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY", - "name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_SECRET_KEY" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jpa-sqli.jpa-sqli", - "id": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli", - "name": "java.lang.security.audit.sqli.jpa-sqli.jpa-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.sqli.jpa-sqli.jpa-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password", - "id": "python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password", - "name": "python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.neo4j.python-neo4j-empty-password.python-neo4j-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli)\n - [https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements](https://sequelize.org/docs/v6/core-concepts/raw-queries/#replacements)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.mysql.express-mysql-sqli.express-mysql-sqli", - "id": "javascript.express.mysql.express-mysql-sqli.express-mysql-sqli", - "name": "javascript.express.mysql.express-mysql-sqli.express-mysql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.mysql.express-mysql-sqli.express-mysql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens." - }, - "help": { - "markdown": "Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config)\n - [https://www.php.net/manual/en/function.setcookie.php](https://www.php.net/manual/en/function.setcookie.php)\n - [https://www.php.net/manual/en/function.session-set-cookie-params.php](https://www.php.net/manual/en/function.session-set-cookie-params.php)\n - [https://www.php.net/manual/en/configuration.file.php](https://www.php.net/manual/en/configuration.file.php)\n", - "text": "Secure cookie flag is explicitly disabled. This will cause cookies to be transmitted over unencrypted HTTP connections which can allow theft of confidential user data such as session tokens." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config", - "id": "php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config", - "name": "php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.search-cookie-secure-false-ini-config.search-cookie-secure-false-ini-config" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control." - }, - "help": { - "markdown": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails4/config/secrets.yml)\n", - "text": "$VALUE Found a string literal assignment to a production Rails session secret in `secrets.yaml`. Do not commit secret values to source control! Any user in possession of this value may falsify arbitrary session data in your application. Read this value from an environment variable, KMS, or file on disk outside of source control." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml", - "id": "ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml", - "name": "ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-540: Inclusion of Sensitive Information in Source Code", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-rails-secret-yaml.check-rails-secret-yaml" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SSLv3 is insecure and has multiple known vulnerabilities." - }, - "help": { - "markdown": "SSLv3 is insecure and has multiple known vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3)\n", - "text": "SSLv3 is insecure and has multiple known vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3", - "id": "mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3", - "name": "mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-327", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.crypto.insecure_ssl_v3.insecure_sslv3" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead." - }, - "help": { - "markdown": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n", - "text": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion", - "id": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion", - "name": "kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-704: Incorrect Type Conversion or Cast", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.bad-hexa-conversion.bad-hexa-conversion" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.sqlx.mysql-connection-url.mysql-connection-url", - "id": "rust.secrets.sqlx.mysql-connection-url.mysql-connection-url", - "name": "rust.secrets.sqlx.mysql-connection-url.mysql-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.sqlx.mysql-connection-url.mysql-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application." - }, - "help": { - "markdown": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment)\n - [https://cwe.mitre.org/data/definitions/915.html](https://cwe.mitre.org/data/definitions/915.html)\n - [https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md](https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa6-mass-assignment.md)\n", - "text": "Mass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.mass-assignment.mass-assignment", - "id": "csharp.dotnet.security.audit.mass-assignment.mass-assignment", - "name": "csharp.dotnet.security.audit.mass-assignment.mass-assignment", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "MEDIUM CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.audit.mass-assignment.mass-assignment" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure all Cloud SQL database instance requires all incoming connections to use SSL" - }, - "help": { - "markdown": "Ensure all Cloud SQL database instance requires all incoming connections to use SSL\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure all Cloud SQL database instance requires all incoming connections to use SSL" - }, - "helpUri": "https://semgrep.dev/r/terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl", - "id": "terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl", - "name": "terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header." - }, - "help": { - "markdown": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n", - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.templates.var-in-href.var-in-href", - "id": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href", - "name": "ruby.rails.security.audit.xss.templates.var-in-href.var-in-href", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.templates.var-in-href.var-in-href" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks telegram-bot-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks telegram-bot-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks telegram-bot-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token", - "id": "generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token", - "name": "generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.telegram-bot-api-token.telegram-bot-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions." - }, - "help": { - "markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors)\n - [https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin](https://developer.mozilla.org/ru/docs/Web/HTTP/Headers/Access-Control-Allow-Origin)\n", - "text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.php-permissive-cors.php-permissive-cors", - "id": "php.lang.security.php-permissive-cors.php-permissive-cors", - "name": "php.lang.security.php-permissive-cors.php-permissive-cors", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-346: Origin Validation Error", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.php-permissive-cors.php-permissive-cors" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://sqlobject.org/SQLBuilder.html](https://sqlobject.org/SQLBuilder.html)\n - [https://sqlobject.org/SQLObject.html](https://sqlobject.org/SQLObject.html)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Don’t manually concatenate values to a query, use SQLBuilder instead to avoid SQL injection." - }, - "helpUri": "https://semgrep.dev/r/python.flask.db.sqlobject-flask.sqlobject-flask", - "id": "python.flask.db.sqlobject-flask.sqlobject-flask", - "name": "python.flask.db.sqlobject-flask.sqlobject-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.db.sqlobject-flask.sqlobject-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability." - }, - "help": { - "markdown": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Untrusted user input in {url: ...} can result in Open Redirect vulnerability." - }, - "helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect", - "id": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect", - "name": "typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-open-redirect.nestjs-open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Generic Secret detected" - }, - "help": { - "markdown": "Generic Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Generic Secret detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-generic-secret.detected-generic-secret", - "id": "generic.secrets.security.detected-generic-secret.detected-generic-secret", - "name": "generic.secrets.security.detected-generic-secret.detected-generic-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-generic-secret.detected-generic-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input." - }, - "help": { - "markdown": "The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n", - "text": "The function `$FUN` does not impose any size limitation to what it writes to `$BUF`. That may lead to a stack buffer overflow if there is no validation on the size of the input." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer", - "id": "cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer", - "name": "cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.unbounded-copy-to-stack-buffer.unbounded-copy-to-stack-buffer" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask", - "id": "python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask", - "name": "python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-torch-pickle-flask.tainted-torch-pickle-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "CodeClimate detected" - }, - "help": { - "markdown": "CodeClimate detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "CodeClimate detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-codeclimate.detected-codeclimate", - "id": "generic.secrets.security.detected-codeclimate.detected-codeclimate", - "name": "generic.secrets.security.detected-codeclimate.detected-codeclimate", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-codeclimate.detected-codeclimate" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security." - }, - "help": { - "markdown": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context)\n - [https://tools.ietf.org/html/rfc7568](https://tools.ietf.org/html/rfc7568)\n - [https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html](https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-02.html)\n", - "text": "An insecure SSL context was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use SSLContext.getInstance(\"TLSv1.2\") for the best security." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.weak-ssl-context.weak-ssl-context", - "id": "java.lang.security.audit.weak-ssl-context.weak-ssl-context", - "name": "java.lang.security.audit.weak-ssl-context.weak-ssl-context", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.weak-ssl-context.weak-ssl-context" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used." - }, - "help": { - "markdown": "Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails6/app/controllers/accounts_controller.rb)\n", - "text": "Found an improperly constructed control flow block with `request.get?`. Rails will route HEAD requests as GET requests but they will fail the `request.get?` check, potentially causing unexpected behavior unless an `elif` condition is used." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion", - "id": "ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion", - "name": "ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-650: Trusting HTTP Permission Methods on the Server Side", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-http-verb-confusion.check-http-verb-confusion" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits." - }, - "help": { - "markdown": "Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", - "text": "Use of RSA-$BITS, which is considered weak. Based on NIST standards, RSA keys should be at least 2048 bits." - }, - "helpUri": "https://semgrep.dev/r/typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key", - "id": "typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key", - "name": "typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.typescript.node.security.node-rsa-weak-key.node-rsa-weak-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "help": { - "markdown": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", - "text": "Use of Blowfish was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered non-compliant. Instead, use a strong, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", - "id": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", - "name": "java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-blowfish.use-of-blowfish" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands." - }, - "help": { - "markdown": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command)\n - [https://www.stackhawk.com/blog/command-injection-java/](https://www.stackhawk.com/blog/command-injection-java/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java](https://github.com/github/codeql/blob/main/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.java)\n", - "text": "Detected user input entering a method which executes a system command. This could result in a command injection vulnerability, which allows an attacker to inject an arbitrary system command onto the server. The attacker could download malware onto or steal data from the server. Instead, use ProcessBuilder, separating the command into individual arguments, like this: `new ProcessBuilder(\"ls\", \"-al\", targetDirectory)`. Further, make sure you hardcode or allowlist the actual command so that attackers can't run arbitrary commands." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-system-command.tainted-system-command", - "id": "java.spring.security.injection.tainted-system-command.tainted-system-command", - "name": "java.spring.security.injection.tainted-system-command.tainted-system-command", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.injection.tainted-system-command.tainted-system-command" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The XML parser $PARSER is not securely configured. The current configuration allows for XXE attacks. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setExpandEntities(false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe", - "id": "kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe", - "name": "kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxbuilder-xxe.saxbuilder-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "File name based on user input risks server-side request forgery." - }, - "help": { - "markdown": "File name based on user input risks server-side request forgery.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "File name based on user input risks server-side request forgery." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-filename.tainted-filename", - "id": "php.lang.security.injection.tainted-filename.tainted-filename", - "name": "php.lang.security.injection.tainted-filename.tainted-filename", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.injection.tainted-filename.tainted-filename" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively." - }, - "help": { - "markdown": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex)\n - [https://brakemanscanner.org/docs/warning_types/format_validation/](https://brakemanscanner.org/docs/warning_types/format_validation/)\n - [https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb](https://github.com/presidentbeef/brakeman/blob/aef6253a8b7bcb97116f2af1ed2a561a6ae35bd5/test/apps/rails3/app/models/account.rb)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails3.1/app/models/account.rb)\n", - "text": "$V Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\\A` for beginning of line and `\\Z` for end of line, respectively." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex", - "id": "ruby.rails.security.brakeman.check-validation-regex.check-validation-regex", - "name": "ruby.rails.security.brakeman.check-validation-regex.check-validation-regex", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-185: Incorrect Regular Expression", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-validation-regex.check-validation-regex" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf", - "id": "go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf", - "name": "go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.sql.grpc-pgx-sqli-taint-med-conf.grpc-pgx-sqli-taint-med-conf" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib", - "id": "python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib", - "name": "python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.file.tainted-path-traversal-stdlib.tainted-path-traversal-stdlib" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency" - }, - "help": { - "markdown": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning)\n - [https://pytorch.org/docs/stable/data.html#memory-pinning](https://pytorch.org/docs/stable/data.html#memory-pinning)\n", - "text": "If possible, it is better to rely on automatic pinning in PyTorch to avoid undefined behavior and for efficiency" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.automatic-memory-pinning.automatic-memory-pinning", - "id": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning", - "name": "trailofbits.python.automatic-memory-pinning.automatic-memory-pinning", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-676: Use of Potentially Dangerous Function", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.automatic-memory-pinning.automatic-memory-pinning" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2", - "id": "python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2", - "name": "python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-httplib2.tainted-flask-http-request-httplib2" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.nosql.mongodb-taint.mongodb-taint", - "id": "rust.actix.nosql.mongodb-taint.mongodb-taint", - "name": "rust.actix.nosql.mongodb-taint.mongodb-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.nosql.mongodb-taint.mongodb-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "help": { - "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-url-host.tainted-url-host", - "id": "php.lang.security.injection.tainted-url-host.tainted-url-host", - "name": "php.lang.security.injection.tainted-url-host.tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.injection.tainted-url-host.tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` Beware, using a custom EntityResolver will render these settings useless and you will be responsible for handeling security in the implementation of you EntityResolver. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity", - "id": "java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity", - "name": "java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.documentbuilderfactory-xxe-parameter-entity.documentbuilderfactory-xxe-parameter-entity" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Dangerous client config used, ensure SSL verification" - }, - "help": { - "markdown": "Dangerous client config used, ensure SSL verification\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous)\n - [https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html](https://docs.rs/rustls/latest/rustls/client/struct.DangerousClientConfig.html)\n - [https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous](https://docs.rs/rustls/latest/rustls/client/struct.ClientConfig.html#method.dangerous)\n", - "text": "Dangerous client config used, ensure SSL verification" - }, - "helpUri": "https://semgrep.dev/r/rust.lang.security.rustls-dangerous.rustls-dangerous", - "id": "rust.lang.security.rustls-dangerous.rustls-dangerous", - "name": "rust.lang.security.rustls-dangerous.rustls-dangerous", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.lang.security.rustls-dangerous.rustls-dangerous" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. By setting a custom `EntityResolver` for all previous security configurations for are bypassed. It is your responsibility to handle security in the `EntityResolver` implementation instead. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver", - "id": "java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver", - "name": "java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xml-custom-entityresolver.xml-custom-entityresolver" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks new-relic-insert-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key", - "id": "generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key", - "name": "generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.new-relic-insert-key.new-relic-insert-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts." - }, - "help": { - "markdown": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/pages_security_tips_xss.htm)\n", - "text": "To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts. Please update your code to use either the JSENCODE method to escape URL parameters or the escape=\"true\" attribute on tags. Passing URL parameters directly into scripts and DOM sinks creates an opportunity for Cross-Site Scripting attacks. Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. To remediate this issue, ensure that all URL parameters are properly escaped before including them in scripts." - }, - "helpUri": "https://semgrep.dev/r/generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param", - "id": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param", - "name": "generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.visualforce.security.ncino.vf.xssfromunescapedurlparam.xss-from-unescaped-url-param" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks vault-batch-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks vault-batch-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.vault-batch-token.vault-batch-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks vault-batch-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.vault-batch-token.vault-batch-token", - "id": "generic.secrets.gitleaks.vault-batch-token.vault-batch-token", - "name": "generic.secrets.gitleaks.vault-batch-token.vault-batch-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.vault-batch-token.vault-batch-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'" - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli)\n - [https://pg.uptrace.dev/](https://pg.uptrace.dev/)\n - [https://pkg.go.dev/github.com/go-pg/pg/v10](https://pkg.go.dev/github.com/go-pg/pg/v10)\n", - "text": "Detected string concatenation with a non-literal variable in a go-pg SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead of string concatenation. You can use parameterized queries like so: '(SELECT ? FROM table, data1)'" - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-sqli.pg-sqli", - "id": "go.lang.security.audit.sqli.pg-sqli.pg-sqli", - "name": "go.lang.security.audit.sqli.pg-sqli.pg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.sqli.pg-sqli.pg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html)\n - [https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/12-Testing_for_Command_Injection)\n - [https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection](https://www.securecodewarrior.com/blog/coders-conquer-security-share-learn-series-os-command-injection)\n - [https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd](https://portal.securecodewarrior.com/#/learning-resources/application_security_weaknesses~2Fweb~2Fdata_handling~2Finjection~2Foscmd)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent command injection, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. For more information, see [JavaScript command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request", - "id": "java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request", - "name": "java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-cmd-from-http-request.tainted-cmd-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly." - }, - "help": { - "markdown": "The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "The use of the insecure RC4 stream cipher encryption algorithm was identified. RC4 is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4", - "id": "swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4", - "name": "swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-rc4.insecure-crypto-algorithm-rc4" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks atlassian-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks atlassian-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks atlassian-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token", - "id": "generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token", - "name": "generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.atlassian-api-token.atlassian-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. The xml parsing libraries are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, they are still vulnerable to denial of service attacks such as billion laughs and quadratic blowup. To mitigate these attacks, it is recommended to use a different parser such as defusedxml." - }, - "helpUri": "https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib", - "id": "python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib", - "name": "python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.xml.tainted-flask-xml-stdlib.tainted-flask-xml-stdlib" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Oracle update is not restricted in $F()" - }, - "help": { - "markdown": "Oracle update is not restricted in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control)\n - [https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0](https://medium.com/immunefi/sense-finance-access-control-issue-bugfix-review-32e0c806b1a0)\n", - "text": "Oracle update is not restricted in $F()" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control", - "id": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control", - "name": "solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.sense-missing-oracle-access-control.sense-missing-oracle-access-control" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible." - }, - "help": { - "markdown": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use)\n - [https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html](https://docs.oracle.com/javase/8/docs/technotes/guides/security/doprivileged.html)\n - [https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation](https://wiki.sei.cmu.edu/confluence/display/java/Privilege+Escalation)\n - [http://phrack.org/papers/escaping_the_java_sandbox.html](http://phrack.org/papers/escaping_the_java_sandbox.html)\n", - "text": "Marking code as privileged enables a piece of trusted code to temporarily enable access to more resources than are available directly to the code that called it. Be very careful in your use of the privileged construct, and always remember to make the privileged code section as small as possible." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.do-privileged-use.do-privileged-use", - "id": "java.lang.security.do-privileged-use.do-privileged-use", - "name": "java.lang.security.do-privileged-use.do-privileged-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.do-privileged-use.do-privileged-use" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password", - "id": "python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password", - "name": "python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.peewee.python-peewee-pg-empty-password.python-peewee-pg-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-textual-sql)\n - [https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm](https://www.tutorialspoint.com/sqlalchemy/sqlalchemy_quick_guide.htm)\n - [https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column](https://docs.sqlalchemy.org/en/14/core/tutorial.html#using-more-specific-text-with-table-expression-literal-column-and-expression-column)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as SQLAlchemy which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-sql-string.tainted-sql-string", - "id": "python.flask.security.injection.tainted-sql-string.tainted-sql-string", - "name": "python.flask.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-704: Incorrect Type Conversion or Cast", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself." - }, - "help": { - "markdown": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "It looks like you're using an implementation of XSSRequestWrapper from dzone. (https://www.javacodegeeks.com/2012/07/anti-cross-site-scripting-xss-filter.html) The XSS filtering in this code is not secure and can be bypassed by malicious actors. It is recommended to use a stack that automatically escapes in your view or templates instead of filtering yourself." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure", - "id": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure", - "name": "java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xssrequestwrapper-is-insecure.xssrequestwrapper-is-insecure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content." - }, - "help": { - "markdown": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "When data from an untrusted source is put into a logger and not neutralized correctly, an attacker could forge log entries or include malicious content." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", - "id": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", - "name": "java.lang.security.audit.crlf-injection-logs.crlf-injection-logs", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crlf-injection-logs.crlf-injection-logs" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files." - }, - "help": { - "markdown": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "Detected hardcoded password used in basic authentication in a controller class. Including this password in version control could expose this credential. Consider refactoring to use environment variables or configuration files." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller", - "id": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller", - "name": "ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.hardcoded-http-auth-in-controller.hardcoded-http-auth-in-controller" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag)\n - [https://owasp.org/www-community/controls/SecureCookieAttribute](https://owasp.org/www-community/controls/SecureCookieAttribute)\n", - "text": "A cookie was detected without setting the 'secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'secure' flag by calling '$COOKIE.setSecure(true);'" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag", - "id": "java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag", - "name": "java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.audit.cookie-missing-secure-flag.cookie-missing-secure-flag" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the file path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In PHP, this can lead to both local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-path-traversal.laravel-path-traversal", - "id": "php.laravel.security.laravel-path-traversal.laravel-path-traversal", - "name": "php.laravel.security.laravel-path-traversal.laravel-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-path-traversal.laravel-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password", - "id": "java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password", - "name": "java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.net.http.passwordauthentication-hardcoded-password.passwordauthentication-hardcoded-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi", - "id": "python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi", - "name": "python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.code.tainted-code-stdlib-fastapi.tainted-code-stdlib-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret", - "id": "go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret", - "name": "go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.pgx.pgx-hardcoded-secret.pgx-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "id": "java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "name": "java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.crypto.hardcoded-secret-key-spec.hardcoded-secret-key-spec" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string", - "id": "javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string", - "name": "javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.knex.node-knex-empty-password-connection-string.node-knex-empty-password-connection-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server." - }, - "help": { - "markdown": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.require-request.require-request)\n - [https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it](https://github.com/google/node-sec-roadmap/blob/master/chapter-2/dynamism.md#dynamism-when-you-need-it)\n", - "text": "If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.require-request.require-request", - "id": "javascript.express.security.require-request.require-request", - "name": "javascript.express.security.require-request.require-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-706: Use of Incorrectly-Resolved Name or Reference", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.require-request.require-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password", - "id": "ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password", - "name": "ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.pg.ruby-pg-empty-password.ruby-pg-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false", - "id": "python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false", - "name": "python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-httponly-false.flask-cookie-httponly-false" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://www.stackhawk.com/blog/command-injection-python/](https://www.stackhawk.com/blog/command-injection-python/)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/python.lang.code.tainted-code-stdlib.tainted-code-stdlib", - "id": "python.lang.code.tainted-code-stdlib.tainted-code-stdlib", - "name": "python.lang.code.tainted-code-stdlib.tainted-code-stdlib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.code.tainted-code-stdlib.tainted-code-stdlib" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `marshal` module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid", - "id": "python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid", - "name": "python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-marshal-pyramid.tainted-marshal-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks etsy-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks etsy-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.etsy-access-token.etsy-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks etsy-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.etsy-access-token.etsy-access-token", - "id": "generic.secrets.gitleaks.etsy-access-token.etsy-access-token", - "name": "generic.secrets.gitleaks.etsy-access-token.etsy-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.etsy-access-token.etsy-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "help": { - "markdown": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly)\n - [https://owasp.org/www-community/HttpOnly](https://owasp.org/www-community/HttpOnly)\n", - "text": "A cookie was detected without setting the 'HttpOnly' flag. The 'HttpOnly' flag for cookies instructs the browser to forbid client-side scripts from reading the cookie. Set the 'HttpOnly' flag by calling 'cookie.setHttpOnly(true);'" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "id": "java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "name": "java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.audit.cookie-missing-httponly.cookie-missing-httponly" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "External XML Schema is allowed for identified XML parser. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks via XML Schema (`.xsd` files). It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema", - "id": "java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema", - "name": "java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.schemafactory-xxe-schema.schemafactory-xxe-schema" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch up the data into a list and invoke your DML once on that list of data outside the loop." - }, - "help": { - "markdown": "Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch up the data into a list and invoke your DML once on that list of data outside the loop.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops)\n - [https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm](https://developer.salesforce.com/docs/atlas.en-us.apexcode.meta/apexcode/apex_gov_limits.htm)\n", - "text": "Avoid DML statements inside loops to avoid hitting the DML governor limit. Instead, try to batch up the data into a list and invoke your DML once on that list of data outside the loop." - }, - "helpUri": "https://semgrep.dev/r/apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops", - "id": "apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops", - "name": "apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: apex.lang.performance.ncino.operationsinloops.avoidnativedmlinloops.avoid-native-dml-in-loops" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)." - }, - "help": { - "markdown": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth)\n - [https://cwe.mitre.org/data/definitions/477.html](https://cwe.mitre.org/data/definitions/477.html)\n", - "text": "Warning MONGODB-CR was deprecated with the release of MongoDB 3.6 and is no longer supported by MongoDB 4.0 (see https://api.mongodb.com/python/current/examples/authentication.html for details)." - }, - "helpUri": "https://semgrep.dev/r/python.pymongo.security.mongodb.mongo-client-bad-auth", - "id": "python.pymongo.security.mongodb.mongo-client-bad-auth", - "name": "python.pymongo.security.mongodb.mongo-client-bad-auth", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-477: Use of Obsolete Function", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymongo.security.mongodb.mongo-client-bad-auth" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text." - }, - "help": { - "markdown": "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text)\n - [https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss](https://brakemanpro.com/2017/09/08/cross-site-scripting-in-rails#inline-renders---even-worse-than-xss)\n", - "text": "'render text: ...' actually sets the content-type to 'text/html'. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Instead, use 'render plain: ...' to render non-HTML text." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text", - "id": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text", - "name": "ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-render-text.avoid-render-text" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization", - "id": "java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization", - "name": "java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.deserialization.objectinputstream-deserialization.objectinputstream-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead." - }, - "help": { - "markdown": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor)\n - [https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption](https://stackoverflow.com/questions/1135186/whats-wrong-with-xor-encryption)\n", - "text": "Detected XOR cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use AES instead." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor", - "id": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor", - "name": "python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm.insecure-cipher-algorithm-xor" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks facebook-page-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks facebook-page-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks facebook-page-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token", - "id": "generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token", - "name": "generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.facebook-page-access-token.facebook-page-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "id": "kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "name": "kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.spring.tainted-ssrf-spring-format.tainted-ssrf-spring-format" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS." - }, - "help": { - "markdown": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n", - "text": "Detected direct use of jinja2. If not done properly, this may bypass HTML escaping which opens up the application to cross-site scripting (XSS) vulnerabilities. Prefer using the Flask method 'render_template()' and templates with a '.html' extension in order to prevent XSS." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2", - "id": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2", - "name": "python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.xss.audit.direct-use-of-jinja2.direct-use-of-jinja2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely." - }, - "help": { - "markdown": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_volume#encrypted)\n - [https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html)\n", - "text": "The AWS EBS volume is unencrypted. The volume, the disk I/O and any derived snapshots could be read if compromised. Volumes should be encrypted to ensure sensitive data is stored securely." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted", - "id": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted", - "name": "terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-unencrypted.aws-ebs-volume-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead." - }, - "help": { - "markdown": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http", - "id": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http", - "name": "python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication." - }, - "help": { - "markdown": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service)\n - [https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#apiservice-v1-apiregistration-k8s-io)\n", - "text": "Service is disabling TLS certificate verification when communicating with the server. This makes your HTTPS connections insecure. Remove the 'insecureSkipTLSVerify: true' key to secure communication." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service", - "id": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service", - "name": "yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.skip-tls-verify-service.skip-tls-verify-service" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption." - }, - "help": { - "markdown": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream#encryption_type)\n - [https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html](https://docs.aws.amazon.com/streams/latest/dev/server-side-encryption.html)\n", - "text": "The AWS Kinesis stream does not encrypt data at rest. The data could be read if the Kinesis stream storage layer is compromised. Enable Kinesis stream server-side encryption." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted", - "id": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted", - "name": "terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-311: Missing Encryption of Sensitive Data", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-unencrypted.aws-kinesis-stream-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands." - }, - "help": { - "markdown": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user controlled content when spawning a process. This is dangerous because it allows a malicious actor to execute commands." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args", - "id": "python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args", - "name": "python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-spawn-process-tainted-env-args.dangerous-spawn-process-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks kucoin-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks kucoin-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks kucoin-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key", - "id": "generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key", - "name": "generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.kucoin-secret-key.kucoin-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities", - "id": "kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities", - "name": "kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxreader-xxe-parameter-entities.saxreader-xxe-parameter-entities" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead." - }, - "help": { - "markdown": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel)\n - [https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ](https://yaml.readthedocs.io/en/latest/basicuse.html?highlight=typ)\n", - "text": "Avoid using unsafe `ruamel.yaml.YAML()`. `ruamel.yaml.YAML` can create arbitrary Python objects. A malicious actor could exploit this to run arbitrary code. Use `YAML(typ='rt')` or `YAML(typ='safe')` instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel", - "id": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel", - "name": "python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.avoid-unsafe-ruamel.avoid-unsafe-ruamel" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside `...`. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-subshell.dangerous-subshell", - "id": "ruby.lang.security.dangerous-subshell.dangerous-subshell", - "name": "ruby.lang.security.dangerous-subshell.dangerous-subshell", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.dangerous-subshell.dangerous-subshell" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.hyper.sql.postgres-taint.postgres-taint", - "id": "rust.hyper.sql.postgres-taint.postgres-taint", - "name": "rust.hyper.sql.postgres-taint.postgres-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.hyper.sql.postgres-taint.postgres-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements." - }, - "help": { - "markdown": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection)\n - [https://laravel.com/docs/8.x/queries](https://laravel.com/docs/8.x/queries)\n", - "text": "Detected a SQL query based on user input. This could lead to SQL injection, which could potentially result in sensitive data being exfiltrated by attackers. Instead, use parameterized queries and prepared statements." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-sql-injection.laravel-sql-injection", - "id": "php.laravel.security.laravel-sql-injection.laravel-sql-injection", - "name": "php.laravel.security.laravel-sql-injection.laravel-sql-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-sql-injection.laravel-sql-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string." - }, - "help": { - "markdown": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Detected a network listener listening on 0.0.0.0 or an empty string. This could unexpectedly expose the server publicly as it binds to all available interfaces. Instead, specify another IP address that is not 0.0.0.0 nor the empty string." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces", - "id": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces", - "name": "go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.bind_all.avoid-bind-to-all-interfaces" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader", - "id": "php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader", - "name": "php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-unsafe-entity-loader.laravel-unsafe-entity-loader" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.xss.xss)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. A popular library used to prevent XSS is DOMPurify. You can also use libraries and frameworks such as Angular, Vue, and React, which offer secure defaults when rendering input." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.xss.xss", - "id": "javascript.browser.xss.xss", - "name": "javascript.browser.xss.xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.xss.xss" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON." - }, - "help": { - "markdown": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization)\n - [https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/](https://mogwailabs.de/blog/2019/03/attacking-java-rmi-services-after-jep-290/)\n", - "text": "Using a non-primitive class with Java RMI may be an insecure deserialization vulnerability. Depending on the underlying implementation. This object could be manipulated by a malicious actor allowing them to execute code on your system. Instead, use an integer ID to look up your object, or consider alternative serialization schemes such as JSON." - }, - "helpUri": "https://semgrep.dev/r/java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization", - "id": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization", - "name": "java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.rmi.security.server-dangerous-class-deserialization.server-dangerous-class-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks intercom-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks intercom-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.intercom-api-key.intercom-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks intercom-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.intercom-api-key.intercom-api-key", - "id": "generic.secrets.gitleaks.intercom-api-key.intercom-api-key", - "name": "generic.secrets.gitleaks.intercom-api-key.intercom-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.intercom-api-key.intercom-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow." - }, - "help": { - "markdown": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/default_routes/index.markdown)\n", - "text": "Default routes are enabled in this routes file. This means any public method on a controller can be called as an action. It is very easy to accidentally expose a method you didn't mean to. Instead, remove this line and explicitly include all routes you intend external users to follow." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes", - "id": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes", - "name": "ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-276: Incorrect Default Permissions", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-default-routes.avoid-default-routes" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." - }, - "help": { - "markdown": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop)\n - [https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf](https://github.com/HoLyVieR/prototype-pollution-nsec18/blob/master/paper/JavaScript_prototype_pollution_attack_in_NodeJS.pdf)\n", - "text": "Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop", - "id": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop", - "name": "javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks alibaba-access-key-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id", - "id": "generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id", - "name": "generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.alibaba-access-key-id.alibaba-access-key-id" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret", - "id": "ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret", - "name": "ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.cassandra.ruby-cassandra-hardcoded-secret.ruby-cassandra-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." - }, - "help": { - "markdown": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n", - "text": "Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens." - }, - "helpUri": "https://semgrep.dev/r/ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials", - "id": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials", - "name": "ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.jwt.security.jwt-exposed-credentials.ruby-jwt-exposed-credentials" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element." - }, - "help": { - "markdown": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled)\n - [https://stackoverflow.com/a/7442668](https://stackoverflow.com/a/7442668)\n", - "text": "Detected an element with disabled HTML escaping. If external data can reach this, this is a cross-site scripting (XSS) vulnerability. Ensure no external data can reach here, or remove 'escape=false' from this element." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled", - "id": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled", - "name": "java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences", - "LOW CONFIDENCE", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xss.jsf.autoescape-disabled.autoescape-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib", - "id": "python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib", - "name": "python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.os.tainted-os-command-stdlib.tainted-os-command-stdlib" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret", - "id": "csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret", - "name": "csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.system.oracleconnectionstringbuilder-hardcoded-secret.oracleconnectionstringbuilder-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys." - }, - "help": { - "markdown": "The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MSC51-CPP.+Ensure+your+random+number+generator+is+properly+seeded)\n", - "text": "The seed value of a Pseudo Random Number Generator (PRNG) is directly derived from the time, which is highly predictable. Do not use values from this PRNG to derive a secrets, such as passwords or cryptographic keys." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time", - "id": "cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time", - "name": "cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.rng.predictable-seed-rng-time.predictable-seed-rng-time" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme." - }, - "help": { - "markdown": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected an insecure redirect in this nginx configuration. If no scheme is specified, nginx will forward the request with the incoming scheme. This could result in unencrypted communications. To fix this, include the 'https' scheme." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.insecure-redirect.insecure-redirect", - "id": "generic.nginx.security.insecure-redirect.insecure-redirect", - "name": "generic.nginx.security.insecure-redirect.insecure-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.insecure-redirect.insecure-redirect" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SendGrid API Key detected" - }, - "help": { - "markdown": "SendGrid API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "SendGrid API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key", - "id": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key", - "name": "generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-sendgrid-api-key.detected-sendgrid-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password", - "id": "python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password", - "name": "python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.tormysql.python-tormysql-empty-password.python-tormysql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RSA keys should be at least 2048 bits based on NIST recommendation." - }, - "help": { - "markdown": "RSA keys should be at least 2048 bits based on NIST recommendation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#algorithms)\n", - "text": "RSA keys should be at least 2048 bits based on NIST recommendation." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", - "id": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", - "name": "java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.weak-rsa.use-of-weak-rsa-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." - }, - "help": { - "markdown": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root)\n - [https://github.com/hadolint/hadolint/wiki/DL3002](https://github.com/hadolint/hadolint/wiki/DL3002)\n", - "text": "The last user in the container is 'root'. This is a security hazard because if an attacker gains control of the container they will have root access. Switch back to another user after running commands as 'root'." - }, - "helpUri": "https://semgrep.dev/r/dockerfile.security.last-user-is-root.last-user-is-root", - "id": "dockerfile.security.last-user-is-root.last-user-is-root", - "name": "dockerfile.security.last-user-is-root.last-user-is-root", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: dockerfile.security.last-user-is-root.last-user-is-root" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services." - }, - "help": { - "markdown": "The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n", - "text": "The application was observed to leverage biometrics via Local Authentication, which returns a simple boolean result for authentication. This design is subject to bypass with runtime tampering tools such as Frida, Substrate, and others. Although this is limited to rooted (jailbroken) devices, consider implementing biometric authentication the reliable way - via Keychain Services." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.local-biometrics.insecure-biometrics", - "id": "swift.biometrics-and-auth.local-biometrics.insecure-biometrics", - "name": "swift.biometrics-and-auth.local-biometrics.insecure-biometrics", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-305: Authentication Bypass by Primary Weakness", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.local-biometrics.insecure-biometrics" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections." - }, - "help": { - "markdown": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings)\n - [https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies](https://docs.microsoft.com/en-us/aspnet/web-api/overview/advanced/http-cookies)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.formsauthentication.requiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_FormsAuthentication_RequireSSL)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL](https://docs.microsoft.com/en-us/dotnet/api/system.web.security.roles.cookierequiressl?redirectedfrom=MSDN&view=netframework-4.8#System_Web_Security_Roles_CookieRequireSSL)\n", - "text": "Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings", - "id": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings", - "name": "csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.web-config-insecure-cookie-settings.web-config-insecure-cookie-settings" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.elasticsearch.python-elasticsearch-hardcoded-secret.python-elasticsearch-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.elasticsearch.python-elasticsearch-hardcoded-secret.python-elasticsearch-hardcoded-secret", - "id": "python.elasticsearch.python-elasticsearch-hardcoded-secret.python-elasticsearch-hardcoded-secret", - "name": "python.elasticsearch.python-elasticsearch-hardcoded-secret.python-elasticsearch-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.elasticsearch.python-elasticsearch-hardcoded-secret.python-elasticsearch-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration allows for insecure accessing of media content over HTTP connections. This means that images, video, and other media (AVFoundation) data may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration allows for insecure accessing of media content over HTTP connections. This means that images, video, and other media (AVFoundation) data may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-media-load.ATS-insecure-media-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration allows for insecure accessing of media content over HTTP connections. This means that images, video, and other media (AVFoundation) data may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-media-load.ATS-insecure-media-loads", - "id": "swift.insecure-communication.ats.ats-media-load.ATS-insecure-media-loads", - "name": "swift.insecure-communication.ats.ats-media-load.ATS-insecure-media-loads", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-media-load.ATS-insecure-media-loads" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n" - }, - "help": { - "markdown": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine)\n - [https://go101.org/article/concurrent-common-mistakes.html](https://go101.org/article/concurrent-common-mistakes.html)\n", - "text": "Calling `$WG.Add` inside of an anonymous goroutine may result in `$WG.Wait`\nwaiting for more or less calls to `$WG.Done()` than expected\n" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine", - "id": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine", - "name": "trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-667: Improper Locking", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.waitgroup-add-called-inside-goroutine.waitgroup-add-called-inside-goroutine" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution" - }, - "help": { - "markdown": "If unverified user data can reach the `exec` method it can result in Remote Code Execution\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "If unverified user data can reach the `exec` method it can result in Remote Code Execution" - }, - "helpUri": "https://semgrep.dev/r/javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection", - "id": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection", - "name": "javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.shelljs.security.shelljs-exec-injection.shelljs-exec-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SSH Password detected" - }, - "help": { - "markdown": "SSH Password detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "SSH Password detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-ssh-password.detected-ssh-password", - "id": "generic.secrets.security.detected-ssh-password.detected-ssh-password", - "name": "generic.secrets.security.detected-ssh-password.detected-ssh-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-ssh-password.detected-ssh-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly." - }, - "help": { - "markdown": "Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.file-inclusion.file-inclusion)\n - [https://www.php.net/manual/en/function.include.php](https://www.php.net/manual/en/function.include.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/EasyRFISniff.php)\n - [https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion](https://en.wikipedia.org/wiki/File_inclusion_vulnerability#Types_of_Inclusion)\n", - "text": "Detected non-constant file inclusion. This can lead to local file inclusion (LFI) or remote file inclusion (RFI) if user input reaches this statement. LFI and RFI could lead to sensitive files being obtained by attackers. Instead, explicitly specify what to include. If that is not a viable solution, validate user input thoroughly." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.file-inclusion.file-inclusion", - "id": "php.lang.security.file-inclusion.file-inclusion", - "name": "php.lang.security.file-inclusion.file-inclusion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.file-inclusion.file-inclusion" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks confluent-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks confluent-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.confluent-access-token.confluent-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks confluent-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.confluent-access-token.confluent-access-token", - "id": "generic.secrets.gitleaks.confluent-access-token.confluent-access-token", - "name": "generic.secrets.gitleaks.confluent-access-token.confluent-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.confluent-access-token.confluent-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-empty-password.hardcoded-connection-empty-password)\n - [https://docs.rs/mongodb/latest/mongodb/](https://docs.rs/mongodb/latest/mongodb/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.mongodb.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "id": "rust.secrets.mongodb.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "name": "rust.secrets.mongodb.hardcoded-connection-empty-password.hardcoded-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.mongodb.hardcoded-connection-empty-password.hardcoded-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", - "id": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", - "name": "java.lang.security.audit.crypto.use-of-sha1.use-of-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-sha1.use-of-sha1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdo-sqli.jdo-sqli", - "id": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli", - "name": "java.lang.security.audit.sqli.jdo-sqli.jdo-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.sqli.jdo-sqli.jdo-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection", - "id": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection", - "name": "javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-evaluate-arg-injection.puppeteer-evaluate-arg-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead." - }, - "help": { - "markdown": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of a Java socket that is not encrypted. As a result, the traffic could be read by an attacker intercepting the network traffic. Use an SSLSocket created by 'SSLSocketFactory' or 'SSLServerSocketFactory' instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", - "id": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", - "name": "java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.unencrypted-socket.unencrypted-socket" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself." - }, - "help": { - "markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.web-client.ssrf", - "id": "csharp.lang.security.ssrf.web-client.ssrf", - "name": "csharp.lang.security.ssrf.web-client.ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.ssrf.web-client.ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM." - }, - "help": { - "markdown": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n", - "text": "Detected DES cipher or Triple DES algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use a secure symmetric cipher from the cryptodome package instead. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des", - "id": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des", - "name": "python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-des.insecure-cipher-algorithm-des" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.decoded-xss.decoded-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.decoded-xss.decoded-xss", - "id": "javascript.browser.decoded-xss.decoded-xss", - "name": "javascript.browser.decoded-xss.decoded-xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.decoded-xss.decoded-xss" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.base64-encoded-hardcoded-secret.base64-encoded-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.net.http.base64-encoded-hardcoded-secret.base64-encoded-hardcoded-secret", - "id": "java.lang.security.net.http.base64-encoded-hardcoded-secret.base64-encoded-hardcoded-secret", - "name": "java.lang.security.net.http.base64-encoded-hardcoded-secret.base64-encoded-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.net.http.base64-encoded-hardcoded-secret.base64-encoded-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.file.tainted-shelve-aws-lambda.tainted-shelve-aws-lambda)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.file.tainted-shelve-aws-lambda.tainted-shelve-aws-lambda", - "id": "python.aws-lambda.file.tainted-shelve-aws-lambda.tainted-shelve-aws-lambda", - "name": "python.aws-lambda.file.tainted-shelve-aws-lambda.tainted-shelve-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.file.tainted-shelve-aws-lambda.tainted-shelve-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings" - }, - "help": { - "markdown": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/function_app#enabled)\n", - "text": "Enabling authentication ensures that all communications in the application are authenticated. The `auth_settings` block needs to be filled out with the appropriate auth backend settings" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled", - "id": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled", - "name": "terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.functionapp.functionapp-authentication-enabled.functionapp-authentication-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead." - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.tainted-html-string.tainted-html-string", - "id": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string", - "name": "javascript.aws-lambda.security.tainted-html-string.tainted-html-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.tainted-html-string.tainted-html-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "help": { - "markdown": "Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n", - "text": "Detects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2", - "id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2", - "name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions2.disallow-old-tls-versions2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath-sls.tainted-xpath-sls)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath-sls.tainted-xpath-sls", - "id": "java.micronaut.xpath.tainted-xpath-sls.tainted-xpath-sls", - "name": "java.micronaut.xpath.tainted-xpath-sls.tainted-xpath-sls", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.xpath.tainted-xpath-sls.tainted-xpath-sls" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.python-requests-hardcoded-auth.python-requests-hardcoded-auth)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.requests.python-requests-hardcoded-auth.python-requests-hardcoded-auth", - "id": "python.requests.python-requests-hardcoded-auth.python-requests-hardcoded-auth", - "name": "python.requests.python-requests-hardcoded-auth.python-requests-hardcoded-auth", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.requests.python-requests-hardcoded-auth.python-requests-hardcoded-auth" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mongodb.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.mongodb.mongo-hardcoded-secret.mongo-hardcoded-secret", - "id": "go.secrets.mongodb.mongo-hardcoded-secret.mongo-hardcoded-secret", - "name": "go.secrets.mongodb.mongo-hardcoded-secret.mongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.mongodb.mongo-hardcoded-secret.mongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A prompt is created and user-controlled data reaches that prompt. This can lead to prompt injection. Make sure the user inputs are properly segmented from the system's in your prompts." - }, - "help": { - "markdown": "A prompt is created and user-controlled data reaches that prompt. This can lead to prompt injection. Make sure the user inputs are properly segmented from the system's in your prompts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.ai.prompt-injection-fastapi.prompt-injection-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A prompt is created and user-controlled data reaches that prompt. This can lead to prompt injection. Make sure the user inputs are properly segmented from the system's in your prompts." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.ai.prompt-injection-fastapi.prompt-injection-fastapi", - "id": "python.fastapi.ai.prompt-injection-fastapi.prompt-injection-fastapi", - "name": "python.fastapi.ai.prompt-injection-fastapi.prompt-injection-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.ai.prompt-injection-fastapi.prompt-injection-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." - }, - "help": { - "markdown": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link)\n - [https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)\n", - "text": "This link points to a plaintext HTTP URL. Prefer an encrypted HTTPS URL if possible." - }, - "helpUri": "https://semgrep.dev/r/html.security.plaintext-http-link.plaintext-http-link", - "id": "html.security.plaintext-http-link.plaintext-http-link", - "name": "html.security.plaintext-http-link.plaintext-http-link", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: html.security.plaintext-http-link.plaintext-http-link" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret", - "id": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret", - "name": "javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.passport-jwt.security.passport-hardcode.hardcoded-passport-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection](https://docs.djangoproject.com/en/3.0/topics/security/#sql-injection-protection)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using the Django object-relational mappers (ORM) instead of raw SQL queries." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-sql-string.tainted-sql-string", - "id": "python.django.security.injection.tainted-sql-string.tainted-sql-string", - "name": "python.django.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-push.react-nextjs-router-push)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "helpUri": "https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-push.react-nextjs-router-push", - "id": "typescript.nextjs.react-nextjs-router-push.react-nextjs-router-push", - "name": "typescript.nextjs.react-nextjs-router-push.react-nextjs-router-push", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nextjs.react-nextjs-router-push.react-nextjs-router-push" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Artifactory token detected" - }, - "help": { - "markdown": "Artifactory token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Artifactory token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-artifactory-password.detected-artifactory-password", - "id": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password", - "name": "generic.secrets.security.detected-artifactory-password.detected-artifactory-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-artifactory-password.detected-artifactory-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted." - }, - "help": { - "markdown": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection)\n - [https://cwe.mitre.org/data/definitions/323.html](https://cwe.mitre.org/data/definitions/323.html)\n", - "text": "GCM detected, please check that IV/nonce is not reused, an Initialization Vector (IV) is a nonce used to randomize the encryption, so that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts are different.Unlike the Key, the IV usually does not need to be secret, rather it is important that it is random and unique. Certain encryption schemes the IV is exchanged in public as part of the ciphertext. Reusing same Initialization Vector with the same Key to encrypt multiple plaintext blocks allows an attacker to compare the ciphertexts and then, with some assumptions on the content of the messages, to gain important information about the data being encrypted." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.gcm-detection.gcm-detection", - "id": "kotlin.lang.security.gcm-detection.gcm-detection", - "name": "kotlin.lang.security.gcm-detection.gcm-detection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-323: Reusing a Nonce, Key Pair in Encryption", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.gcm-detection.gcm-detection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction." - }, - "help": { - "markdown": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n", - "text": "Ensure that groups of actions that include iam:PassRole and could result in privilege escalation are not all allowed for the same user. These actions could result in an attacker gaining full admin access of an AWS account. Try not to use these actions in conjuction." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles", - "id": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles", - "name": "terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-roles.no-iam-priv-esc-roles" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." - }, - "help": { - "markdown": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", - "text": "DOCTYPE declarations are enabled for $DBFACTORY. Without prohibiting external entity declarations, this is vulnerable to XML external entity attacks. Disable this by setting the feature \"http://apache.org/xml/features/disallow-doctype-decl\" to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features \"http://xml.org/sax/features/external-general-entities\" and \"http://xml.org/sax/features/external-parameter-entities\" to false." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", - "id": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", - "name": "java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xxe.documentbuilderfactory-disallow-doctype-decl-false.documentbuilderfactory-disallow-doctype-decl-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use." - }, - "help": { - "markdown": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher)\n - [https://golang.org/pkg/crypto/tls/#InsecureCipherSuites](https://golang.org/pkg/crypto/tls/#InsecureCipherSuites)\n", - "text": "Detected an insecure CipherSuite via the 'tls' module. This suite is considered weak. Use the function 'tls.CipherSuites()' to get a list of good cipher suites. See https://golang.org/pkg/crypto/tls/#InsecureCipherSuites for why and what other cipher suites to use." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.tls.tls-with-insecure-cipher", - "id": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher", - "name": "go.lang.security.audit.crypto.tls.tls-with-insecure-cipher", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.crypto.tls.tls-with-insecure-cipher" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://x-stream.github.io/security.html](https://x-stream.github.io/security.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "id": "java.servlets.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "name": "java.servlets.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Webviews were observed that explictly allow JavaScript in an WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privelege." - }, - "help": { - "markdown": "Webviews were observed that explictly allow JavaScript in an WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privelege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n - [https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati](https://developer.apple.com/documentation/webkit/wkpreferences/1536573-javascriptcanopenwindowsautomati)\n", - "text": "Webviews were observed that explictly allow JavaScript in an WKWebview to open windows automatically. Consider disabling this functionality if not required, following the principle of least privelege." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows", - "id": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows", - "name": "swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-js-window.swift-webview-config-allows-js-open-windows" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks twitter-bearer-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks twitter-bearer-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks twitter-bearer-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token", - "id": "generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token", - "name": "generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.twitter-bearer-token.twitter-bearer-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-secret.jetbrains-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.sql.jetbrains-hardcoded-secret.jetbrains-hardcoded-secret", - "id": "kotlin.sql.jetbrains-hardcoded-secret.jetbrains-hardcoded-secret", - "name": "kotlin.sql.jetbrains-hardcoded-secret.jetbrains-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.sql.jetbrains-hardcoded-secret.jetbrains-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "help": { - "markdown": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.wtforms.web.wtforms-csrf-false.wtforms-csrf-false)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://wtforms.readthedocs.io/en/2.3.x/meta/#module-wtforms.meta](https://wtforms.readthedocs.io/en/2.3.x/meta/#module-wtforms.meta)\n", - "text": "The application does not appear to verify inbound requests which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. To prevent this vulnerability start by identifying if the framework or library leveraged has built-in features or offers plugins for CSRF protection. CSRF tokens should be unique and securely random. The `Synchronizer Token` or `Double Submit Cookie` patterns with defense-in-depth mechanisms such as the `sameSite` cookie flag can help prevent CSRF. For more information, see: [Cross-site request forgery prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html)" - }, - "helpUri": "https://semgrep.dev/r/python.wtforms.web.wtforms-csrf-false.wtforms-csrf-false", - "id": "python.wtforms.web.wtforms-csrf-false.wtforms-csrf-false", - "name": "python.wtforms.web.wtforms-csrf-false.wtforms-csrf-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.wtforms.web.wtforms-csrf-false.wtforms-csrf-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks." - }, - "help": { - "markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n", - "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. By adding a `securityContext` to your Kubernetes pod, you can help to ensure that your containerized applications are more secure and less vulnerable to privilege escalation attacks." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext", - "id": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext", - "name": "yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-no-securitycontext.allow-privilege-escalation-no-securitycontext" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pickle.tainted-pickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The C implementations of the `pickle` module, called `cPickle` or `_pickle`, are also considered insecure." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-pickle.tainted-pickle", - "id": "python.lang.deserialization.tainted-pickle.tainted-pickle", - "name": "python.lang.deserialization.tainted-pickle.tainted-pickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-pickle.tainted-pickle" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks easypost-test-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks easypost-test-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks easypost-test-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token", - "id": "generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token", - "name": "generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.easypost-test-api-token.easypost-test-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected `$REQ` argument which enters `$RES.$HEADER`, this can lead to session fixation vulnerabilities if an attacker can control the cookie value. This vulnerability can lead to unauthorized access to accounts, and in some esoteric cases, Cross-Site-Scripting (XSS). Users should not be able to influence cookies directly, for session cookies, they should be generated securely using an approved session management library. If the cookie does need to be set by a user, consider using an allow-list based approach to restrict the cookies which can be set." - }, - "help": { - "markdown": "Detected `$REQ` argument which enters `$RES.$HEADER`, this can lead to session fixation vulnerabilities if an attacker can control the cookie value. This vulnerability can lead to unauthorized access to accounts, and in some esoteric cases, Cross-Site-Scripting (XSS). Users should not be able to influence cookies directly, for session cookies, they should be generated securely using an approved session management library. If the cookie does need to be set by a user, consider using an allow-list based approach to restrict the cookies which can be set.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.session-fixation.session-fixation)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n - [https://owasp.org/www-community/attacks/Session_fixation](https://owasp.org/www-community/attacks/Session_fixation)\n", - "text": "Detected `$REQ` argument which enters `$RES.$HEADER`, this can lead to session fixation vulnerabilities if an attacker can control the cookie value. This vulnerability can lead to unauthorized access to accounts, and in some esoteric cases, Cross-Site-Scripting (XSS). Users should not be able to influence cookies directly, for session cookies, they should be generated securely using an approved session management library. If the cookie does need to be set by a user, consider using an allow-list based approach to restrict the cookies which can be set." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.session-fixation.session-fixation", - "id": "javascript.express.session-fixation.session-fixation", - "name": "javascript.express.session-fixation.session-fixation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-384: Session Fixation", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.session-fixation.session-fixation" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `Kryo` unless you explicitly define permissions for types that are allowed to be deserialized by `Kryo`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `Kryo` unless you explicitly define permissions for types that are allowed to be deserialized by `Kryo`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.kryo-deserialization-deepsemgrep.kryo-deserialization-deepsemgrep)\n - [https://github.com/EsotericSoftware/kryo](https://github.com/EsotericSoftware/kryo)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `Kryo` unless you explicitly define permissions for types that are allowed to be deserialized by `Kryo`." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.kryo-deserialization-deepsemgrep.kryo-deserialization-deepsemgrep", - "id": "java.servlets.security.kryo-deserialization-deepsemgrep.kryo-deserialization-deepsemgrep", - "name": "java.servlets.security.kryo-deserialization-deepsemgrep.kryo-deserialization-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.kryo-deserialization-deepsemgrep.kryo-deserialization-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Externally controlled data is used to index a fixed-size array, `$BUFFER`. This could lead to an out-of-bounds read or write, triggering memory corruption." - }, - "help": { - "markdown": "Externally controlled data is used to index a fixed-size array, `$BUFFER`. This could lead to an out-of-bounds read or write, triggering memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.unvalidated-array-index.unvalidated-array-index)\n - [https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts](https://wiki.sei.cmu.edu/confluence/display/c/ARR30-C.+Do+not+form+or+use+out-of-bounds+pointers+or+array+subscripts)\n", - "text": "Externally controlled data is used to index a fixed-size array, `$BUFFER`. This could lead to an out-of-bounds read or write, triggering memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.unvalidated-array-index.unvalidated-array-index", - "id": "cpp.lang.security.memory.unvalidated-array-index.unvalidated-array-index", - "name": "cpp.lang.security.memory.unvalidated-array-index.unvalidated-array-index", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.unvalidated-array-index.unvalidated-array-index" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "id": "python.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "name": "python.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection", - "id": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection", - "name": "javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-code-injection.playwright-evaluate-code-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.path-traversal.tainted-path.tainted-path)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.path-traversal.tainted-path.tainted-path", - "id": "rust.actix.path-traversal.tainted-path.tainted-path", - "name": "rust.actix.path-traversal.tainted-path.tainted-path", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.path-traversal.tainted-path.tainted-path" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "id": "java.lang.security.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "name": "java.lang.security.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.xpath-injection.xpath-taint.xpath-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.xpath-injection.xpath-taint.xpath-taint", - "id": "csharp.dotnet-core.xpath-injection.xpath-taint.xpath-taint", - "name": "csharp.dotnet-core.xpath-injection.xpath-taint.xpath-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.xpath-injection.xpath-taint.xpath-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The 'phpinfo' function may reveal sensitive information about your environment." - }, - "help": { - "markdown": "The 'phpinfo' function may reveal sensitive information about your environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use)\n - [https://www.php.net/manual/en/function.phpinfo](https://www.php.net/manual/en/function.phpinfo)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/PhpinfosSniff.php)\n", - "text": "The 'phpinfo' function may reveal sensitive information about your environment." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.phpinfo-use.phpinfo-use", - "id": "php.lang.security.phpinfo-use.phpinfo-use", - "name": "php.lang.security.phpinfo-use.phpinfo-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.phpinfo-use.phpinfo-use" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution." - }, - "help": { - "markdown": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/90](https://cwe.mitre.org/data/definitions/90)\n - [https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example](https://cheatsheetseries.owasp.org/cheatsheets/LDAP_Injection_Prevention_Cheat_Sheet.html#safe-c-sharp-net-tba-example)\n", - "text": "LDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.ldap-injection.ldap-injection", - "id": "csharp.dotnet.security.audit.ldap-injection.ldap-injection", - "name": "csharp.dotnet.security.audit.ldap-injection.ldap-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.audit.ldap-injection.ldap-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was found to use nscoding, which is not considered secure. When decoding serialized objects, it is not possible to determine what they are, until post-decoding. `NSSecureCoding` should be used in place of nscoding, and secure serialization and deserialization should be used in all cases where such functionality is required." - }, - "help": { - "markdown": "The application was found to use nscoding, which is not considered secure. When decoding serialized objects, it is not possible to determine what they are, until post-decoding. `NSSecureCoding` should be used in place of nscoding, and secure serialization and deserialization should be used in all cases where such functionality is required.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.ns.nscoding.swift-nscoding)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n", - "text": "The application was found to use nscoding, which is not considered secure. When decoding serialized objects, it is not possible to determine what they are, until post-decoding. `NSSecureCoding` should be used in place of nscoding, and secure serialization and deserialization should be used in all cases where such functionality is required." - }, - "helpUri": "https://semgrep.dev/r/swift.lang.ns.nscoding.swift-nscoding", - "id": "swift.lang.ns.nscoding.swift-nscoding", - "name": "swift.lang.ns.nscoding.swift-nscoding", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.lang.ns.nscoding.swift-nscoding" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks cloudflare-origin-ca-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key", - "id": "generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key", - "name": "generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.cloudflare-origin-ca-key.cloudflare-origin-ca-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website." - }, - "help": { - "markdown": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)\n", - "text": "The application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-open-redirect.express-open-redirect", - "id": "javascript.express.security.audit.express-open-redirect.express-open-redirect", - "name": "javascript.express.security.audit.express-open-redirect.express-open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-open-redirect.express-open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "`$SINK_VAR` has previously been deleted which will trigger a double-free vulnerability. This may lead to memory corruption." - }, - "help": { - "markdown": "`$SINK_VAR` has previously been deleted which will trigger a double-free vulnerability. This may lead to memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.deallocation.double-delete.double-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory)\n", - "text": "`$SINK_VAR` has previously been deleted which will trigger a double-free vulnerability. This may lead to memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.deallocation.double-delete.double-delete", - "id": "cpp.lang.security.memory.deallocation.double-delete.double-delete", - "name": "cpp.lang.security.memory.deallocation.double-delete.double-delete", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-415: Double Free", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.deallocation.double-delete.double-delete" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The App may use weak IVs like \"0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\" or \"0x01,0x02,0x03,0x04,0x05,0x06,0x07\". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack." - }, - "help": { - "markdown": "The App may use weak IVs like \"0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\" or \"0x01,0x02,0x03,0x04,0x05,0x06,0x07\". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_iv.weak_iv)\n", - "text": "The App may use weak IVs like \"0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00\" or \"0x01,0x02,0x03,0x04,0x05,0x06,0x07\". Not using a random IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.crypto.weak_iv.weak_iv", - "id": "mobsf.mobsfscan.crypto.weak_iv.weak_iv", - "name": "mobsf.mobsfscan.crypto.weak_iv.weak_iv", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-1204", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.crypto.weak_iv.weak_iv" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks gitlab-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks gitlab-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.gitlab-pat.gitlab-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks gitlab-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.gitlab-pat.gitlab-pat", - "id": "generic.secrets.gitleaks.gitlab-pat.gitlab-pat", - "name": "generic.secrets.gitleaks.gitlab-pat.gitlab-pat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.gitlab-pat.gitlab-pat" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters." - }, - "help": { - "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, hardcode the correct host, or ensure that the user data can only affect the path or parameters." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-url-host.tainted-url-host", - "id": "java.spring.security.injection.tainted-url-host.tainted-url-host", - "name": "java.spring.security.injection.tainted-url-host.tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.injection.tainted-url-host.tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1)\n - [https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1](https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sha-1)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "id": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "name": "python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "ERC677 callAfterTransfer() reentrancy" - }, - "help": { - "markdown": "ERC677 callAfterTransfer() reentrancy\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy)\n - [https://twitter.com/peckshield/status/1509431646818234369](https://twitter.com/peckshield/status/1509431646818234369)\n - [https://twitter.com/blocksecteam/status/1509466576848064512](https://twitter.com/blocksecteam/status/1509466576848064512)\n - [https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611](https://explorer.fuse.io/address/0x139Eb08579eec664d461f0B754c1F8B569044611)\n - [https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58](https://explorer.fuse.io/address/0x5De15b5543c178C111915d6B8ae929Af01a8cC58)\n", - "text": "ERC677 callAfterTransfer() reentrancy" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.erc677-reentrancy.erc677-reentrancy", - "id": "solidity.security.erc677-reentrancy.erc677-reentrancy", - "name": "solidity.security.erc677-reentrancy.erc677-reentrancy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.erc677-reentrancy.erc677-reentrancy" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks gitlab-ptt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks gitlab-ptt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks gitlab-ptt was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt", - "id": "generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt", - "name": "generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.gitlab-ptt.gitlab-ptt" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-hdf-pyramid.tainted-pandas-hdf-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-pandas-hdf-pyramid.tainted-pandas-hdf-pyramid", - "id": "python.pyramid.deserialization.tainted-pandas-hdf-pyramid.tainted-pandas-hdf-pyramid", - "name": "python.pyramid.deserialization.tainted-pandas-hdf-pyramid.tainted-pandas-hdf-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-pandas-hdf-pyramid.tainted-pandas-hdf-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 1.3M iterations should be used with SHA1" - }, - "help": { - "markdown": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 1.3M iterations should be used with SHA1\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha1.insufficient-pbkdf2-work-factor-sha1)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://pages.nist.gov/800-63-3/sp800-63b.html#sec5](https://pages.nist.gov/800-63-3/sp800-63b.html#sec5)\n", - "text": "PBKDF2 usage was identified with an insufficient work factor, i.e. an iteration count (rounds) lower than modern guidelines prescribe. Per OWASP guidance, 1.3M iterations should be used with SHA1" - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insufficient-pbkdf2-work-factor-sha1.insufficient-pbkdf2-work-factor-sha1", - "id": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha1.insufficient-pbkdf2-work-factor-sha1", - "name": "swift.commoncrypto.insufficient-pbkdf2-work-factor-sha1.insufficient-pbkdf2-work-factor-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-916: Use of Password Hash With Insufficient Computational Effort", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insufficient-pbkdf2-work-factor-sha1.insufficient-pbkdf2-work-factor-sha1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-dill-pyramid.tainted-dill-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-dill-pyramid.tainted-dill-pyramid", - "id": "python.pyramid.deserialization.tainted-dill-pyramid.tainted-dill-pyramid", - "name": "python.pyramid.deserialization.tainted-dill-pyramid.tainted-dill-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-dill-pyramid.tainted-dill-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "In $METHOD, $X is used to construct a SQL query via string concatenation." - }, - "help": { - "markdown": "In $METHOD, $X is used to construct a SQL query via string concatenation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "In $METHOD, $X is used to construct a SQL query via string concatenation." - }, - "helpUri": "https://semgrep.dev/r/java.jboss.security.session_sqli.find-sql-string-concatenation", - "id": "java.jboss.security.session_sqli.find-sql-string-concatenation", - "name": "java.jboss.security.session_sqli.find-sql-string-concatenation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jboss.security.session_sqli.find-sql-string-concatenation" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-legacy-workspace-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-legacy-workspace-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-legacy-workspace-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token", - "id": "generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token", - "name": "generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-legacy-workspace-token.slack-legacy-workspace-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code." - }, - "help": { - "markdown": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user controlled data inside InteractiveConsole/InteractiveInterpreter method. This is dangerous if external data can reach this function call because it allows a malicious actor to run arbitrary Python code." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args", - "id": "python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args", - "name": "python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-code-run-tainted-env-args.dangerous-interactive-code-run-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header-decoded.hardcoded-secret-in-request-header-decoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header-decoded.hardcoded-secret-in-request-header-decoded", - "id": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header-decoded.hardcoded-secret-in-request-header-decoded", - "name": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header-decoded.hardcoded-secret-in-request-header-decoded", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.okhttp.secrets.hardcoded-secret-in-request-header-decoded.hardcoded-secret-in-request-header-decoded" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`." - }, - "help": { - "markdown": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected input from a HTTPServletRequest going into the environment variables of an 'exec' command. Instead, call the command with user-supplied arguments by using the overloaded method with one String array as the argument. `exec({\"command\", \"arg1\", \"arg2\"})`." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", - "id": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", - "name": "java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-454: External Initialization of Trusted Variables or Data Stores", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.tainted-env-from-http-request.tainted-env-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.file.tainted-path-traversal-stdlib-aws-lambda.tainted-path-traversal-stdlib-aws-lambda)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.file.tainted-path-traversal-stdlib-aws-lambda.tainted-path-traversal-stdlib-aws-lambda", - "id": "python.aws-lambda.file.tainted-path-traversal-stdlib-aws-lambda.tainted-path-traversal-stdlib-aws-lambda", - "name": "python.aws-lambda.file.tainted-path-traversal-stdlib-aws-lambda.tainted-path-traversal-stdlib-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.file.tainted-path-traversal-stdlib-aws-lambda.tainted-path-traversal-stdlib-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/go.jwt-go.security.jwt.hardcoded-jwt-key", - "id": "go.jwt-go.security.jwt.hardcoded-jwt-key", - "name": "go.jwt-go.security.jwt.hardcoded-jwt-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.jwt-go.security.jwt.hardcoded-jwt-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret", - "id": "python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret", - "name": "python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymongo.python-pymongo-hardcoded-secret.python-pymongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information." - }, - "help": { - "markdown": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect)\n - [https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/](https://www.djm.org.uk/posts/djangos-little-protections-word-redirect-dangers/)\n - [https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231](https://github.com/django/django/blob/d1b7bd030b1db111e1a3505b1fc029ab964382cc/django/utils/http.py#L231)\n", - "text": "Data from request ($DATA) is passed to redirect(). This is an open redirect and could be exploited. Ensure you are redirecting to safe URLs by using django.utils.http.is_safe_url(). See https://cwe.mitre.org/data/definitions/601.html for more information." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.open-redirect.open-redirect", - "id": "python.django.security.injection.open-redirect.open-redirect", - "name": "python.django.security.injection.open-redirect.open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.open-redirect.open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "help": { - "markdown": "The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-rsa-pkcs1-encrypt.cryptography-rsa-pkcs1-encrypt)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n", - "text": "The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.cryptography-rsa-pkcs1-encrypt.cryptography-rsa-pkcs1-encrypt", - "id": "python.cryptography.cryptography-rsa-pkcs1-encrypt.cryptography-rsa-pkcs1-encrypt", - "name": "python.cryptography.cryptography-rsa-pkcs1-encrypt.cryptography-rsa-pkcs1-encrypt", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.cryptography-rsa-pkcs1-encrypt.cryptography-rsa-pkcs1-encrypt" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources." - }, - "help": { - "markdown": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Found a formatted string in BashOperator: $CMD. This could be vulnerable to injection. Be extra sure your variables are not controllable by external sources." - }, - "helpUri": "https://semgrep.dev/r/python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator", - "id": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator", - "name": "python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.airflow.security.audit.formatted-string-bashoperator.formatted-string-bashoperator" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel." - }, - "help": { - "markdown": "The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers)\n - [https://docs.python.org/3/library/ssl.html#cipher-selection](https://docs.python.org/3/library/ssl.html#cipher-selection)\n - [https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers](https://docs.python.org/3/library/ssl.html#ssl.SSLContext.set_ciphers)\n", - "text": "The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers", - "id": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers", - "name": "python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." - }, - "help": { - "markdown": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'." - }, - "helpUri": "https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", - "id": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", - "name": "dockerfile.security.missing-user-entrypoint.missing-user-entrypoint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity." - }, - "help": { - "markdown": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Data is being eval'd from a `curl` command. An attacker with control of the server in the `curl` command could inject malicious code into the `eval`, resulting in a system comrpomise. Avoid eval'ing untrusted data if you can. If you must do this, consider checking the SHA sum of the content returned by the server to verify its integrity." - }, - "helpUri": "https://semgrep.dev/r/bash.curl.security.curl-eval.curl-eval", - "id": "bash.curl.security.curl-eval.curl-eval", - "name": "bash.curl.security.curl-eval.curl-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: bash.curl.security.curl-eval.curl-eval" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks beamer-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks beamer-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.beamer-api-token.beamer-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks beamer-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.beamer-api-token.beamer-api-token", - "id": "generic.secrets.gitleaks.beamer-api-token.beamer-api-token", - "name": "generic.secrets.gitleaks.beamer-api-token.beamer-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.beamer-api-token.beamer-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements." - }, - "help": { - "markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection)\n - [https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data](https://docs.sqlalchemy.org/en/14/tutorial/data_select.html#tutorial-selecting-data)\n", - "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection", - "id": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection", - "name": "python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.security.sqlalchemy-sql-injection.pyramid-sqlalchemy-sql-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information." - }, - "help": { - "markdown": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Detected anonymous LDAP bind. This permits anonymous users to execute LDAP statements. Consider enforcing authentication for LDAP. See https://docs.oracle.com/javase/tutorial/jndi/ldap/auth_mechs.html for more information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind", - "id": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind", - "name": "java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.anonymous-ldap-bind.anonymous-ldap-bind" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Semgrep found a bash reverse shell" - }, - "help": { - "markdown": "Semgrep found a bash reverse shell\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Semgrep found a bash reverse shell" - }, - "helpUri": "https://semgrep.dev/r/generic.ci.security.bash-reverse-shell.bash_reverse_shell", - "id": "generic.ci.security.bash-reverse-shell.bash_reverse_shell", - "name": "generic.ci.security.bash-reverse-shell.bash_reverse_shell", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.ci.security.bash-reverse-shell.bash_reverse_shell" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "help": { - "markdown": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "XMLInputFactory being instantiated without calling the setProperty functions that are generally used for disabling entity processing. User controlled data in XML Document builder can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled", - "id": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled", - "name": "scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.xmlinputfactory-dtd-enabled.xmlinputfactory-dtd-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file." - }, - "help": { - "markdown": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase)\n - [https://cwe.mitre.org/data/definitions/522.html](https://cwe.mitre.org/data/definitions/522.html)\n", - "text": "Found the use of an hardcoded passphrase for RSA. The passphrase can be easily discovered, and therefore should not be stored in source-code. It is recommended to remove the passphrase from source-code, and use system environment variables or a restricted configuration file." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase", - "id": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase", - "name": "ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.hardcoded-secret-rsa-passphrase.hardcoded-secret-rsa-passphrase" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "help": { - "markdown": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n", - "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec-format-string.user-exec-format-string", - "id": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string", - "name": "python.django.security.injection.code.user-exec-format-string.user-exec-format-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.code.user-exec-format-string.user-exec-format-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Modifying an `std::vector` while iterating over it could cause the container to reallocate, triggering memory corruption." - }, - "help": { - "markdown": "Modifying an `std::vector` while iterating over it could cause the container to reallocate, triggering memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.containers.std-vector-invalidation.std-vector-invalidation)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n", - "text": "Modifying an `std::vector` while iterating over it could cause the container to reallocate, triggering memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.containers.std-vector-invalidation.std-vector-invalidation", - "id": "cpp.lang.security.containers.std-vector-invalidation.std-vector-invalidation", - "name": "cpp.lang.security.containers.std-vector-invalidation.std-vector-invalidation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-416: Use After Free", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.containers.std-vector-invalidation.std-vector-invalidation" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SoftLayer API Key detected" - }, - "help": { - "markdown": "SoftLayer API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "SoftLayer API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key", - "id": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key", - "name": "generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-softlayer-api-key.detected-softlayer-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content." - }, - "help": { - "markdown": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html)\n - [https://vuejs.org/v2/guide/syntax.html#Raw-HTML](https://vuejs.org/v2/guide/syntax.html#Raw-HTML)\n", - "text": "Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content." - }, - "helpUri": "https://semgrep.dev/r/javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html", - "id": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html", - "name": "javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.vue.security.audit.xss.templates.avoid-v-html.avoid-v-html" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk." - }, - "help": { - "markdown": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Remote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk." - }, - "helpUri": "https://semgrep.dev/r/javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools", - "id": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools", - "name": "javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.puppeteer.security.audit.puppeteer-exposed-chrome-devtools.puppeteer-exposed-chrome-devtools" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxreader-xxe.saxreader-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.saxreader-xxe.saxreader-xxe", - "id": "java.lang.security.xxe.saxreader-xxe.saxreader-xxe", - "name": "java.lang.security.xxe.saxreader-xxe.saxreader-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.saxreader-xxe.saxreader-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function" - }, - "help": { - "markdown": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "top-level app.run(...) is ignored by flask. Consider putting app.run(...) behind a guard, like inside a function" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly", - "id": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly", - "name": "python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-668: Exposure of Resource to Wrong Sphere", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.app-run-security-config.avoid_using_app_run_directly" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Externally controlled data influences the size of an allocation. This can usually lead to overflow or underflow and later trigger an out of bounds conditions." - }, - "help": { - "markdown": "Externally controlled data influences the size of an allocation. This can usually lead to overflow or underflow and later trigger an out of bounds conditions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.memory.allocation.tainted-allocation-size.tainted-allocation-size)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM05-C.+Avoid+large+stack+allocations](https://wiki.sei.cmu.edu/confluence/display/c/MEM05-C.+Avoid+large+stack+allocations)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM35-C.+Allocate+sufficient+memory+for+an+object](https://wiki.sei.cmu.edu/confluence/display/c/MEM35-C.+Allocate+sufficient+memory+for+an+object)\n - [https://www.securecoding.cert.org/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range](https://www.securecoding.cert.org/confluence/display/c/ARR32-C.+Ensure+size+arguments+for+variable+length+arrays+are+in+a+valid+range)\n", - "text": "Externally controlled data influences the size of an allocation. This can usually lead to overflow or underflow and later trigger an out of bounds conditions." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.memory.allocation.tainted-allocation-size.tainted-allocation-size", - "id": "cpp.lang.security.memory.allocation.tainted-allocation-size.tainted-allocation-size", - "name": "cpp.lang.security.memory.allocation.tainted-allocation-size.tainted-allocation-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.memory.allocation.tainted-allocation-size.tainted-allocation-size" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI." - }, - "help": { - "markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n", - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag", - "id": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag", - "name": "javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.var-in-script-tag.var-in-script-tag" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations." - }, - "help": { - "markdown": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n", - "text": "This GitHub Actions workflow file uses `pull_request_target` and checks out code from the incoming pull request. When using `pull_request_target`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations." - }, - "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout", - "id": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout", - "name": "yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-913: Improper Control of Dynamically-Managed Code Resources", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.github-actions.security.pull-request-target-code-checkout.pull-request-target-code-checkout" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability." - }, - "help": { - "markdown": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user-controlled data used in a system call. This could allow a malicious actor to execute commands. Use the 'subprocess' module instead, which is easier to use without accidentally exposing a command injection vulnerability." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-system-call.dangerous-system-call", - "id": "python.lang.security.dangerous-system-call.dangerous-system-call", - "name": "python.lang.security.dangerous-system-call.dangerous-system-call", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.dangerous-system-call.dangerous-system-call" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against all types of XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "id": "kotlin.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "name": "kotlin.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxparserfactory-xxe-parameter-entity.saxparserfactory-xxe-parameter-entity" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure S3 object copies are encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk", - "id": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk", - "name": "terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-s3-object-copy-encrypted-with-cmk.aws-s3-object-copy-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Hidden elements in view can be used to hide data from user. But this data can be leaked. If the view contains sensitive data, it might still be accessible through memory inspection. A good practice is to clear sensitive data before hiding it." - }, - "help": { - "markdown": "Hidden elements in view can be used to hide data from user. But this data can be leaked. If the view contains sensitive data, it might still be accessible through memory inspection. A good practice is to clear sensitive data before hiding it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.hidden_ui.android_hidden_ui)\n", - "text": "Hidden elements in view can be used to hide data from user. But this data can be leaked. If the view contains sensitive data, it might still be accessible through memory inspection. A good practice is to clear sensitive data before hiding it." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.hidden_ui.android_hidden_ui", - "id": "mobsf.mobsfscan.android.hidden_ui.android_hidden_ui", - "name": "mobsf.mobsfscan.android.hidden_ui.android_hidden_ui", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-919", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.hidden_ui.android_hidden_ui" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY." - }, - "help": { - "markdown": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Cipher in ECB mode is detected. ECB mode produces the same output for the same input each time which allows an attacker to intercept and replay the data. Further, ECB mode does not provide any integrity checking. See https://find-sec-bugs.github.io/bugs.htm#CIPHER_INTEGRITY." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.ecb-cipher.ecb-cipher", - "id": "kotlin.lang.security.ecb-cipher.ecb-cipher", - "name": "kotlin.lang.security.ecb-cipher.ecb-cipher", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.ecb-cipher.ecb-cipher" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD" - }, - "help": { - "markdown": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n", - "text": "Method $METHOD in API controller $CLASS provides user arg $ARG to requests method $REQMETHOD" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.flask-api-method-string-format.flask-api-method-string-format", - "id": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format", - "name": "python.flask.security.flask-api-method-string-format.flask-api-method-string-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-134: Use of Externally-Controlled Format String", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.flask-api-method-string-format.flask-api-method-string-format" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "help": { - "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.tainted-url-host.tainted-url-host", - "id": "python.flask.security.injection.tainted-url-host.tainted-url-host", - "name": "python.flask.security.injection.tainted-url-host.tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.tainted-url-host.tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host." - }, - "help": { - "markdown": "A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://www.playframework.com/documentation/2.8.x/ScalaWS](https://www.playframework.com/documentation/2.8.x/ScalaWS)\n", - "text": "A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/scala.play.security.webservice-ssrf.webservice-ssrf", - "id": "scala.play.security.webservice-ssrf.webservice-ssrf", - "name": "scala.play.security.webservice-ssrf.webservice-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.play.security.webservice-ssrf.webservice-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.python-requests-hardcoded-secret.python-requests-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.requests.python-requests-hardcoded-secret.python-requests-hardcoded-secret", - "id": "python.requests.python-requests-hardcoded-secret.python-requests-hardcoded-secret", - "name": "python.requests.python-requests-hardcoded-secret.python-requests-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.requests.python-requests-hardcoded-secret.python-requests-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol." - }, - "help": { - "markdown": "Checks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request)\n - [https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html](https://docs.ruby-lang.org/en/2.0.0/Net/FTP.html)\n", - "text": "Checks for outgoing connections to ftp servers with the 'net/ftp' package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request", - "id": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request", - "name": "problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.ruby-stdlib.net-ftp-request.net-ftp-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.ssh.ssh-empty-password.ssh-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.ssh.ssh-empty-password.ssh-empty-password", - "id": "go.secrets.ssh.ssh-empty-password.ssh-empty-password", - "name": "go.secrets.ssh.ssh-empty-password.ssh-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.ssh.ssh-empty-password.ssh-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation." - }, - "help": { - "markdown": "The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure)\n - [https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/](https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/)\n", - "text": "The profiling 'pprof' endpoint is automatically exposed on /debug/pprof. This could leak information about the server. Instead, use `import \"net/http/pprof\"`. See https://www.farsightsecurity.com/blog/txt-record/go-remote-profiling-20161028/ for more information and mitigation." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.pprof.pprof-debug-exposure", - "id": "go.lang.security.audit.net.pprof.pprof-debug-exposure", - "name": "go.lang.security.audit.net.pprof.pprof-debug-exposure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "LOW CONFIDENCE", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.pprof.pprof-debug-exposure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.okhttp.secrets.empty-credentials.empty.Credentials)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.okhttp.secrets.empty-credentials.empty.Credentials", - "id": "kotlin.okhttp.secrets.empty-credentials.empty.Credentials", - "name": "kotlin.okhttp.secrets.empty-credentials.empty.Credentials", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.okhttp.secrets.empty-credentials.empty.Credentials" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.jjwt.jjwt-hardcode.jjwt-hardcode)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.jjwt.jjwt-hardcode.jjwt-hardcode", - "id": "kotlin.jjwt.jjwt-hardcode.jjwt-hardcode", - "name": "kotlin.jjwt.jjwt-hardcode.jjwt-hardcode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.jjwt.jjwt-hardcode.jjwt-hardcode" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications." - }, - "help": { - "markdown": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection)\n - [https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool](https://urllib3.readthedocs.io/en/1.2.1/pools.html#urllib3.connectionpool.HTTPSConnectionPool)\n", - "text": "Detected HTTPConnectionPool. This will transmit data in cleartext. It is recommended to use HTTPSConnectionPool instead for to encrypt communications." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.network.http-not-https-connection.http-not-https-connection", - "id": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection", - "name": "python.lang.security.audit.network.http-not-https-connection.http-not-https-connection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.network.http-not-https-connection.http-not-https-connection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "this function is only available on Python 3.6+" - }, - "help": { - "markdown": "this function is only available on Python 3.6+\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl)\n", - "text": "this function is only available on Python 3.6+" - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python36.python36-compatibility-ssl", - "id": "python.lang.compatibility.python36.python36-compatibility-ssl", - "name": "python.lang.compatibility.python36.python36-compatibility-ssl", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python36.python36-compatibility-ssl" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Use the `html/template` package which will safely render HTML instead, or inspect that the HTML is rendered safely." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.injection.raw-html-format.raw-html-format", - "id": "go.lang.security.injection.raw-html-format.raw-html-format", - "name": "go.lang.security.injection.raw-html-format.raw-html-format", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.injection.raw-html-format.raw-html-format" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead." - }, - "help": { - "markdown": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsapkcs1keyexchangedeformatter)\n - [https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter](https://learn.microsoft.com/en-gb/dotnet/api/system.security.cryptography.rsaoaepkeyexchangedeformatter)\n", - "text": "You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", - "id": "csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", - "name": "csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-780: Use of RSA Algorithm without OAEP", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.use_weak_rsa_encryption_padding.use_weak_rsa_encryption_padding" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs." - }, - "help": { - "markdown": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.csv-writer-injection.csv-writer-injection)\n - [https://github.com/raphaelm/defusedcsv](https://github.com/raphaelm/defusedcsv)\n - [https://owasp.org/www-community/attacks/CSV_Injection](https://owasp.org/www-community/attacks/CSV_Injection)\n - [https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities](https://web.archive.org/web/20220516052229/https://www.contextis.com/us/blog/comma-separated-vulnerabilities)\n", - "text": "Detected user input into a generated CSV file using the built-in `csv` module. If user data is used to generate the data in this file, it is possible that an attacker could inject a formula when the CSV is imported into a spreadsheet application that runs an attacker script, which could steal data from the importing user or, at worst, install malware on the user's computer. `defusedcsv` is a drop-in replacement with the same API that will attempt to mitigate formula injection attempts. You can use `defusedcsv` instead of `csv` to safely generate CSVs." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.csv-writer-injection.csv-writer-injection", - "id": "python.flask.security.injection.csv-writer-injection.csv-writer-injection", - "name": "python.flask.security.injection.csv-writer-injection.csv-writer-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1236: Improper Neutralization of Formula Elements in a CSV File", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.csv-writer-injection.csv-writer-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-create-element-href.react-nextjs-router-create-element-href)\n - [https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts](https://github.com/segmentio/ui-box/blob/master/src/utils/safeHref.ts)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase." - }, - "helpUri": "https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-create-element-href.react-nextjs-router-create-element-href", - "id": "typescript.nextjs.react-nextjs-router-create-element-href.react-nextjs-router-create-element-href", - "name": "typescript.nextjs.react-nextjs-router-create-element-href.react-nextjs-router-create-element-href", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nextjs.react-nextjs-router-create-element-href.react-nextjs-router-create-element-href" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks." - }, - "help": { - "markdown": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification)\n - [https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate](https://stackoverflow.com/questions/12122159/how-to-do-a-https-request-with-bad-certificate)\n", - "text": "Checks for disabling of TLS/SSL certificate verification. This should only be used for debugging purposes because it leads to vulnerability to MTM attacks." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification", - "id": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification", - "name": "problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.bypass-tls-verification.bypass-tls-verification" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks" - }, - "help": { - "markdown": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas)\n - [https://lxml.de/FAQ.html](https://lxml.de/FAQ.html)\n", - "text": "Found usage of the `$FLAVOR` library, which is vulnerable to attacks such as XML external entity (XXE) attacks" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.lxml-in-pandas.lxml-in-pandas", - "id": "trailofbits.python.lxml-in-pandas.lxml-in-pandas", - "name": "trailofbits.python.lxml-in-pandas.lxml-in-pandas", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.lxml-in-pandas.lxml-in-pandas" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability." - }, - "help": { - "markdown": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration)\n - [https://en.wikipedia.org/wiki/Mass_assignment_vulnerability](https://en.wikipedia.org/wiki/Mass_assignment_vulnerability)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n", - "text": "Depending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-data-exfiltration.express-data-exfiltration", - "id": "javascript.express.security.express-data-exfiltration.express-data-exfiltration", - "name": "javascript.express.security.express-data-exfiltration.express-data-exfiltration", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-data-exfiltration.express-data-exfiltration" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "id": "kotlin.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "name": "kotlin.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.properties.properties-hardcoded-secret.properties-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc." - }, - "help": { - "markdown": "This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot)\n", - "text": "This app does not have capabilities to prevent against Screenshots from Recent Task History/ Now On Tap etc." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot", - "id": "mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot", - "name": "mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-200", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.flag_secure.android_prevent_screenshot" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'." - }, - "help": { - "markdown": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n", - "text": "Found an insecure gRPC server without 'grpc.Creds()' or options with credentials. This allows for a connection without encryption to this server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Include credentials derived from an SSL certificate in order to create a secure gRPC connection. You can create credentials using 'credentials.NewServerTLSFromFile(\"cert.pem\", \"cert.key\")'." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection", - "id": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection", - "name": "go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-300: Channel Accessible by Non-Endpoint", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.security.grpc-server-insecure-connection.grpc-server-insecure-connection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks." - }, - "help": { - "markdown": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "https://find-sec-bugs.github.io/bugs.htm#PERMISSIVE_CORS Permissive CORS policy will allow a malicious application to communicate with the victim application in an inappropriate way, leading to spoofing, data theft, relay and other attacks." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.permissive-cors.permissive-cors", - "id": "java.lang.security.audit.permissive-cors.permissive-cors", - "name": "java.lang.security.audit.permissive-cors.permissive-cors", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-183: Permissive List of Allowed Inputs", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.permissive-cors.permissive-cors" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks digitalocean-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks digitalocean-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks digitalocean-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token", - "id": "generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token", - "name": "generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.digitalocean-access-token.digitalocean-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The App uses an insecure Random Number Generator." - }, - "help": { - "markdown": "The App uses an insecure Random Number Generator.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_random.java_insecure_random)\n", - "text": "The App uses an insecure Random Number Generator." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.crypto.insecure_random.java_insecure_random", - "id": "mobsf.mobsfscan.crypto.insecure_random.java_insecure_random", - "name": "mobsf.mobsfscan.crypto.insecure_random.java_insecure_random", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-330", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.crypto.insecure_random.java_insecure_random" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code." - }, - "help": { - "markdown": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval)\n - [https://www.php.net/manual/en/function.mb-ereg-replace.php](https://www.php.net/manual/en/function.mb-ereg-replace.php)\n - [https://www.php.net/manual/en/function.mb-regex-set-options.php](https://www.php.net/manual/en/function.mb-regex-set-options.php)\n", - "text": "Calling mb_ereg_replace with user input in the options can lead to arbitrary code execution. The eval modifier (`e`) evaluates the replacement argument as code." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval", - "id": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval", - "name": "php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.mb-ereg-replace-eval.mb-ereg-replace-eval" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check for all unsafe methods (per RFC2616)." - }, - "help": { - "markdown": "Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check for all unsafe methods (per RFC2616).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Automatic check of the referrer for cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected when an unsafe CSRF storage policy is used. Use 'pyramid.config.Configurator.set_default_csrf_options(check_origin=True)' to turn the automatic check for all unsafe methods (per RFC2616)." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally", - "id": "python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally", - "name": "python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.csrf-origin-check-disabled-globally.pyramid-csrf-origin-check-disabled-globally" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE" - }, - "help": { - "markdown": "Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPrivilegeEscalation.py)\n", - "text": "Ensure that IAM policies with permissions on other users don't allow for privilege escalation. This can lead to an attacker gaining full administrator access of AWS accounts. Instead, specify which user the permission should be used on or do not use the listed actions. $RESOURCE" - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users", - "id": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users", - "name": "terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-other-users.no-iam-priv-esc-other-users" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-legacy-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-legacy-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-legacy-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token", - "id": "generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token", - "name": "generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-legacy-token.slack-legacy-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "help": { - "markdown": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint.compile-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The application might dynamically evaluate untrusted input, which can lead to a code injection vulnerability. An attacker can execute arbitrary code, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing code containing user input. If this is unavoidable, validate and sanitize the input, and use safe alternatives for evaluating user input." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.code-injection.compile-taint.compile-taint", - "id": "csharp.dotnet-core.code-injection.compile-taint.compile-taint", - "name": "csharp.dotnet-core.code-injection.compile-taint.compile-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.code-injection.compile-taint.compile-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this." - }, - "help": { - "markdown": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath)\n - [https://kubernetes.io/docs/concepts/storage/volumes/#hostpath](https://kubernetes.io/docs/concepts/storage/volumes/#hostpath)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n", - "text": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from hostpath to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath", - "id": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath", - "name": "yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.exposing-docker-socket-hostpath.exposing-docker-socket-hostpath" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "help": { - "markdown": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "By default, AWS SecretManager secrets are encrypted using AWS-managed keys. However, for added security, it's recommended to configure your own AWS KMS encryption key to protect your secrets in the Secret Manager. You can either create a new aws_kms_key resource or use the ARN of an existing key in your AWS account to do so." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted", - "id": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted", - "name": "terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-secretsmanager-secret-unencrypted.aws-secretsmanager-secret-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat-sls.httpclient-taint-concat-sls)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat-sls.httpclient-taint-concat-sls", - "id": "java.micronaut.ssrf.httpclient-taint-concat-sls.httpclient-taint-concat-sls", - "name": "java.micronaut.ssrf.httpclient-taint-concat-sls.httpclient-taint-concat-sls", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat-sls.httpclient-taint-concat-sls" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint.file-access-taint)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint.file-access-taint", - "id": "java.micronaut.path-traversal.file-access-taint.file-access-taint", - "name": "java.micronaut.path-traversal.file-access-taint.file-access-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.path-traversal.file-access-taint.file-access-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'." - }, - "help": { - "markdown": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use)\n - [https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess](https://stackoverflow.com/questions/3172470/actual-meaning-of-shell-true-in-subprocess)\n - [https://docs.python.org/3/library/subprocess.html](https://docs.python.org/3/library/subprocess.html)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Detected subprocess function '$FUNC' with user controlled data. A malicious actor could leverage this to perform command injection. You may consider using 'shlex.escape()'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use", - "id": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use", - "name": "python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.dangerous-subprocess-use.dangerous-subprocess-use" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach `$VM`." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach `$VM`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Make sure that unverified user data can not reach `$VM`." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-vm-injection.express-vm-injection", - "id": "javascript.express.security.express-vm-injection.express-vm-injection", - "name": "javascript.express.security.express-vm-injection.express-vm-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-vm-injection.express-vm-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, the following configuration also provides protection against XXE attacks. `$FACTORY.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "id": "java.lang.security.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "name": "java.lang.security.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.saxtransformerfactory-xxe.saxtransformerfactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.ktor.sqli.ktor-exposed-unsafe-exec-sqli.ktor-exposed-unsafe-exec-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Kotlin, it is possible to adopt prepared statements using the `connection.PreparedStatement` class with parameterized queries. For more information, see: [Prepared statements in Kotlin](https://developer.android.com/reference/kotlin/java/sql/PreparedStatement)." - }, - "helpUri": "https://semgrep.dev/r/kotlin.ktor.sqli.ktor-exposed-unsafe-exec-sqli.ktor-exposed-unsafe-exec-sqli", - "id": "kotlin.ktor.sqli.ktor-exposed-unsafe-exec-sqli.ktor-exposed-unsafe-exec-sqli", - "name": "kotlin.ktor.sqli.ktor-exposed-unsafe-exec-sqli.ktor-exposed-unsafe-exec-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.ktor.sqli.ktor-exposed-unsafe-exec-sqli.ktor-exposed-unsafe-exec-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions." - }, - "help": { - "markdown": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version)\n - [https://www.acunetix.com/blog/web-security-zone/hardening-nginx/](https://www.acunetix.com/blog/web-security-zone/hardening-nginx/)\n - [https://nginx.org/en/docs/http/configuring_https_servers.html](https://nginx.org/en/docs/http/configuring_https_servers.html)\n", - "text": "This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.missing-ssl-version.missing-ssl-version", - "id": "generic.nginx.security.missing-ssl-version.missing-ssl-version", - "name": "generic.nginx.security.missing-ssl-version.missing-ssl-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.missing-ssl-version.missing-ssl-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using `sizeof(...)` on a pointer type is error prone and can lead to memory corruption if the incorrect size is used to allocate memory. An explicit length should be used instead of using `sizeof(...)`." - }, - "help": { - "markdown": "Using `sizeof(...)` on a pointer type is error prone and can lead to memory corruption if the incorrect size is used to allocate memory. An explicit length should be used instead of using `sizeof(...)`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.correctness.sizeof-pointer-type.sizeof-pointer-type)\n - [https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array](https://wiki.sei.cmu.edu/confluence/display/c/ARR01-C.+Do+not+apply+the+sizeof+operator+to+a+pointer+when+taking+the+size+of+an+array)\n", - "text": "Using `sizeof(...)` on a pointer type is error prone and can lead to memory corruption if the incorrect size is used to allocate memory. An explicit length should be used instead of using `sizeof(...)`." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.correctness.sizeof-pointer-type.sizeof-pointer-type", - "id": "cpp.lang.correctness.sizeof-pointer-type.sizeof-pointer-type", - "name": "cpp.lang.correctness.sizeof-pointer-type.sizeof-pointer-type", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-467: Use of sizeof() on a Pointer Type", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.correctness.sizeof-pointer-type.sizeof-pointer-type" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks mapbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks mapbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks mapbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token", - "id": "generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token", - "name": "generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.mapbox-api-token.mapbox-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection." - }, - "help": { - "markdown": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator)\n - [https://laravel.com/docs/9.x/validation#rule-unique](https://laravel.com/docs/9.x/validation#rule-unique)\n", - "text": "Found a request argument passed to an `ignore()` definition in a Rule constraint. This can lead to SQL injection." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator", - "id": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator", - "name": "php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-unsafe-validator.laravel-unsafe-validator" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "id": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "name": "python.aws-lambda.security.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead." - }, - "help": { - "markdown": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected RC4 cipher algorithm which is insecure. The algorithm has many known vulnerabilities. Use AES instead." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4", - "id": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4", - "name": "go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.crypto.use_of_weak_crypto.use-of-rc4" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an unsecured transmission channel. 'URLopener.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel." - }, - "help": { - "markdown": "Detected an unsecured transmission channel. 'URLopener.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open](https://docs.python.org/3/library/urllib.request.html#urllib.request.URLopener.open)\n", - "text": "Detected an unsecured transmission channel. 'URLopener.open(...)' is being used with 'http://'. Use 'https://' instead to secure the channel." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open", - "id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open", - "name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlopener-open.insecure-urlopener-open" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "help": { - "markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.eval-detected.eval-detected", - "id": "python.lang.security.audit.eval-detected.eval-detected", - "name": "python.lang.security.audit.eval-detected.eval-detected", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.eval-detected.eval-detected" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.ponyorm-fastapi.ponyorm-fastapi)\n - [https://docs.ponyorm.org/queries.html](https://docs.ponyorm.org/queries.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.db.ponyorm-fastapi.ponyorm-fastapi", - "id": "python.fastapi.db.ponyorm-fastapi.ponyorm-fastapi", - "name": "python.fastapi.db.ponyorm-fastapi.ponyorm-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.db.ponyorm-fastapi.ponyorm-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible." - }, - "help": { - "markdown": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat)\n - [https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval)\n - [https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback](https://nodejs.org/api/child_process.html#child_processexeccommand-options-callback)\n - [https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/](https://www.stackhawk.com/blog/nodejs-command-injection-examples-and-prevention/)\n - [https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html](https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html)\n", - "text": "Found data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.code-string-concat.code-string-concat", - "id": "javascript.lang.security.audit.code-string-concat.code-string-concat", - "name": "javascript.lang.security.audit.code-string-concat.code-string-concat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.code-string-concat.code-string-concat" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "help": { - "markdown": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.redirect.open-redirect.open-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "The application builds a URL using user-controlled input which can lead to an open redirect vulnerability. An attacker can manipulate the URL and redirect users to an arbitrary domain. Open redirect vulnerabilities can lead to issues such as Cross-site scripting (XSS) or redirecting to a malicious domain for activities such as phishing to capture users' credentials. To prevent this vulnerability perform strict input validation of the domain against an allowlist of approved domains. Notify a user in your application that they are leaving the website. Display a domain where they are redirected to the user. A user can then either accept or deny the redirect to an untrusted site." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.redirect.open-redirect.open-redirect", - "id": "java.micronaut.redirect.open-redirect.open-redirect", - "name": "java.micronaut.redirect.open-redirect.open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.redirect.open-redirect.open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "File creation in shared tmp directory without using ioutil.Tempfile" - }, - "help": { - "markdown": "File creation in shared tmp directory without using ioutil.Tempfile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "File creation in shared tmp directory without using ioutil.Tempfile" - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.bad_tmp.bad-tmp-file-creation", - "id": "go.lang.security.bad_tmp.bad-tmp-file-creation", - "name": "go.lang.security.bad_tmp.bad-tmp-file-creation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-377: Insecure Temporary File", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.bad_tmp.bad-tmp-file-creation" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority." - }, - "help": { - "markdown": "This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency)\n", - "text": "This app does not enforce TLS Certificate Transparency that helps to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency", - "id": "mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency", - "name": "mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-295", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.tls_certificate_transparency.android_certificate_transparency" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil." - }, - "help": { - "markdown": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization)\n - [https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html](https://ruby-doc.org/core-3.1.2/doc/security_rdoc.html)\n - [https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ](https://groups.google.com/g/rubyonrails-security/c/61bkgvnSGTQ/m/nehwjA8tQ8EJ)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_deserialize.rb)\n", - "text": "Deserialization of a string tainted by `event` object found. Objects in Ruby can be serialized into strings, then later loaded from strings. However, uses of `load` can cause remote code execution. Loading user input with MARSHAL, YAML or CSV can potentially be dangerous. If you need to deserialize untrusted data, you should use JSON as it is only capable of returning 'primitive' types such as strings, arrays, hashes, numbers and nil." - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization", - "id": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization", - "name": "ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.tainted-deserialization.tainted-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "No slippage check in a Uniswap v2/v3 trade" - }, - "help": { - "markdown": "No slippage check in a Uniswap v2/v3 trade\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check)\n - [https://uniswapv3book.com/docs/milestone_3/slippage-protection/](https://uniswapv3book.com/docs/milestone_3/slippage-protection/)\n", - "text": "No slippage check in a Uniswap v2/v3 trade" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.no-slippage-check.no-slippage-check", - "id": "solidity.security.no-slippage-check.no-slippage-check", - "name": "solidity.security.no-slippage-check.no-slippage-check", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-682: Incorrect Calculation", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.no-slippage-check.no-slippage-check" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls." - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli)\n - [https://pkg.go.dev/database/sql#DB.Query](https://pkg.go.dev/database/sql#DB.Query)\n", - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls." - }, - "helpUri": "https://semgrep.dev/r/go.aws-lambda.security.database-sqli.database-sqli", - "id": "go.aws-lambda.security.database-sqli.database-sqli", - "name": "go.aws-lambda.security.database-sqli.database-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.aws-lambda.security.database-sqli.database-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `wkhtmltoimage` it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection", - "id": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection", - "name": "javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.wkhtmltoimage.security.audit.wkhtmltoimage-injection.wkhtmltoimage-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands" - }, - "help": { - "markdown": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection)\n - [https://codeberg.org/fennix/funjection](https://codeberg.org/fennix/funjection)\n", - "text": "Using non-constant TwiML (Twilio Markup Language) argument when creating a Twilio conversation could allow the injection of additional TwiML commands" - }, - "helpUri": "https://semgrep.dev/r/python.twilio.security.twiml-injection.twiml-injection", - "id": "python.twilio.security.twiml-injection.twiml-injection", - "name": "python.twilio.security.twiml-injection.twiml-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-91: XML Injection", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.twilio.security.twiml-injection.twiml-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings." - }, - "help": { - "markdown": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n - [https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code](https://scala-slick.org/doc/3.2.0/sql-to-slick.html#non-optimal-sql-code)\n", - "text": "Detected a tainted SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using using user input for generating SQL strings." - }, - "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-slick-sqli.tainted-slick-sqli", - "id": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli", - "name": "scala.play.security.tainted-slick-sqli.tainted-slick-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.play.security.tainted-slick-sqli.tainted-slick-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.peewee.python-peewee-hardcoded-database-password-uri.python-peewee-hardcoded-database-password-uri)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.peewee.python-peewee-hardcoded-database-password-uri.python-peewee-hardcoded-database-password-uri", - "id": "python.peewee.python-peewee-hardcoded-database-password-uri.python-peewee-hardcoded-database-password-uri", - "name": "python.peewee.python-peewee-hardcoded-database-password-uri.python-peewee-hardcoded-database-password-uri", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.peewee.python-peewee-hardcoded-database-password-uri.python-peewee-hardcoded-database-password-uri" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." - }, - "help": { - "markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n", - "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", - "id": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", - "name": "python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.template-translate-as-no-escape.template-translate-as-no-escape" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher." - }, - "help": { - "markdown": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n", - "text": "The RSA key size $SIZE is insufficent by NIST standards. It is recommended to use a key length of 2048 or higher." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "id": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "name": "ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.insufficient-rsa-key-size.insufficient-rsa-key-size" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "help": { - "markdown": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS Workspace root volume is unencrypted. The AWS KMS encryption key protects root volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted", - "id": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted", - "name": "terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-workspaces-root-volume-unencrypted.aws-workspaces-root-volume-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated." - }, - "help": { - "markdown": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Application redirects a user to a destination URL specified by a user supplied parameter that is not validated." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", - "id": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", - "name": "java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.audit.spring-unvalidated-redirect.spring-unvalidated-redirect" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities." - }, - "help": { - "markdown": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n", - "text": "Data from request object is passed to a new server-side request. This could lead to a server-side request forgery (SSRF). To mitigate, ensure that schemes and hosts are validated against an allowlist, do not forward the response to the user, and ensure proper authentication and transport-layer security in the proxied request. See https://owasp.org/www-community/attacks/Server_Side_Request_Forgery to learn more about SSRF vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests", - "id": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests", - "name": "python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.ssrf.ssrf-injection-requests.ssrf-injection-requests" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules" - }, - "help": { - "markdown": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#bypass)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account_network_rules#bypass)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services](https://docs.microsoft.com/en-us/azure/storage/common/storage-network-security#trusted-microsoft-services)\n", - "text": "Some Microsoft services that interact with storage accounts operate from networks that can't be granted access through network rules. To help this type of service work as intended, allow the set of trusted Microsoft services to bypass the network rules" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass", - "id": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass", - "name": "terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.storage.storage-allow-microsoft-service-bypass.storage-allow-microsoft-service-bypass" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks." - }, - "help": { - "markdown": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string)\n - [https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html](https://nvisium.com/blog/2016/03/09/exploring-ssti-in-flask-jinja2.html)\n", - "text": "Found a template created with string formatting. This is susceptible to server-side template injection and cross-site scripting attacks." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.render-template-string.render-template-string", - "id": "python.flask.security.audit.render-template-string.render-template-string", - "name": "python.flask.security.audit.render-template-string.render-template-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.render-template-string.render-template-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "help": { - "markdown": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n", - "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval.user-eval", - "id": "python.django.security.injection.code.user-eval.user-eval", - "name": "python.django.security.injection.code.user-eval.user-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.code.user-eval.user-eval" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.python-requests-empty-password.python-requests-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.requests.python-requests-empty-password.python-requests-empty-password", - "id": "python.requests.python-requests-empty-password.python-requests-empty-password", - "name": "python.requests.python-requests-empty-password.python-requests-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.requests.python-requests-empty-password.python-requests-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`." - }, - "help": { - "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://www.php.net/password_hash](https://www.php.net/password_hash)\n", - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use `password_hash($PASSWORD, PASSWORD_BCRYPT, $OPTIONS);`." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.md5-used-as-password.md5-used-as-password", - "id": "php.lang.security.md5-used-as-password.md5-used-as-password", - "name": "php.lang.security.md5-used-as-password.md5-used-as-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.md5-used-as-password.md5-used-as-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-jsonpickle.tainted-jsonpickle)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://github.com/jsonpickle/jsonpickle#jsonpickle](https://github.com/jsonpickle/jsonpickle#jsonpickle)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `jsonpickle` module can execute arbitrary Python code. Do not load `jsonpickles` from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections, such as json, PyYAML, or ruamel.yaml." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-jsonpickle.tainted-jsonpickle", - "id": "python.lang.deserialization.tainted-jsonpickle.tainted-jsonpickle", - "name": "python.lang.deserialization.tainted-jsonpickle.tainted-jsonpickle", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-jsonpickle.tainted-jsonpickle" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher." - }, - "help": { - "markdown": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size)\n - [https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf](https://www.cosic.esat.kuleuven.be/ecrypt/ecrypt2/documents/D.SPA.20.pdf)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf)\n", - "text": "Detected an insufficient key size for DSA. NIST recommends a key size of 2048 or higher." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "id": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "name": "python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.insufficient-dsa-key-size.insufficient-dsa-key-size" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks vault-service-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks vault-service-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.vault-service-token.vault-service-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks vault-service-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.vault-service-token.vault-service-token", - "id": "generic.secrets.gitleaks.vault-service-token.vault-service-token", - "name": "generic.secrets.gitleaks.vault-service-token.vault-service-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.vault-service-token.vault-service-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/{{link}}'. You may also consider setting the Content Security Policy (CSP) header." - }, - "help": { - "markdown": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/{{link}}'. You may also consider setting the Content Security Policy (CSP) header.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href)\n - [https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI](https://flask.palletsprojects.com/en/1.1.x/security/#cross-site-scripting-xss#:~:text=javascript:%20URI)\n - [https://github.com/pugjs/pug/issues/2952](https://github.com/pugjs/pug/issues/2952)\n", - "text": "Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/{{link}}'. You may also consider setting the Content Security Policy (CSP) header." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.var-in-href.var-in-href", - "id": "javascript.express.security.audit.xss.mustache.var-in-href.var-in-href", - "name": "javascript.express.security.audit.xss.mustache.var-in-href.var-in-href", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.var-in-href.var-in-href" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks grafana-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks grafana-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.grafana-api-key.grafana-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks grafana-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.grafana-api-key.grafana-api-key", - "id": "generic.secrets.gitleaks.grafana-api-key.grafana-api-key", - "name": "generic.secrets.gitleaks.grafana-api-key.grafana-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.grafana-api-key.grafana-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/rust.hyper.ssrf.reqwest-taint.reqwest-taint", - "id": "rust.hyper.ssrf.reqwest-taint.reqwest-taint", - "name": "rust.hyper.ssrf.reqwest-taint.reqwest-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.hyper.ssrf.reqwest-taint.reqwest-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "`$KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is less than the recommended key size of 2048 bits." - }, - "help": { - "markdown": "`$KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is less than the recommended key size of 2048 bits.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.key.small-key-size.small-key-size)\n - [https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "`$KEY_FUNCTION` is using a key size of only $KEY_BITS bits. This is less than the recommended key size of 2048 bits." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.crypto.key.small-key-size.small-key-size", - "id": "cpp.lang.security.crypto.key.small-key-size.small-key-size", - "name": "cpp.lang.security.crypto.key.small-key-size.small-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.crypto.key.small-key-size.small-key-size" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This call to `$MEMSET` may be optimized out by the compiler because the buffer is not accessed later in the function. This could be an issue if `$BUF` contains sensitive data, such as passwords or cryptographic keys. Applications should use functions such as `memset_s` or `memset_explicit` to ensure that the sensitive data is cleared." - }, - "help": { - "markdown": "This call to `$MEMSET` may be optimized out by the compiler because the buffer is not accessed later in the function. This could be an issue if `$BUF` contains sensitive data, such as passwords or cryptographic keys. Applications should use functions such as `memset_s` or `memset_explicit` to ensure that the sensitive data is cleared.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.correctness.memset-removal.memset-removal)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations](https://wiki.sei.cmu.edu/confluence/display/c/MSC06-C.+Beware+of+compiler+optimizations)\n", - "text": "This call to `$MEMSET` may be optimized out by the compiler because the buffer is not accessed later in the function. This could be an issue if `$BUF` contains sensitive data, such as passwords or cryptographic keys. Applications should use functions such as `memset_s` or `memset_explicit` to ensure that the sensitive data is cleared." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.correctness.memset-removal.memset-removal", - "id": "cpp.lang.correctness.memset-removal.memset-removal", - "name": "cpp.lang.correctness.memset-removal.memset-removal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-14: Compiler Removal of Code to Clear Buffers", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.correctness.memset-removal.memset-removal" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Peewee provides a query builder which should allow to create the SQL query in a safe way. If you cannot use it, make sure to check the value exists in an allowlist, such that no user-controllable value can influence the eventual SQL query." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Peewee provides a query builder which should allow to create the SQL query in a safe way. If you cannot use it, make sure to check the value exists in an allowlist, such that no user-controllable value can influence the eventual SQL query.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.peewee-fastapi.peewee-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Peewee provides a query builder which should allow to create the SQL query in a safe way. If you cannot use it, make sure to check the value exists in an allowlist, such that no user-controllable value can influence the eventual SQL query." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.db.peewee-fastapi.peewee-fastapi", - "id": "python.fastapi.db.peewee-fastapi.peewee-fastapi", - "name": "python.fastapi.db.peewee-fastapi.peewee-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.db.peewee-fastapi.peewee-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input." - }, - "help": { - "markdown": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection)\n - [https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb](https://github.com/presidentbeef/brakeman/blob/main/test/apps/rails2/app/controllers/application_controller.rb)\n", - "text": "Found user-controllable input to Ruby reflection functionality. This allows a remote user to influence runtime behavior, up to and including arbitrary remote code execution. Do not provide user-controllable input to reflection functionality. Do not call symbol conversion on user-controllable input." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection", - "id": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection", - "name": "ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-unsafe-reflection.check-unsafe-reflection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled." - }, - "help": { - "markdown": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-universal-fileaccess.swift-webview-config-allows-universal-file-access)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n", - "text": "Webviews were observed that do not disable access to application files. If the WebView does not require loading content from the local filesystem of the application, this setting should be disabled." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-universal-fileaccess.swift-webview-config-allows-universal-file-access", - "id": "swift.webview.webview-universal-fileaccess.swift-webview-config-allows-universal-file-access", - "name": "swift.webview.webview-universal-fileaccess.swift-webview-config-allows-universal-file-access", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-universal-fileaccess.swift-webview-config-allows-universal-file-access" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method" - }, - "help": { - "markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n", - "text": "Functions reliant on pickle can result in arbitrary code execution. Consider using fickling or switching to a safer serialization method" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pandas.pickles-in-pandas", - "id": "trailofbits.python.pickles-in-pandas.pickles-in-pandas", - "name": "trailofbits.python.pickles-in-pandas.pickles-in-pandas", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.pickles-in-pandas.pickles-in-pandas" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`." - }, - "help": { - "markdown": "QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra)\n - [https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra](https://docs.djangoproject.com/en/3.0/ref/models/querysets/#django.db.models.query.QuerySet.extra)\n - [https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/](https://semgrep.dev/blog/2020/preventing-sql-injection-a-django-authors-perspective/)\n", - "text": "QuerySet.extra' does not provide safeguards against SQL injection and requires very careful use. SQL injection can lead to critical data being stolen by attackers. Instead of using '.extra', use the Django ORM and parameterized queries such as `People.objects.get(name='Bob')`." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.query-set-extra.avoid-query-set-extra", - "id": "python.django.security.audit.query-set-extra.avoid-query-set-extra", - "name": "python.django.security.audit.query-set-extra.avoid-query-set-extra", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.query-set-extra.avoid-query-set-extra" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "help": { - "markdown": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.security.eval-detected.eval-detected", - "id": "javascript.browser.security.eval-detected.eval-detected", - "name": "javascript.browser.security.eval-detected.eval-detected", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.security.eval-detected.eval-detected" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead." - }, - "help": { - "markdown": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Using less than 128 bits for Blowfish is considered insecure. Use 128 bits or more, or switch to use AES instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", - "id": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", - "name": "java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.blowfish-insufficient-key-size.blowfish-insufficient-key-size" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jdo.datanucleus.secrets.hardcoded-connection-password.hardcoded-connection-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n - [https://www.datanucleus.org/javadocs/api.jdo/5.0/org/datanucleus/api/jdo/JDOPersistenceManagerFactory.html](https://www.datanucleus.org/javadocs/api.jdo/5.0/org/datanucleus/api/jdo/JDOPersistenceManagerFactory.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jdo.datanucleus.secrets.hardcoded-connection-password.hardcoded-connection-password", - "id": "java.jdo.datanucleus.secrets.hardcoded-connection-password.hardcoded-connection-password", - "name": "java.jdo.datanucleus.secrets.hardcoded-connection-password.hardcoded-connection-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jdo.datanucleus.secrets.hardcoded-connection-password.hardcoded-connection-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into a JSON object, which can lead the decoder to consume considerable CPU and memory resources, potentially causing DoS (Denial of Service). The documentation for the `json` package recommends limiting the size of data to be parsed. " - }, - "help": { - "markdown": "The application may convert user-controlled data into a JSON object, which can lead the decoder to consume considerable CPU and memory resources, potentially causing DoS (Denial of Service). The documentation for the `json` package recommends limiting the size of data to be parsed. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-json-aws-lambda.tainted-json-aws-lambda)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into a JSON object, which can lead the decoder to consume considerable CPU and memory resources, potentially causing DoS (Denial of Service). The documentation for the `json` package recommends limiting the size of data to be parsed. " - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-json-aws-lambda.tainted-json-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-json-aws-lambda.tainted-json-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-json-aws-lambda.tainted-json-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-json-aws-lambda.tainted-json-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.injection.tainted-sql-string.tainted-sql-string", - "id": "javascript.express.security.injection.tainted-sql-string.tainted-sql-string", - "name": "javascript.express.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.mongo.ruby-mongo-hardcoded-secret.ruby-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/ruby.mongo.ruby-mongo-hardcoded-secret.ruby-mongo-hardcoded-secret", - "id": "ruby.mongo.ruby-mongo-hardcoded-secret.ruby-mongo-hardcoded-secret", - "name": "ruby.mongo.ruby-mongo-hardcoded-secret.ruby-mongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.mongo.ruby-mongo-hardcoded-secret.ruby-mongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`." - }, - "help": { - "markdown": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled)\n - [https://symfony.com/doc/current/security/csrf.html](https://symfony.com/doc/current/security/csrf.html)\n", - "text": "CSRF protection is disabled for this configuration. This is a security risk. Make sure that it is safe or consider setting `csrf_protection` property to `true`." - }, - "helpUri": "https://semgrep.dev/r/php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled", - "id": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled", - "name": "php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.symfony.security.audit.symfony-csrf-protection-disabled.symfony-csrf-protection-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities." - }, - "help": { - "markdown": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled", - "id": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled", - "name": "javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-sce-disabled.detect-angular-sce-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.path-traversal.file-taint-grpc.file-taint-grpc)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.path-traversal.file-taint-grpc.file-taint-grpc", - "id": "csharp.dotnet-core.path-traversal.file-taint-grpc.file-taint-grpc", - "name": "csharp.dotnet-core.path-traversal.file-taint-grpc.file-taint-grpc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.path-traversal.file-taint-grpc.file-taint-grpc" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks slack-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks slack-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.slack-app-token.slack-app-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks slack-app-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.slack-app-token.slack-app-token", - "id": "generic.secrets.gitleaks.slack-app-token.slack-app-token", - "name": "generic.secrets.gitleaks.slack-app-token.slack-app-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.slack-app-token.slack-app-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "help": { - "markdown": "'The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-rsa-pkcs1-signature.cryptography-rsa-pkcs1-signature)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#cryptography.hazmat.primitives.asymmetric.padding.PKCS1v15)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n", - "text": "'The implementation of the PKCS1 v1.5 padding scheme in the `cryptography` package is vulnerable to timing attacks. The RSA decryption raises an exception on failure, which takes a different amount of time than returning a value upon success. This is not considered secure and it is not recommended that PKCS1v15 is used in new applications. OAEP should be preferred for encryption and PSS should be preferred for signatures. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.cryptography-rsa-pkcs1-signature.cryptography-rsa-pkcs1-signature", - "id": "python.cryptography.cryptography-rsa-pkcs1-signature.cryptography-rsa-pkcs1-signature", - "name": "python.cryptography.cryptography-rsa-pkcs1-signature.cryptography-rsa-pkcs1-signature", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.cryptography-rsa-pkcs1-signature.cryptography-rsa-pkcs1-signature" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.reqwest.hardcoded-uri-password.hardcoded-uri-password)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.reqwest.hardcoded-uri-password.hardcoded-uri-password", - "id": "rust.secrets.reqwest.hardcoded-uri-password.hardcoded-uri-password", - "name": "rust.secrets.reqwest.hardcoded-uri-password.hardcoded-uri-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.reqwest.hardcoded-uri-password.hardcoded-uri-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still does not encrypt all traffic. ftp is the most utilized npm ftp module." - }, - "help": { - "markdown": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still does not encrypt all traffic. ftp is the most utilized npm ftp module.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request)\n - [https://www.npmjs.com/package/ftp](https://www.npmjs.com/package/ftp)\n - [https://openbase.io/js/ftp](https://openbase.io/js/ftp)\n", - "text": "Checks for lack of usage of the \"secure: true\" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as \"implicit\" that still does not encrypt all traffic. ftp is the most utilized npm ftp module." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request", - "id": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request", - "name": "problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.ftp-request.ftp-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function." - }, - "help": { - "markdown": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion)\n - [https://lwn.net/Articles/606141/](https://lwn.net/Articles/606141/)\n", - "text": "Call to 'read()' without error checking is susceptible to file descriptor exhaustion. Consider using the 'getrandom()' function." - }, - "helpUri": "https://semgrep.dev/r/c.lang.security.random-fd-exhaustion.random-fd-exhaustion", - "id": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion", - "name": "c.lang.security.random-fd-exhaustion.random-fd-exhaustion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: c.lang.security.random-fd-exhaustion.random-fd-exhaustion" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks square-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks square-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.square-access-token.square-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks square-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.square-access-token.square-access-token", - "id": "generic.secrets.gitleaks.square-access-token.square-access-token", - "name": "generic.secrets.gitleaks.square-access-token.square-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.square-access-token.square-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint-msg.file-access-taint-msg)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.path-traversal.file-access-taint-msg.file-access-taint-msg", - "id": "java.micronaut.path-traversal.file-access-taint-msg.file-access-taint-msg", - "name": "java.micronaut.path-traversal.file-access-taint-msg.file-access-taint-msg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.path-traversal.file-access-taint-msg.file-access-taint-msg" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "help": { - "markdown": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "XML processor being instantiated without calling the `setFeature` functions that are generally used for disabling entity processing. User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like the disclosure of confidential data, denial of service, Server Side Request Forgery (SSRF), port scanning. Make sure to disable entity processing functionality." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled", - "id": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled", - "name": "scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.sax-dtd-enabled.sax-dtd-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected 'urllib.urlretrieve()' using 'http://'. This request will not be encrypted. Use 'https://' instead." - }, - "help": { - "markdown": "Detected 'urllib.urlretrieve()' using 'http://'. This request will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve](https://docs.python.org/3/library/urllib.request.html#urllib.request.urlretrieve)\n", - "text": "Detected 'urllib.urlretrieve()' using 'http://'. This request will not be encrypted. Use 'https://' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve", - "id": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve", - "name": "python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-urlretrieve.insecure-urlretrieve" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts." - }, - "help": { - "markdown": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active)\n - [https://cwe.mitre.org/data/definitions/778.html](https://cwe.mitre.org/data/definitions/778.html)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function#mode)\n - [https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html](https://docs.aws.amazon.com/lambda/latest/dg/services-xray.html)\n", - "text": "The AWS Lambda function does not have active X-Ray tracing enabled. X-Ray tracing enables end-to-end debugging and analysis of all function activity. This makes it easier to trace the flow of logs and identify bottlenecks, slow downs and timeouts." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active", - "id": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active", - "name": "terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "MEDIUM CONFIDENCE", - "OWASP-A09:2021 Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-lambda-x-ray-tracing-not-active.aws-lambda-x-ray-tracing-not-active" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument." - }, - "help": { - "markdown": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to)\n - [https://brakemanscanner.org/docs/warning_types/link_to/](https://brakemanscanner.org/docs/warning_types/link_to/)\n - [https://brakemanscanner.org/docs/warning_types/link_to_href/](https://brakemanscanner.org/docs/warning_types/link_to_href/)\n", - "text": "This code includes user input in `link_to`. In Rails 2.x, the body of `link_to` is not escaped. This means that user input which reaches the body will be executed when the HTML is rendered. Even in other versions, values starting with `javascript:` or `data:` are not escaped. It is better to create and use a safer function which checks the body argument." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to", - "id": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to", - "name": "ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-link-to.avoid-link-to" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'." - }, - "help": { - "markdown": "'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode)\n", - "text": "'open_out' behaves differently on Windows and on Unix-like systems with respect to line endings. To get the same behavior everywhere, use 'open_out_bin' or 'open_out_gen [Open_binary]'. If you really want LF-to-CRLF translations to take place when running on Windows, use 'open_out_gen [Open_text]'." - }, - "helpUri": "https://semgrep.dev/r/ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode", - "id": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode", - "name": "ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: ocaml.lang.portability.crlf-support.prefer-write-in-binary-mode" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." - }, - "help": { - "markdown": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector)\n - [https://cwe.mitre.org/data/definitions/329.html](https://cwe.mitre.org/data/definitions/329.html)\n", - "text": "Initialization Vectors (IVs) for block ciphers should be randomly generated each time they are used. Using a static IV means the same plaintext encrypts to the same ciphertext every time, weakening the strength of the encryption." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", - "id": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", - "name": "java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-329: Generation of Predictable IV with CBC Mode", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.no-static-initialization-vector.no-static-initialization-vector" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The constructor for SAXReader has an optional XMLReader argument. However, configuring this XMLReader before using it in the constructor has no effect on the security of the SAXReader. The SAXReader itself needs to be configured to prevent XXE vulnerabilities. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The constructor for SAXReader has an optional XMLReader argument. However, configuring this XMLReader before using it in the constructor has no effect on the security of the SAXReader. The SAXReader itself needs to be configured to prevent XXE vulnerabilities. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.saxreader-xmlreader-constructor.saxreader-xmlreader-constructor)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The constructor for SAXReader has an optional XMLReader argument. However, configuring this XMLReader before using it in the constructor has no effect on the security of the SAXReader. The SAXReader itself needs to be configured to prevent XXE vulnerabilities. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.saxreader-xmlreader-constructor.saxreader-xmlreader-constructor", - "id": "java.lang.security.audit.saxreader-xmlreader-constructor.saxreader-xmlreader-constructor", - "name": "java.lang.security.audit.saxreader-xmlreader-constructor.saxreader-xmlreader-constructor", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.saxreader-xmlreader-constructor.saxreader-xmlreader-constructor" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files. In Java, you may also consider using a utility method such as `org.apache.commons.io.FilenameUtils.getName(...)` to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep", - "id": "java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep", - "name": "java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.httpservlet-path-traversal-deepsemgrep.httpservlet-path-traversal-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'." - }, - "help": { - "markdown": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Cross-site scripting detected in HttpServletResponse writer with variable '$VAR'. User input was detected going directly from the HttpServletRequest into output. Ensure your data is properly encoded using org.owasp.encoder.Encode.forHtml: 'Encode.forHtml($VAR)'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", - "id": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", - "name": "java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.servletresponse-writer-xss.servletresponse-writer-xss" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure" - }, - "help": { - "markdown": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide](https://docs.microsoft.com/en-us/dotnet/standard/serialization/binaryformatter-security-guide)\n", - "text": "The BinaryFormatter type is dangerous and is not recommended for data processing. Applications should stop using BinaryFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. BinaryFormatter is insecure and can't be made secure" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", - "id": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", - "name": "csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.binary-formatter.insecure-binaryformatter-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", - "id": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", - "name": "java.java-jwt.security.jwt-none-alg.java-jwt-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.java-jwt.security.jwt-none-alg.java-jwt-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "help": { - "markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Ensure your variables are not controlled by users or sufficiently sanitized." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run", - "id": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run", - "name": "scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.dangerous-seq-run.dangerous-seq-run" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks linkedin-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks linkedin-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks linkedin-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id", - "id": "generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id", - "name": "generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.linkedin-client-id.linkedin-client-id" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument." - }, - "help": { - "markdown": "Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sh.security.string-concat.string-concat)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected string concatenation or formatting in a call to a command via 'sh'. This could be a command injection vulnerability if the data is user-controlled. Instead, use a list and append the argument." - }, - "helpUri": "https://semgrep.dev/r/python.sh.security.string-concat.string-concat", - "id": "python.sh.security.string-concat.string-concat", - "name": "python.sh.security.string-concat.string-concat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.sh.security.string-concat.string-concat" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead." - }, - "help": { - "markdown": "Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key)\n - [http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy](http://docs.paramiko.org/en/stable/api/client.html#paramiko.client.AutoAddPolicy)\n", - "text": "Detected a paramiko host key policy that implicitly trusts a server's host key. Host keys should be verified to ensure the connection is not to a malicious server. Use RejectPolicy or a custom subclass instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key", - "id": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key", - "name": "python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-322: Key Exchange without Entity Authentication", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.paramiko-implicit-trust-host-key.paramiko-implicit-trust-host-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities" - }, - "help": { - "markdown": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.security.insecure-document-method.insecure-document-method", - "id": "javascript.browser.security.insecure-document-method.insecure-document-method", - "name": "javascript.browser.security.insecure-document-method.insecure-document-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.security.insecure-document-method.insecure-document-method" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information." - }, - "help": { - "markdown": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system)\n - [https://owasp.org/www-community/attacks/Command_Injection](https://owasp.org/www-community/attacks/Command_Injection)\n", - "text": "Request data detected in os.system. This could be vulnerable to a command injection and should be avoided. If this must be done, use the 'subprocess' module instead and pass the arguments as a list. See https://owasp.org/www-community/attacks/Command_Injection for more information." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.command.command-injection-os-system.command-injection-os-system", - "id": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system", - "name": "python.django.security.injection.command.command-injection-os-system.command-injection-os-system", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.command.command-injection-os-system.command-injection-os-system" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON." - }, - "help": { - "markdown": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n", - "text": "Detected the use of an insecure deserialization library in a Flask route. These libraries are prone to code execution vulnerabilities. Ensure user data does not enter this function. To fix this, try to avoid serializing whole objects. Consider instead using a serializer such as JSON." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.insecure-deserialization.insecure-deserialization", - "id": "python.flask.security.insecure-deserialization.insecure-deserialization", - "name": "python.flask.security.insecure-deserialization.insecure-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.insecure-deserialization.insecure-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret", - "id": "kotlin.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret", - "name": "kotlin.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.sql.drivermanager-hardcoded-secret.drivermanager-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." - }, - "help": { - "markdown": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert)\n - [https://cwe.mitre.org/data/definitions/119.html](https://cwe.mitre.org/data/definitions/119.html)\n", - "text": "Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", - "id": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", - "name": "javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.detect-buffer-noassert.detect-buffer-noassert" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration leverages the in-built public key pinning mechanisms however has pins which are Certificate Authority Identities, rather than Leaf Identities. Trusting a Certificate Authority is much more lenient than trusting a single leaf identity. Consider pinning to leaf identities rather than CA, following the principle of least privelege." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration leverages the in-built public key pinning mechanisms however has pins which are Certificate Authority Identities, rather than Leaf Identities. Trusting a Certificate Authority is much more lenient than trusting a single leaf identity. Consider pinning to leaf identities rather than CA, following the principle of least privelege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pins.ATS-CA-pins)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration leverages the in-built public key pinning mechanisms however has pins which are Certificate Authority Identities, rather than Leaf Identities. Trusting a Certificate Authority is much more lenient than trusting a single leaf identity. Consider pinning to leaf identities rather than CA, following the principle of least privelege." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-pins.ATS-CA-pins", - "id": "swift.insecure-communication.ats.ats-pins.ATS-CA-pins", - "name": "swift.insecure-communication.ats.ats-pins.ATS-CA-pins", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-pins.ATS-CA-pins" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.openai.openai-hardcoded-secret.openai-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "id": "python.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "name": "python.openai.openai-hardcoded-secret.openai-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.openai.openai-hardcoded-secret.openai-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS." - }, - "help": { - "markdown": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URLConnection.html)\n - [https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection()](https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/net/URL.html#openConnection())\n", - "text": "Detected an HTTP request sent via HttpGet. This could lead to sensitive information being sent over an insecure channel. Instead, it is recommended to send requests over HTTPS." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.httpget-http-request.httpget-http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy." - }, - "help": { - "markdown": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens)\n - [https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376](https://quillaudits.medium.com/decoding-sentiment-protocols-1-million-exploit-quillaudits-f36bee77d376)\n - [https://hackmd.io/@sentimentxyz/SJCySo1z2](https://hackmd.io/@sentimentxyz/SJCySo1z2)\n", - "text": "$VAULT.getPoolTokens() call on a Balancer pool is not protected from the read-only reentrancy." - }, - "helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens", - "id": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens", - "name": "solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getpooltokens.balancer-readonly-reentrancy-getpooltokens" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection)\n - [https://owasp.org/Top10/A03_2021-Injection/](https://owasp.org/Top10/A03_2021-Injection/)\n - [https://cwe.mitre.org/data/definitions/643.html](https://cwe.mitre.org/data/definitions/643.html)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.audit.xpath-injection.xpath-injection", - "id": "csharp.dotnet.security.audit.xpath-injection.xpath-injection", - "name": "csharp.dotnet.security.audit.xpath-injection.xpath-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.audit.xpath-injection.xpath-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'." - }, - "help": { - "markdown": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n", - "text": "The Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite", - "id": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite", - "name": "javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.escape-function-overwrite.escape-function-overwrite" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret", - "id": "java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret", - "name": "java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.system.system-setproperty-hardcoded-secret.system-setproperty-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag." - }, - "help": { - "markdown": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag)\n - [https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug](https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug)\n - [https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page](https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page)\n", - "text": "Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.templates.debug-template-tag.debug-template-tag", - "id": "python.django.security.audit.templates.debug-template-tag.debug-template-tag", - "name": "python.django.security.audit.templates.debug-template-tag.debug-template-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "LOW CONFIDENCE", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.templates.debug-template-tag.debug-template-tag" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'." - }, - "help": { - "markdown": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption](https://blog.gopheracademy.com/advent-2019/go-grps-and-tls/#connection-without-encryption)\n", - "text": "Found an insecure gRPC connection using 'grpc.WithInsecure()'. This creates a connection without encryption to a gRPC server. A malicious attacker could tamper with the gRPC message, which could compromise the machine. Instead, establish a secure connection with an SSL certificate using the 'grpc.WithTransportCredentials()' function. You can create a create credentials using a 'tls.Config{}' struct with 'credentials.NewTLS()'. The final fix looks like this: 'grpc.WithTransportCredentials(credentials.NewTLS())'." - }, - "helpUri": "https://semgrep.dev/r/go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", - "id": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", - "name": "go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-300: Channel Accessible by Non-Endpoint", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.grpc.security.grpc-client-insecure-connection.grpc-client-insecure-connection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service." - }, - "help": { - "markdown": "The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml)\n - [https://docs.python.org/3/library/xml.html](https://docs.python.org/3/library/xml.html)\n - [https://github.com/tiran/defusedxml](https://github.com/tiran/defusedxml)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n", - "text": "The Python documentation recommends using `defusedxml` instead of `xml` because the native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and \"XML bombs\" can cause denial of service." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xml.use-defused-xml", - "id": "python.lang.security.use-defused-xml.use-defused-xml", - "name": "python.lang.security.use-defused-xml.use-defused-xml", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.use-defused-xml.use-defused-xml" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) PyYAML's `yaml` module is as powerful as `pickle` and so may call any Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) PyYAML's `yaml` module is as powerful as `pickle` and so may call any Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-pyyaml-pyramid.tainted-pyyaml-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) PyYAML's `yaml` module is as powerful as `pickle` and so may call any Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-pyyaml-pyramid.tainted-pyyaml-pyramid", - "id": "python.pyramid.deserialization.tainted-pyyaml-pyramid.tainted-pyyaml-pyramid", - "name": "python.pyramid.deserialization.tainted-pyyaml-pyramid.tainted-pyyaml-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-pyyaml-pyramid.tainted-pyyaml-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-url-to-guzzle-client.tainted-url-to-guzzle-client)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://docs.guzzlephp.org/en/stable/quickstart.html#making-a-request](https://docs.guzzlephp.org/en/stable/quickstart.html#making-a-request)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.tainted-url-to-guzzle-client.tainted-url-to-guzzle-client", - "id": "php.lang.security.tainted-url-to-guzzle-client.tainted-url-to-guzzle-client", - "name": "php.lang.security.tainted-url-to-guzzle-client.tainted-url-to-guzzle-client", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.tainted-url-to-guzzle-client.tainted-url-to-guzzle-client" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.diesel.pg-connection-empty-password.pg-connection-empty-password)\n - [https://docs.diesel.rs/master/diesel/index.html](https://docs.diesel.rs/master/diesel/index.html)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.diesel.pg-connection-empty-password.pg-connection-empty-password", - "id": "rust.secrets.diesel.pg-connection-empty-password.pg-connection-empty-password", - "name": "rust.secrets.diesel.pg-connection-empty-password.pg-connection-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.diesel.pg-connection-empty-password.pg-connection-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message." - }, - "help": { - "markdown": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The target origin of the window.postMessage() API is set to \"*\". This could allow for information disclosure due to the possibility of any origin allowed to receive the message." - }, - "helpUri": "https://semgrep.dev/r/javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration", - "id": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration", - "name": "javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-345: Insufficient Verification of Data Authenticity", - "MEDIUM CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.browser.security.wildcard-postmessage-configuration.wildcard-postmessage-configuration" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol." - }, - "help": { - "markdown": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request)\n - [https://godoc.org/github.com/jlaffaye/ftp#Dial](https://godoc.org/github.com/jlaffaye/ftp#Dial)\n - [https://github.com/jlaffaye/ftp](https://github.com/jlaffaye/ftp)\n", - "text": "Checks for outgoing connections to ftp servers with the ftp package. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network. Instead, connect via the SFTP protocol." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request", - "id": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request", - "name": "problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.ftp-request.ftp-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." - }, - "help": { - "markdown": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", - "id": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", - "name": "javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-116: Improper Encoding or Escaping of Output", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.detect-disable-mustache-escape.detect-disable-mustache-escape" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next." - }, - "help": { - "markdown": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain", - "id": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain", - "name": "javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.openai.openai-empty-secret.openai-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.openai.openai-empty-secret.openai-empty-secret", - "id": "go.secrets.openai.openai-empty-secret.openai-empty-secret", - "name": "go.secrets.openai.openai-empty-secret.openai-empty-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.openai.openai-empty-secret.openai-empty-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks yandex-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks yandex-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.yandex-api-key.yandex-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks yandex-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.yandex-api-key.yandex-api-key", - "id": "generic.secrets.gitleaks.yandex-api-key.yandex-api-key", - "name": "generic.secrets.gitleaks.yandex-api-key.yandex-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.yandex-api-key.yandex-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxparserfactory-xxe.saxparserfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "id": "kotlin.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "name": "kotlin.xxe.saxparserfactory-xxe.saxparserfactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxparserfactory-xxe.saxparserfactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data." - }, - "help": { - "markdown": "This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.root_detection.android_root_detection)\n", - "text": "This app does not have root detection capabilities. Running a sensitive application on a rooted device questions the device integrity and affects users data." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.root_detection.android_root_detection", - "id": "mobsf.mobsfscan.best_practices.root_detection.android_root_detection", - "name": "mobsf.mobsfscan.best_practices.root_detection.android_root_detection", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-919", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.root_detection.android_root_detection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not\ncollision resistant and is therefore not suitable as a cryptographic\nsignature. Use SHA256 or SHA3 instead.\n" - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not\ncollision resistant and is therefore not suitable as a cryptographic\nsignature. Use SHA256 or SHA3 instead.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.bandit.B303-6)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not\ncollision resistant and is therefore not suitable as a cryptographic\nsignature. Use SHA256 or SHA3 instead.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.bandit.B303-6", - "id": "gitlab.bandit.B303-6", - "name": "gitlab.bandit.B303-6", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327", - "OWASP-A3:2017-Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Use of a Broken or Risky Cryptographic Algorithm" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"." - }, - "help": { - "markdown": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)\n - [https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections](https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections)\n - [https://securitylab.github.com/research/github-actions-untrusted-input/](https://securitylab.github.com/research/github-actions-untrusted-input/)\n", - "text": "Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: \"$ENVVAR\"." - }, - "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection", - "id": "yaml.github-actions.security.run-shell-injection.run-shell-injection", - "name": "yaml.github-actions.security.run-shell-injection.run-shell-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection)\n - [https://pptr.dev/api/puppeteer.page](https://pptr.dev/api/puppeteer.page)\n", - "text": "If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-puppeteer-injection.express-puppeteer-injection", - "id": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection", - "name": "javascript.express.security.express-puppeteer-injection.express-puppeteer-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-puppeteer-injection.express-puppeteer-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.actix.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/rust.actix.ssrf.reqwest-taint.reqwest-taint", - "id": "rust.actix.ssrf.reqwest-taint.reqwest-taint", - "name": "rust.actix.ssrf.reqwest-taint.reqwest-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.actix.ssrf.reqwest-taint.reqwest-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.node-sequelize-empty-password-connection-string.node-sequelize-empty-password-connection-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.sequelize.node-sequelize-empty-password-connection-string.node-sequelize-empty-password-connection-string", - "id": "javascript.sequelize.node-sequelize-empty-password-connection-string.node-sequelize-empty-password-connection-string", - "name": "javascript.sequelize.node-sequelize-empty-password-connection-string.node-sequelize-empty-password-connection-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sequelize.node-sequelize-empty-password-connection-string.node-sequelize-empty-password-connection-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands." - }, - "help": { - "markdown": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Found dynamic content used for the external process. This is dangerous if arbitrary data can reach this function call because it allows a malicious actor to execute commands. Use `Seq(...)` for dynamically generated commands." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run", - "id": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run", - "name": "scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.scala-dangerous-process-run.scala-dangerous-process-run" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this." - }, - "help": { - "markdown": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume)\n - [https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference](https://docs.docker.com/compose/compose-file/compose-file-v3/#volume-configuration-reference)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers)\n", - "text": "Exposing host's Docker socket to containers via a volume. The owner of this socket is root. Giving someone access to it is equivalent to giving unrestricted root access to your host. Remove 'docker.sock' from volumes to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume", - "id": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume", - "name": "yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.exposing-docker-socket-volume.exposing-docker-socket-volume" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users." - }, - "help": { - "markdown": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter)\n - [https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/](https://blogtitle.github.io/robn-go-security-pearls-cross-site-scripting-xss/)\n", - "text": "Detected 'printf' or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package to render data to users." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter", - "id": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter", - "name": "go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.xss.no-printf-in-responsewriter.no-printf-in-responsewriter" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detects direct creations of $HTTPS servers that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "help": { - "markdown": "Detects direct creations of $HTTPS servers that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1)\n - [https://us-cert.cisa.gov/ncas/alerts/TA14-290A](https://us-cert.cisa.gov/ncas/alerts/TA14-290A)\n - [https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs](https://stackoverflow.com/questions/40434934/how-to-disable-the-ssl-3-0-and-tls-1-0-in-nodejs)\n - [https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener](https://nodejs.org/api/https.html#https_https_createserver_options_requestlistener)\n", - "text": "Detects direct creations of $HTTPS servers that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1", - "id": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1", - "name": "problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.disallow-old-tls-versions1.disallow-old-tls-versions1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application." - }, - "help": { - "markdown": "<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "<- A new object is created where the class name is based on user input. This could lead to remote code execution, as it allows to instantiate any class in the application." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation", - "id": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation", - "name": "php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.injection.tainted-object-instantiation.tainted-object-instantiation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`." - }, - "help": { - "markdown": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS RDS has no retention. Missing retention can cause losing important event information. To fix this, set a `backup_retention_period`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention", - "id": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention", - "name": "terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-rds-backup-no-retention.aws-rds-backup-no-retention" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself." - }, - "help": { - "markdown": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "SSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.ssrf.rest-client.ssrf", - "id": "csharp.lang.security.ssrf.rest-client.ssrf", - "name": "csharp.lang.security.ssrf.rest-client.ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.ssrf.rest-client.ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got." - }, - "help": { - "markdown": "Checks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n - [https://www.npmjs.com/package/got](https://www.npmjs.com/package/got)\n - [https://www.npmjs.com/package/node-rest-client](https://www.npmjs.com/package/node-rest-client)\n", - "text": "Checks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support", - "id": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support", - "name": "problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.rest-http-client-support.rest-http-client-support" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." - }, - "help": { - "markdown": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Detected user input controlling a file path. An attacker could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-file-path.tainted-file-path", - "id": "java.spring.security.injection.tainted-file-path.tainted-file-path", - "name": "java.spring.security.injection.tainted-file-path.tainted-file-path", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-23: Relative Path Traversal", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.injection.tainted-file-path.tainted-file-path" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks flutterwave-public-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks flutterwave-public-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks flutterwave-public-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key", - "id": "generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key", - "name": "generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.flutterwave-public-key.flutterwave-public-key" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks plaid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks plaid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.plaid-api-token.plaid-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks plaid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.plaid-api-token.plaid-api-token", - "id": "generic.secrets.gitleaks.plaid-api-token.plaid-api-token", - "name": "generic.secrets.gitleaks.plaid-api-token.plaid-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.plaid-api-token.plaid-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.xmlreader-xxe.xmlreader-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.xmlreader-xxe.xmlreader-xxe", - "id": "kotlin.xxe.xmlreader-xxe.xmlreader-xxe", - "name": "kotlin.xxe.xmlreader-xxe.xmlreader-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.xmlreader-xxe.xmlreader-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`." - }, - "help": { - "markdown": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected an AWS CloudFront Distribution with an insecure TLS version. TLS versions less than 1.2 are considered insecure because they can be broken. To fix this, set your `minimum_protocol_version` to `\"TLSv1.2_2018\", \"TLSv1.2_2019\" or \"TLSv1.2_2021\"`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version", - "id": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version", - "name": "terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-cloudfront-insecure-tls.aws-insecure-cloudfront-distribution-tls-version" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep", - "id": "java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep", - "name": "java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-xpath-from-http-request-deepsemgrep.tainted-xpath-from-http-request-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.needle.ssrf.ssrf)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.needle.ssrf.ssrf", - "id": "javascript.express.needle.ssrf.ssrf", - "name": "javascript.express.needle.ssrf.ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.needle.ssrf.ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "help": { - "markdown": "Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape)\n - [https://github.com/janl/mustache.js/#variables](https://github.com/janl/mustache.js/#variables)\n - [https://ractive.js.org/v0.x/0.7/mustaches#variables](https://ractive.js.org/v0.x/0.7/mustaches#variables)\n", - "text": "Detected an explicit unescape in a Mustache template, using triple braces '{{{...}}}' or ampersand '&'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape", - "id": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape", - "name": "javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.mustache.explicit-unescape.template-explicit-unescape" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks gitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks gitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.gitter-access-token.gitter-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks gitter-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.gitter-access-token.gitter-access-token", - "id": "generic.secrets.gitleaks.gitter-access-token.gitter-access-token", - "name": "generic.secrets.gitleaks.gitter-access-token.gitter-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.gitter-access-token.gitter-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions." - }, - "help": { - "markdown": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled)\n - [https://jinja.palletsprojects.com/en/2.11.x/api/#basics](https://jinja.palletsprojects.com/en/2.11.x/api/#basics)\n", - "text": "Detected a Jinja2 environment without autoescaping. Jinja2 does not autoescape by default. This is dangerous if you are rendering to a browser because this allows for cross-site scripting (XSS) attacks. If you are in a web context, enable autoescaping by setting 'autoescape=True.' You may also consider using 'jinja2.select_autoescape()' to only enable automatic escaping for certain file extensions." - }, - "helpUri": "https://semgrep.dev/r/python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled", - "id": "python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled", - "name": "python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-116: Improper Encoding or Escaping of Output", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jinja2.security.audit.missing-autoescape-disabled.missing-autoescape-disabled" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-dill-aws-lambda.tainted-dill-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-dill-aws-lambda.tainted-dill-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-dill-aws-lambda.tainted-dill-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-dill-aws-lambda.tainted-dill-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-dill-aws-lambda.tainted-dill-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks dropbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks dropbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks dropbox-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token", - "id": "generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token", - "name": "generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.dropbox-api-token.dropbox-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.sql.sql-injection.sql-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.sql.sql-injection.sql-injection", - "id": "cpp.lang.security.sql.sql-injection.sql-injection", - "name": "cpp.lang.security.sql.sql-injection.sql-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.sql.sql-injection.sql-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct." - }, - "help": { - "markdown": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure)\n - [https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go](https://github.com/0c34/govwa/blob/139693e56406b5684d2a6ae22c0af90717e149b8/util/cookie.go)\n - [https://golang.org/src/net/http/cookie.go](https://golang.org/src/net/http/cookie.go)\n", - "text": "A session cookie was detected without setting the 'Secure' flag. The 'secure' flag for cookies prevents the client from transmitting the cookie over insecure channels such as HTTP. Set the 'Secure' flag by setting 'Secure' to 'true' in the Options struct." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure", - "id": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure", - "name": "go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.cookie-missing-secure.cookie-missing-secure" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie." - }, - "help": { - "markdown": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage)\n - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies)\n", - "text": "Storing JWT tokens in localStorage known to be a bad practice, consider moving your tokens from localStorage to a HTTP cookie." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage", - "id": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage", - "name": "typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-922: Insecure Storage of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.security.audit.react-jwt-in-localstorage.react-jwt-in-localstorage" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2." - }, - "help": { - "markdown": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata_options)\n - [https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service](https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service)\n", - "text": "The EC2 launch template has Instance Metadata Service Version 1 (IMDSv1) enabled. IMDSv2 introduced session authentication tokens which improve security when talking to IMDS. You should either disable IMDS or require the use of IMDSv2." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled", - "id": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled", - "name": "terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1390: Weak Authentication", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ec2-launch-template-metadata-service-v1-enabled.aws-ec2-launch-template-metadata-service-v1-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or execute other typical XSS attacks." - }, - "help": { - "markdown": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or execute other typical XSS attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-evaluatejavascript-xss.swift-evaluate-js)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n", - "text": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or execute other typical XSS attacks." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-evaluatejavascript-xss.swift-evaluate-js", - "id": "swift.webview.webview-evaluatejavascript-xss.swift-evaluate-js", - "name": "swift.webview.webview-evaluatejavascript-xss.swift-evaluate-js", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-evaluatejavascript-xss.swift-evaluate-js" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure." - }, - "help": { - "markdown": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Origin check for the CSRF token is disabled for this view. This might represent a security risk if the CSRF storage policy is not known to be secure." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled", - "id": "python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled", - "name": "python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.csrf-origin-check-disabled.pyramid-csrf-origin-check-disabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RDS instance accessible from the Internet detected." - }, - "help": { - "markdown": "RDS instance accessible from the Internet detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access)\n - [https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance#publicly_accessible)\n - [https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_VPC.WorkingWithRDSInstanceinaVPC.html#USER_VPC.Hiding)\n", - "text": "RDS instance accessible from the Internet detected." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.rds-public-access.rds-public-access", - "id": "terraform.lang.security.rds-public-access.rds-public-access", - "name": "terraform.lang.security.rds-public-access.rds-public-access", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.rds-public-access.rds-public-access" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements." - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n", - "text": "Detected string concatenation with a non-literal variable in a go-pg ORM SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, do not use strings concatenated with user-controlled input. Instead, use parameterized statements." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli", - "id": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli", - "name": "go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.sqli.pg-orm-sqli.pg-orm-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev()." - }, - "help": { - "markdown": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2)\n", - "text": "os.pwritev() is only available on Python 3.3+ and is therefore not backwards compatible. Instead, use a combination of pwrite() and writev()." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os2-ok2", - "id": "python.lang.compatibility.python37.python37-compatibility-os2-ok2", - "name": "python.lang.compatibility.python37.python37-compatibility-os2-ok2", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os2-ok2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration disables Perfect Forward Secrecy (PFS) for one or more domains. PFS is a cryptographic technique to ensure the confidentiality of prior communications, even if the long-term secret keys are compromised in the future." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration disables Perfect Forward Secrecy (PFS) for one or more domains. PFS is a cryptographic technique to ensure the confidentiality of prior communications, even if the long-term secret keys are compromised in the future.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pfs.ATS-disables-PFS)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration disables Perfect Forward Secrecy (PFS) for one or more domains. PFS is a cryptographic technique to ensure the confidentiality of prior communications, even if the long-term secret keys are compromised in the future." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-pfs.ATS-disables-PFS", - "id": "swift.insecure-communication.ats.ats-pfs.ATS-disables-PFS", - "name": "swift.insecure-communication.ats.ats-pfs.ATS-disables-PFS", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-pfs.ATS-disables-PFS" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "id": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "name": "kotlin.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "id": "java.spring.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "name": "java.spring.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library." - }, - "help": { - "markdown": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Data from request is passed to a file name `$FILE`. This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name", - "id": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name", - "name": "python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-file-name.path-traversal-file-name" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'." - }, - "help": { - "markdown": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default)\n - [https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password](https://docs.djangoproject.com/en/3.0/ref/contrib/auth/#django.contrib.auth.models.User.set_password)\n", - "text": "'$VAR' is using the empty string as its default and is being used to set the password on '$MODEL'. If you meant to set an unusable password, set the default value to 'None' or call 'set_unusable_password()'." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.passwords.use-none-for-password-default.use-none-for-password-default", - "id": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default", - "name": "python.django.security.passwords.use-none-for-password-default.use-none-for-password-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-521: Weak Password Requirements", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.passwords.use-none-for-password-default.use-none-for-password-default" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized." - }, - "help": { - "markdown": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Found user-controlled request data passed into '.write(...)'. This could be dangerous if a malicious actor is able to control data into sensitive files. For example, a malicious actor could force rolling of critical log files, or cause a denial-of-service by using up available disk space. Instead, ensure that request data is properly escaped or sanitized." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-write.request-data-write", - "id": "python.django.security.injection.request-data-write.request-data-write", - "name": "python.django.security.injection.request-data-write.request-data-write", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.request-data-write.request-data-write" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside $PIPE. Audit the input to '$PIPE'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline", - "id": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline", - "name": "ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.dangerous-open3-pipeline.dangerous-open3-pipeline" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory." - }, - "help": { - "markdown": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", - "text": "DOCTYPE declarations are enabled for this SAXParserFactory. This is vulnerable to XML external entity attacks. Disable this by setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true. Alternatively, allow DOCTYPE declarations and only prohibit external entities declarations. This can be done by setting the features `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false. NOTE - The previous links are not meant to be clicked. They are the literal config key values that are supposed to be used to disable these features. For more information, see https://semgrep.dev/docs/cheat-sheets/java-xxe/#3a-documentbuilderfactory." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", - "id": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", - "name": "java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xxe.saxparserfactory-disallow-doctype-decl-missing.saxparserfactory-disallow-doctype-decl-missing" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class." - }, - "help": { - "markdown": "Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection", - "id": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection", - "name": "ruby.lang.security.missing-csrf-protection.missing-csrf-protection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead." - }, - "help": { - "markdown": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection)\n - [https://github.com/argoproj/argo-workflows/issues/5061](https://github.com/argoproj/argo-workflows/issues/5061)\n - [https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370](https://github.com/argoproj/argo-workflows/issues/5114#issue-808865370)\n", - "text": "Using input or workflow parameters in here-scripts can lead to command injection or code injection. Convert the parameters to env variables instead." - }, - "helpUri": "https://semgrep.dev/r/yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection", - "id": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection", - "name": "yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 – Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.argo.security.argo-workflow-parameter-command-injection.argo-workflow-parameter-command-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks." - }, - "help": { - "markdown": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.path-traversal-open.path-traversal-open", - "id": "python.flask.security.injection.path-traversal-open.path-traversal-open", - "name": "python.flask.security.injection.path-traversal-open.path-traversal-open", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.path-traversal-open.path-traversal-open" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." - }, - "help": { - "markdown": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privileged)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)\n", - "text": "Container or pod is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.privileged-container.privileged-container", - "id": "yaml.kubernetes.security.privileged-container.privileged-container", - "name": "yaml.kubernetes.security.privileged-container.privileged-container", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.privileged-container.privileged-container" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Sauce Token detected" - }, - "help": { - "markdown": "Sauce Token detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Sauce Token detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sauce-token.detected-sauce-token", - "id": "generic.secrets.security.detected-sauce-token.detected-sauce-token", - "name": "generic.secrets.security.detected-sauce-token.detected-sauce-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-sauce-token.detected-sauce-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.asana-client-id.asana-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks asana-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.asana-client-id.asana-client-id", - "id": "generic.secrets.gitleaks.asana-client-id.asana-client-id", - "name": "generic.secrets.gitleaks.asana-client-id.asana-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.asana-client-id.asana-client-id" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.nosql.gorilla-mongo-nosqli-taint.gorilla-mongo-nosqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.nosql.gorilla-mongo-nosqli-taint.gorilla-mongo-nosqli-taint", - "id": "go.gorilla.nosql.gorilla-mongo-nosqli-taint.gorilla-mongo-nosqli-taint", - "name": "go.gorilla.nosql.gorilla-mongo-nosqli-taint.gorilla-mongo-nosqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.nosql.gorilla-mongo-nosqli-taint.gorilla-mongo-nosqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.ponyorm-flask.ponyorm-flask)\n - [https://docs.ponyorm.org/queries.html](https://docs.ponyorm.org/queries.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use generator expressions syntax provided by Pony ORM to build SQL queries instead to avoid SQL injection." - }, - "helpUri": "https://semgrep.dev/r/python.flask.db.ponyorm-flask.ponyorm-flask", - "id": "python.flask.db.ponyorm-flask.ponyorm-flask", - "name": "python.flask.db.ponyorm-flask.ponyorm-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.db.ponyorm-flask.ponyorm-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.command-injection.rust-rocket-command-injection.rust-rocket-command-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/rust.rocket.command-injection.rust-rocket-command-injection.rust-rocket-command-injection", - "id": "rust.rocket.command-injection.rust-rocket-command-injection.rust-rocket-command-injection", - "name": "rust.rocket.command-injection.rust-rocket-command-injection.rust-rocket-command-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.rocket.command-injection.rust-rocket-command-injection.rust-rocket-command-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function" - }, - "help": { - "markdown": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex)\n - [https://pkg.go.dev/sync#RWMutex](https://pkg.go.dev/sync#RWMutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n", - "text": "Missing `RUnlock` on an `RWMutex` (`$T` variable) lock before returning from a function" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex", - "id": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex", - "name": "trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-667: Improper Locking", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.missing-runlock-on-rwmutex.missing-runlock-on-rwmutex" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://node-postgres.com/features/queries](https://node-postgres.com/features/queries)\n", - "text": "Detected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`" - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.pg-sqli.pg-sqli", - "id": "javascript.aws-lambda.security.pg-sqli.pg-sqli", - "name": "javascript.aws-lambda.security.pg-sqli.pg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.pg-sqli.pg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library." - }, - "help": { - "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://golang.org/doc/database/sql-injection](https://golang.org/doc/database/sql-injection)\n - [https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/](https://www.stackhawk.com/blog/golang-sql-injection-guide-examples-and-prevention/)\n", - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`db.Query(\"SELECT * FROM t WHERE id = ?\", id)`) or a safe library." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.injection.tainted-sql-string.tainted-sql-string", - "id": "go.lang.security.injection.tainted-sql-string.tainted-sql-string", - "name": "go.lang.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this." - }, - "help": { - "markdown": "Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://blog.atomist.com/security-of-docker-kubernetes/](https://blog.atomist.com/security-of-docker-kubernetes/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-8-set-filesystem-and-volumes-to-read-only)\n", - "text": "Container $CONTAINER is running with a writable root filesystem. This may allow malicious applications to download and run additional payloads, or modify container files. If an application inside a container has to save something temporarily consider using a tmpfs. Add 'readOnlyRootFilesystem: true' to this container to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container", - "id": "yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container", - "name": "yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.writable-filesystem-container.writable-filesystem-container" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-missing.flask-cookie-secure-missing)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-secure-missing.flask-cookie-secure-missing", - "id": "python.flask.web.flask-cookie-secure-missing.flask-cookie-secure-missing", - "name": "python.flask.web.flask-cookie-secure-missing.flask-cookie-secure-missing", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-secure-missing.flask-cookie-secure-missing" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://x-stream.github.io/security.html](https://x-stream.github.io/security.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `XStream` unless you explicitly define permissions for types that are allowed to be deserialized by `XStream`." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "id": "java.spring.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "name": "java.spring.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.xstream-anytype-deserialization-deepsemgrep.xstream-anytype-deserialization-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets", - "id": "java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets", - "name": "java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.objectinputstream-deserialization-servlets.objectinputstream-deserialization-servlets" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection." - }, - "help": { - "markdown": "Use of $window.location.href can lead to open-redirect if user input is used for redirection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsJs](https://docs.angularjs.org/api/ng/service/$sce#trustAsJs)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "Use of $window.location.href can lead to open-redirect if user input is used for redirection." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect", - "id": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect", - "name": "javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-open-redirect.detect-angular-open-redirect" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing." - }, - "help": { - "markdown": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n", - "text": "The application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-res-sendfile.express-res-sendfile", - "id": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile", - "name": "javascript.express.security.audit.express-res-sendfile.express-res-sendfile", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-73: External Control of File Name or Path", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-res-sendfile.express-res-sendfile" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-shelve-pyramid.tainted-shelve-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://docs.python.org/3/library/shelve.html](https://docs.python.org/3/library/shelve.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) The `shelve` module uses `pickle` and should not be used with data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-shelve-pyramid.tainted-shelve-pyramid", - "id": "python.pyramid.deserialization.tainted-shelve-pyramid.tainted-shelve-pyramid", - "name": "python.pyramid.deserialization.tainted-shelve-pyramid.tainted-shelve-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-shelve-pyramid.tainted-shelve-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-talisman-decorator-cookie-secure-false.flask-talisman-decorator-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-talisman-decorator-cookie-secure-false.flask-talisman-decorator-cookie-secure-false", - "id": "python.flask.web.flask-talisman-decorator-cookie-secure-false.flask-talisman-decorator-cookie-secure-false", - "name": "python.flask.web.flask-talisman-decorator-cookie-secure-false.flask-talisman-decorator-cookie-secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-talisman-decorator-cookie-secure-false.flask-talisman-decorator-cookie-secure-false" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks sentry-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks sentry-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.sentry-access-token.sentry-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks sentry-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.sentry-access-token.sentry-access-token", - "id": "generic.secrets.gitleaks.sentry-access-token.sentry-access-token", - "name": "generic.secrets.gitleaks.sentry-access-token.sentry-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.sentry-access-token.sentry-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.secrets.database-password.database-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/php.secrets.database-password.database-password", - "id": "php.secrets.database-password.database-password", - "name": "php.secrets.database-password.database-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.secrets.database-password.database-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks flutterwave-encryption-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks flutterwave-encryption-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks flutterwave-encryption-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key", - "id": "generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key", - "name": "generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.flutterwave-encryption-key.flutterwave-encryption-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities" - }, - "help": { - "markdown": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "User controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup", - "id": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup", - "name": "javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.fbjs.security.audit.insecure-createnodesfrommarkup.insecure-createnodesfrommarkup" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views." - }, - "help": { - "markdown": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a request with potential user-input going into an `Ok()` response. This bypasses any view or template environments, including HTML escaping, which may expose this application to cross-site scripting (XSS) vulnerabilities. Consider using a view technology such as Twirl which automatically escapes HTML views." - }, - "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-html-response.tainted-html-response", - "id": "scala.play.security.tainted-html-response.tainted-html-response", - "name": "scala.play.security.tainted-html-response.tainted-html-response", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.play.security.tainted-html-response.tainted-html-response" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-fs-flask.tainted-path-traversal-fs-flask)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-path-traversal-fs-flask.tainted-path-traversal-fs-flask", - "id": "python.flask.file.tainted-path-traversal-fs-flask.tainted-path-traversal-fs-flask", - "name": "python.flask.file.tainted-path-traversal-fs-flask.tainted-path-traversal-fs-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-path-traversal-fs-flask.tainted-path-traversal-fs-flask" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks discord-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks discord-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.discord-client-id.discord-client-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks discord-client-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.discord-client-id.discord-client-id", - "id": "generic.secrets.gitleaks.discord-client-id.discord-client-id", - "name": "generic.secrets.gitleaks.discord-client-id.discord-client-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.discord-client-id.discord-client-id" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." - }, - "help": { - "markdown": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request)\n - [https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html](https://docs.oracle.com/javase/7/docs/api/java/sql/PreparedStatement.html)\n", - "text": "User data flows into this manually-constructed SQL string. User data can be safely inserted into SQL strings using prepared statements or an object-relational mapper (ORM). Manually-constructed SQL strings is a possible indicator of SQL injection, which could let an attacker steal or manipulate data from the database. Instead, use prepared statements (`connection.PreparedStatement`) or a safe library." - }, - "helpUri": "https://semgrep.dev/r/scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request", - "id": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request", - "name": "scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.play.security.tainted-sql-from-http-request.tainted-sql-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks." - }, - "help": { - "markdown": "Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate)\n", - "text": "Insecure Implementation of SSL. Trusting all the certificates or accepting self signed certificates is a critical Security Hole. This application is vulnerable to MITM attacks." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate", - "id": "mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate", - "name": "mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-295", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.network.accept_self_signed.accept_self_signed_certificate" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location." - }, - "help": { - "markdown": "Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape)\n - [http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/](http://www.managerjs.com/blog/2015/05/will-ejs-escape-save-me-from-xss-sorta/)\n", - "text": "Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape", - "id": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape", - "name": "javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks finicity-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks finicity-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks finicity-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret", - "id": "generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret", - "name": "generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.finicity-client-secret.finicity-client-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string-deepsemgrep.formatted-sql-string-deepsemgrep)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps](https://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html#create_ps)\n - [https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement](https://software-security.sans.org/developer-how-to/fix-sql-injection-in-java-using-prepared-callable-statement)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in Java, it is possible to adopt prepared statements by using the `java.sql.PreparedStatement` class with bind variables." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.formatted-sql-string-deepsemgrep.formatted-sql-string-deepsemgrep", - "id": "java.lang.security.audit.formatted-sql-string-deepsemgrep.formatted-sql-string-deepsemgrep", - "name": "java.lang.security.audit.formatted-sql-string-deepsemgrep.formatted-sql-string-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.formatted-sql-string-deepsemgrep.formatted-sql-string-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pgx-sqli-taint.pgx-sqli-taint)\n - [https://github.com/jackc/pgx](https://github.com/jackc/pgx)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool](https://pkg.go.dev/github.com/jackc/pgx/v4#hdr-Connection_Pool)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Create parameterized queries in pgx by using positional parameters (`$1`, `$2`, ...) and adding the values as additional arguments to the function call. It is also possible to create prepared statements through the `Prepare` function. This function uses the same placeholders for bound parameters." - }, - "helpUri": "https://semgrep.dev/r/go.net.sql.pgx-sqli-taint.pgx-sqli-taint", - "id": "go.net.sql.pgx-sqli-taint.pgx-sqli-taint", - "name": "go.net.sql.pgx-sqli-taint.pgx-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.sql.pgx-sqli-taint.pgx-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-numpy-pickle-fastapi.tainted-numpy-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/marshal.html](https://docs.python.org/3/library/marshal.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://numpy.org/doc/stable/reference/generated/numpy.load.html](https://numpy.org/doc/stable/reference/generated/numpy.load.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Using `pickle` for object deserialization can lead to insecure deserialization vulnerabilities. The `numpy.load()` function allows `pickle` for object deserialization. This behaviour is turned off by default in version 1.16.3. If the usage of `pickle` was intentionally allowed, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly set `allow_pickle` to `True`, as the numpy library is now otherwise secure against these types of attacks." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-numpy-pickle-fastapi.tainted-numpy-pickle-fastapi", - "id": "python.fastapi.deserialization.tainted-numpy-pickle-fastapi.tainted-numpy-pickle-fastapi", - "name": "python.fastapi.deserialization.tainted-numpy-pickle-fastapi.tainted-numpy-pickle-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-numpy-pickle-fastapi.tainted-numpy-pickle-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi." - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli)\n - [https://knexjs.org/#Builder-fromRaw](https://knexjs.org/#Builder-fromRaw)\n - [https://knexjs.org/#Builder-whereRaw](https://knexjs.org/#Builder-whereRaw)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Detected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli", - "id": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli", - "name": "javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxparser-xxe-servlet.tainted-saxparser-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxparser-xxe-servlet.tainted-saxparser-xxe-servlet", - "id": "java.servlets.security.xxe.tainted-saxparser-xxe-servlet.tainted-saxparser-xxe-servlet", - "name": "java.servlets.security.xxe.tainted-saxparser-xxe-servlet.tainted-saxparser-xxe-servlet", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xxe.tainted-saxparser-xxe-servlet.tainted-saxparser-xxe-servlet" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible." - }, - "help": { - "markdown": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_model_attr_accessible.rb)\n", - "text": "Checks for dangerous permitted attributes that can lead to mass assignment vulnerabilities. Query parameters allowed using permit and attr_accessible are checked for allowance of dangerous attributes admin, banned, role, and account_id. Also checks for usages of params.permit!, which allows everything. Fix: don't allow admin, banned, role, and account_id using permit or attr_accessible." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.model-attr-accessible.model-attr-accessible", - "id": "ruby.lang.security.model-attr-accessible.model-attr-accessible", - "name": "ruby.lang.security.model-attr-accessible.model-attr-accessible", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.model-attr-accessible.model-attr-accessible" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks microsoft-teams-webhook was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks microsoft-teams-webhook was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks microsoft-teams-webhook was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook", - "id": "generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook", - "name": "generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.microsoft-teams-webhook.microsoft-teams-webhook" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks github-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks github-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.github-pat.github-pat)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks github-pat was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.github-pat.github-pat", - "id": "generic.secrets.gitleaks.github-pat.github-pat", - "name": "generic.secrets.gitleaks.github-pat.github-pat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.github-pat.github-pat" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.command-injection.gin-command-injection.gin-command-injection-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/os/exec](https://pkg.go.dev/os/exec)\n - [https://pkg.go.dev/syscall#Exec](https://pkg.go.dev/syscall#Exec)\n - [https://semgrep.dev/docs/cheat-sheets/go-command-injection/](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/go.gin.command-injection.gin-command-injection.gin-command-injection-taint", - "id": "go.gin.command-injection.gin-command-injection.gin-command-injection-taint", - "name": "go.gin.command-injection.gin-command-injection.gin-command-injection-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gin.command-injection.gin-command-injection.gin-command-injection-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymongo.python-pymongo-empty-password.python-pymongo-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.pymongo.python-pymongo-empty-password.python-pymongo-empty-password", - "id": "python.pymongo.python-pymongo-empty-password.python-pymongo-empty-password", - "name": "python.pymongo.python-pymongo-empty-password.python-pymongo-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymongo.python-pymongo-empty-password.python-pymongo-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis." - }, - "help": { - "markdown": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#logging)\n - [https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet](https://docs.microsoft.com/en-us/azure/storage/common/storage-analytics-logging?tabs=dotnet)\n", - "text": "Storage Analytics logs detailed information about successful and failed requests to a storage service. This information can be used to monitor individual requests and to diagnose issues with a storage service. Requests are logged on a best-effort basis." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging", - "id": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging", - "name": "terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "LOW CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "OWASP-A10:2017 - Insufficient Logging & Monitoring", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.storage.storage-queue-services-logging.storage-queue-services-logging" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "id": "java.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "name": "java.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.okhttp.secrets.hardcoded-secret-in-request-header.hardcoded-secret-in-request-header" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret", - "id": "java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret", - "name": "java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jsch.jsch-hardcoded-secret.jsch-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to leverage biometrics, without verifying that biometric changes have not taken place. Failure to do so means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass the authentication mechanism within the app. The application should check first that biometric changes have not been made, then proceed." - }, - "help": { - "markdown": "The application was observed to leverage biometrics, without verifying that biometric changes have not taken place. Failure to do so means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass the authentication mechanism within the app. The application should check first that biometric changes have not been made, then proceed.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.no-verify.verify-biometric-changes)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n - [https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df](https://shirazkhan030.medium.com/biometric-authentication-in-ios-6c53c54f17df)\n", - "text": "The application was observed to leverage biometrics, without verifying that biometric changes have not taken place. Failure to do so means that an attacker with knowledge of the victim's passcode or the ability to guess the passcode - can register their own biometrics, and bypass the authentication mechanism within the app. The application should check first that biometric changes have not been made, then proceed." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.no-verify.verify-biometric-changes", - "id": "swift.biometrics-and-auth.no-verify.verify-biometric-changes", - "name": "swift.biometrics-and-auth.no-verify.verify-biometric-changes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-305: Authentication Bypass by Primary Weakness", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.no-verify.verify-biometric-changes" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.couchbase.python-couchbase-empty-password.python-couchbase-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.couchbase.python-couchbase-empty-password.python-couchbase-empty-password", - "id": "python.couchbase.python-couchbase-empty-password.python-couchbase-empty-password", - "name": "python.couchbase.python-couchbase-empty-password.python-couchbase-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.couchbase.python-couchbase-empty-password.python-couchbase-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks adafruit-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks adafruit-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks adafruit-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key", - "id": "generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key", - "name": "generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.adafruit-api-key.adafruit-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.httponly-false.httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.audit.cookies.httponly-false.httponly-false", - "id": "java.micronaut.audit.cookies.httponly-false.httponly-false", - "name": "java.micronaut.audit.cookies.httponly-false.httponly-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.audit.cookies.httponly-false.httponly-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.secure-false.secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.audit.cookies.secure-false.secure-false", - "id": "java.micronaut.audit.cookies.secure-false.secure-false", - "name": "java.micronaut.audit.cookies.secure-false.secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.audit.cookies.secure-false.secure-false" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pkg.go.dev/os/exec](https://pkg.go.dev/os/exec)\n - [https://pkg.go.dev/syscall#Exec](https://pkg.go.dev/syscall#Exec)\n - [https://semgrep.dev/docs/cheat-sheets/go-command-injection/](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. In Go, it is possible to use the `exec.Command` function in combination with the `bash -c` command to run the user input as a shell command. To sanitize the user input, you can use a library like `shellescape` to escape any special characters before constructing the command. For more information, see: [Go command injection prevention](https://semgrep.dev/docs/cheat-sheets/go-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint", - "id": "go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint", - "name": "go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.command-injection.net-http-command-injection-taint.net-http-command-injection-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of the insecure Blowfish encryption algorithm was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered unfit for purpose. " - }, - "help": { - "markdown": "The use of the insecure Blowfish encryption algorithm was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered unfit for purpose. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-blowfish.insecure-crypto-algorithm-blowfish)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/87278/why-dont-we-use-blowfish-if-it-hasnt-been-cracked](https://crypto.stackexchange.com/questions/87278/why-dont-we-use-blowfish-if-it-hasnt-been-cracked)\n", - "text": "The use of the insecure Blowfish encryption algorithm was detected. Blowfish uses a 64-bit block size that makes it vulnerable to birthday attacks, and is therefore considered unfit for purpose. " - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-blowfish.insecure-crypto-algorithm-blowfish", - "id": "swift.commoncrypto.insecure-crypto-algorithm-blowfish.insecure-crypto-algorithm-blowfish", - "name": "swift.commoncrypto.insecure-crypto-algorithm-blowfish.insecure-crypto-algorithm-blowfish", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-blowfish.insecure-crypto-algorithm-blowfish" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API." - }, - "help": { - "markdown": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method)\n - [https://docs.angularjs.org/api/ng/service/$sce](https://docs.angularjs.org/api/ng/service/$sce)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "The use of $sce.trustAs can be dangerous if unsanitized user input flows through this API." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method", - "id": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method", - "name": "javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-angular-trust-as-method.detect-angular-trust-as-method" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead." - }, - "help": { - "markdown": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish)\n - [https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers](https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#weak-ciphers)\n - [https://tools.ietf.org/html/rfc5469](https://tools.ietf.org/html/rfc5469)\n", - "text": "Blowfish is a block cipher developed by Bruce Schneier. It is known to be susceptible to attacks when using weak keys. The author has recommended that users of Blowfish move to newer algorithms such as AES. With the `cryptography` package it is recommended to use `Fernet` which is a secure implementation of AES in CBC mode with a 128-bit key. Alternatively, keep using the `Cipher` class from the hazmat primitives but use the AES algorithm instead." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish", - "id": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish", - "name": "python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.security.insecure-cipher-algorithms-blowfish.insecure-cipher-algorithm-blowfish" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure Kinesis stream is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk", - "id": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk", - "name": "terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-kinesis-stream-encrypted-with-cmk.aws-kinesis-stream-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks bittrex-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks bittrex-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks bittrex-access-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key", - "id": "generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key", - "name": "generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.bittrex-access-key.bittrex-access-key" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature." - }, - "help": { - "markdown": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-login-session-protection-none.flask-login-session-protection-none)\n - [https://flask-login.readthedocs.io/en/latest/#session-protection](https://flask-login.readthedocs.io/en/latest/#session-protection)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Flask-Login provides session protection to help prevent user sessions from being stolen. When this is active, sessions will be marked as non-fresh when the user's IP or user agent is changed. It is not advised to disable this feature." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-login-session-protection-none.flask-login-session-protection-none", - "id": "python.flask.web.flask-login-session-protection-none.flask-login-session-protection-none", - "name": "python.flask.web.flask-login-session-protection-none.flask-login-session-protection-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-613: Insufficient Session Expiration", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-login-session-protection-none.flask-login-session-protection-none" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "source_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function." - }, - "help": { - "markdown": "source_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib)\n", - "text": "source_hash' is only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Instead, use another hash function." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib", - "id": "python.lang.compatibility.python37.python37-compatibility-importlib", - "name": "python.lang.compatibility.python37.python37-compatibility-importlib", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None." - }, - "help": { - "markdown": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie)\n - [https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie](https://docs.djangoproject.com/en/3.0/ref/request-response/#django.http.HttpResponse.set_cookie)\n - [https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/](https://semgrep.dev/blog/2020/bento-check-keeping-cookies-safe-in-flask/)\n - [https://bento.dev/checks/flask/secure-set-cookie/](https://bento.dev/checks/flask/secure-set-cookie/)\n", - "text": "Django cookies should be handled securely by setting secure=True, httponly=True, and samesite='Lax' in response.set_cookie(...). If your situation calls for different settings, explicitly disable the setting. If you want to send the cookie over http, set secure=False. If you want to let client-side JavaScript read the cookie, set httponly=False. If you want to attach cookies to requests for external sites, set samesite=None." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.secure-cookies.django-secure-set-cookie", - "id": "python.django.security.audit.secure-cookies.django-secure-set-cookie", - "name": "python.django.security.audit.secure-cookies.django-secure-set-cookie", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.secure-cookies.django-secure-set-cookie" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.tainted-xml-decoder-deepsemgrep.tainted-xml-decoder-deepsemgrep)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.tainted-xml-decoder-deepsemgrep.tainted-xml-decoder-deepsemgrep", - "id": "java.servlets.security.tainted-xml-decoder-deepsemgrep.tainted-xml-decoder-deepsemgrep", - "name": "java.servlets.security.tainted-xml-decoder-deepsemgrep.tainted-xml-decoder-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.tainted-xml-decoder-deepsemgrep.tainted-xml-decoder-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or conduct other typical XSS attacks." - }, - "help": { - "markdown": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or conduct other typical XSS attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-loadhtmlstring-xss.swift-webview-xss)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n", - "text": "Potential cross site scripting (XSS) occurs due to untrusted input being loaded into a WebView. The impact of such issues can vary depending on the features, permissions and exposure of data & functionality that the WebView contains. For example, in some applications the presence of JavaScript bridges may allow for the instrumentation of application code, and potentially arbitrary code execution in the context of the app. In other instances, it may be possible to manipulate the DOM to redraw the UI and phish users, or conduct other typical XSS attacks." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-loadhtmlstring-xss.swift-webview-xss", - "id": "swift.webview.webview-loadhtmlstring-xss.swift-webview-xss", - "name": "swift.webview.webview-loadhtmlstring-xss.swift-webview-xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79:Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-loadhtmlstring-xss.swift-webview-xss" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-saxparser-xxe-spring.tainted-saxparser-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the SAXParserFactory with `factory.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations for the SAXParserFactory also provide protection against XXE attacks. `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`, enabling both of `factory.setFeature(\"http://xml.org/sax/features/external-general-entities\", and `factory.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. Furthermore, you can configure the SAXParser itself with `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` to provide protection against XXE attacks. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.xxe.tainted-saxparser-xxe-spring.tainted-saxparser-xxe-spring", - "id": "java.spring.security.xxe.tainted-saxparser-xxe-spring.tainted-saxparser-xxe-spring", - "name": "java.spring.security.xxe.tainted-saxparser-xxe-spring.tainted-saxparser-xxe-spring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.xxe.tainted-saxparser-xxe-spring.tainted-saxparser-xxe-spring" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected." - }, - "help": { - "markdown": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n", - "text": "The libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-libxml-noent.express-libxml-noent", - "id": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent", - "name": "javascript.express.security.audit.express-libxml-noent.express-libxml-noent", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-libxml-noent.express-libxml-noent" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided." - }, - "help": { - "markdown": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://cwe.mitre.org/data/definitions/942.html](https://cwe.mitre.org/data/definitions/942.html)\n", - "text": "CORS policy allows any origin (using wildcard '*'). This is insecure and should be avoided." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.security.wildcard-cors.wildcard-cors", - "id": "python.fastapi.security.wildcard-cors.wildcard-cors", - "name": "python.fastapi.security.wildcard-cors.wildcard-cors", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.security.wildcard-cors.wildcard-cors" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: 'cur.execute(\"SELECT %s FROM table\", (user_value,))'." - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: 'cur.execute(\"SELECT %s FROM table\", (user_value,))'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli)\n - [https://github.com/aio-libs/aiopg](https://github.com/aio-libs/aiopg)\n", - "text": "Detected string concatenation with a non-literal variable in an aiopg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries instead. You can create parameterized queries like so: 'cur.execute(\"SELECT %s FROM table\", (user_value,))'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli", - "id": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli", - "name": "python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.sqli.aiopg-sqli.aiopg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "help": { - "markdown": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes)\n - [https://pugjs.org/language/attributes.html#attributes](https://pugjs.org/language/attributes.html#attributes)\n", - "text": "Detected a unescaped variables using '&attributes'. If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. If you must do this, ensure no external data can reach this location." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes", - "id": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes", - "name": "javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.xss.pug.and-attributes.template-and-attributes" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "UIWebView instances were observed where the baseURL is misconfigured as nil, which allows for origin abuse within the webview. In order to remove the effective origin, the application should explicitly set the baseURL to `about:blank` or similar." - }, - "help": { - "markdown": "UIWebView instances were observed where the baseURL is misconfigured as nil, which allows for origin abuse within the webview. In order to remove the effective origin, the application should explicitly set the baseURL to `about:blank` or similar.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.webview.webview-baseurl.swift-webview-config-base-url)\n - [https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/](https://mas.owasp.org/MASVS/controls/MASVS-PLATFORM-2/)\n", - "text": "UIWebView instances were observed where the baseURL is misconfigured as nil, which allows for origin abuse within the webview. In order to remove the effective origin, the application should explicitly set the baseURL to `about:blank` or similar." - }, - "helpUri": "https://semgrep.dev/r/swift.webview.webview-baseurl.swift-webview-config-base-url", - "id": "swift.webview.webview-baseurl.swift-webview-config-base-url", - "name": "swift.webview.webview-baseurl.swift-webview-config-base-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.webview.webview-baseurl.swift-webview-config-base-url" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret", - "id": "csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret", - "name": "csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.system.networkcredential-hardcoded-secret.networkcredential-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities." - }, - "help": { - "markdown": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile)\n - [https://cwe.mitre.org/data/definitions/250.html](https://cwe.mitre.org/data/definitions/250.html)\n - [https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user](https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user)\n", - "text": "Avoid using sudo in Dockerfiles. Running processes as a non-root user can help reduce the potential impact of configuration errors and security vulnerabilities." - }, - "helpUri": "https://semgrep.dev/r/dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", - "id": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", - "name": "dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: dockerfile.security.no-sudo-in-dockerfile.no-sudo-in-dockerfile" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"." - }, - "help": { - "markdown": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.net.httplistener?view=net-6.0)\n", - "text": "The top level wildcard bindings $PREFIX leaves your application open to security vulnerabilities and give attackers more control over where traffic is routed. If you must use wildcards, consider using subdomain wildcard binding. For example, you can use \"*.asdf.gov\" if you own all of \"asdf.gov\"." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", - "id": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", - "name": "csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-706: Use of Incorrectly-Resolved Name or Reference", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.http.http-listener-wildcard-bindings.http-listener-wildcard-bindings" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "help": { - "markdown": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec)\n - [https://owasp.org/www-community/attacks/Code_Injection](https://owasp.org/www-community/attacks/Code_Injection)\n", - "text": "Found user data in a call to 'exec'. This is extremely dangerous because it can enable an attacker to execute arbitrary remote code on the system. Instead, refactor your code to not use 'eval' and instead use a safe library for the specific functionality you need." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-exec.user-exec", - "id": "python.django.security.injection.code.user-exec.user-exec", - "name": "python.django.security.injection.code.user-exec.user-exec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.code.user-exec.user-exec" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network." - }, - "help": { - "markdown": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request)\n - [https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server](https://www.codejava.net/java-se/ftp/connect-and-login-to-a-ftp-server)\n - [https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html](https://commons.apache.org/proper/commons-net/apidocs/org/apache/commons/net/ftp/FTPClient.html)\n", - "text": "Checks for outgoing connections to ftp servers. FTP does not encrypt traffic, possibly leading to PII being sent plaintext over the network." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.ftp-request.ftp-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret", - "id": "csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret", - "name": "csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.mongo.csharp-mongo-hardcoded-secret.csharp-mongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." - }, - "help": { - "markdown": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf](https://www.blackhat.com/docs/us-15/materials/us-15-Wang-FileCry-The-New-Age-Of-XXE-java-wp.pdf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser)\n", - "text": "XML external entities are not explicitly disabled for this XMLInputFactory. This could be vulnerable to XML external entity vulnerabilities. Explicitly disable external entities by setting \"javax.xml.stream.isSupportingExternalEntities\" to false." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", - "id": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", - "name": "java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xmlinputfactory-possible-xxe.xmlinputfactory-possible-xxe" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls." - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli)\n - [https://golang.org/pkg/database/sql/](https://golang.org/pkg/database/sql/)\n", - "text": "Detected string concatenation with a non-literal variable in a \"database/sql\" Go SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements with the 'Prepare' and 'PrepareContext' calls." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.sqli.gosql-sqli.gosql-sqli", - "id": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli", - "name": "go.lang.security.audit.sqli.gosql-sqli.gosql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.sqli.gosql-sqli.gosql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged." - }, - "help": { - "markdown": "Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.log.tainted-log-injection-log-formatter-flask.tainted-log-injection-log-formatter-flask)\n - [https://cwe.mitre.org/data/definitions/117.html](https://cwe.mitre.org/data/definitions/117.html)\n - [https://flask.palletsprojects.com/en/2.3.x/logging/](https://flask.palletsprojects.com/en/2.3.x/logging/)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures)\n", - "text": "Detected a logger that logs user input without properly neutralizing the output. The log message could contain characters like ` ` and ` ` and cause an attacker to forge log entries or include malicious content into the logs. Use proper input validation and/or output encoding to prevent log entries from being forged." - }, - "helpUri": "https://semgrep.dev/r/python.flask.log.tainted-log-injection-log-formatter-flask.tainted-log-injection-log-formatter-flask", - "id": "python.flask.log.tainted-log-injection-log-formatter-flask.tainted-log-injection-log-formatter-flask", - "name": "python.flask.log.tainted-log-injection-log-formatter-flask.tainted-log-injection-log-formatter-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-117: Improper Output Neutralization for Logs", - "HIGH CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.log.tainted-log-injection-log-formatter-flask.tainted-log-injection-log-formatter-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests sent via Apache HTTP Components to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "help": { - "markdown": "Checks for requests sent via Apache HTTP Components to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request)\n - [https://hc.apache.org/httpcomponents-client-ga/quickstart.html](https://hc.apache.org/httpcomponents-client-ga/quickstart.html)\n", - "text": "Checks for requests sent via Apache HTTP Components to http:// URLS. This is dangerous because the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, send requests only to https:// URLS." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.http-components-request.http-components-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side." - }, - "help": { - "markdown": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count)\n", - "text": "Using QUERY.count() instead of len(QUERY.all()) sends less data to the client since the SQLAlchemy method is performed server-side." - }, - "helpUri": "https://semgrep.dev/r/python.sqlalchemy.performance.performance-improvements.len-all-count", - "id": "python.sqlalchemy.performance.performance-improvements.len-all-count", - "name": "python.sqlalchemy.performance.performance-improvements.len-all-count", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.sqlalchemy.performance.performance-improvements.len-all-count" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments." - }, - "help": { - "markdown": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.openssl-disabled-cert-validation.openssl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.crypto.certificate.openssl-disabled-cert-validation.openssl-disabled-cert-validation", - "id": "cpp.lang.security.crypto.certificate.openssl-disabled-cert-validation.openssl-disabled-cert-validation", - "name": "cpp.lang.security.crypto.certificate.openssl-disabled-cert-validation.openssl-disabled-cert-validation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "HIGH CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.crypto.certificate.openssl-disabled-cert-validation.openssl-disabled-cert-validation" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'." - }, - "help": { - "markdown": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1)\n", - "text": "IPv6Network.subnet_of is only available on Python 3.7+ and is therefore not backwards compatible. Instead, check if the subnet is in 'subnets'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-ipv6network1", - "id": "python.lang.compatibility.python37.python37-compatibility-ipv6network1", - "name": "python.lang.compatibility.python37.python37-compatibility-ipv6network1", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-ipv6network1" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxtransformerfactory-xxe-servlet.tainted-saxtransformerfactory-xxe-servlet)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxtransformerfactory-xxe-servlet.tainted-saxtransformerfactory-xxe-servlet", - "id": "java.servlets.security.xxe.tainted-saxtransformerfactory-xxe-servlet.tainted-saxtransformerfactory-xxe-servlet", - "name": "java.servlets.security.xxe.tainted-saxtransformerfactory-xxe-servlet.tainted-saxtransformerfactory-xxe-servlet", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xxe.tainted-saxtransformerfactory-xxe-servlet.tainted-saxtransformerfactory-xxe-servlet" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn the automatic check for all unsafe methods (per RFC2616)." - }, - "help": { - "markdown": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn the automatic check for all unsafe methods (per RFC2616).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Automatic check of cross-site request forgery tokens has been explicitly disabled globally, which might leave views unprotected. Use 'pyramid.config.Configurator.set_default_csrf_options(require_csrf=True)' to turn the automatic check for all unsafe methods (per RFC2616)." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally", - "id": "python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally", - "name": "python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.security.csrf-check-disabled-globally.pyramid-csrf-check-disabled-globally" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.xml.tainted-fastapi-xml-xpath-stdlib.tainted-fastapi-xml-xpath-stdlib)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_Security_Cheat_Sheet.html)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can. The xml parsing library are safe from several known high-impact vulnerabilities such as external entity expansion and DTD retrieval. However, search queries in the XML documents are still vulnerable to XPath injection attacks." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.xml.tainted-fastapi-xml-xpath-stdlib.tainted-fastapi-xml-xpath-stdlib", - "id": "python.fastapi.xml.tainted-fastapi-xml-xpath-stdlib.tainted-fastapi-xml-xpath-stdlib", - "name": "python.fastapi.xml.tainted-fastapi-xml-xpath-stdlib.tainted-fastapi-xml-xpath-stdlib", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.xml.tainted-fastapi-xml-xpath-stdlib.tainted-fastapi-xml-xpath-stdlib" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements." - }, - "help": { - "markdown": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Distinct, Having, Group_by, Order_by, and Filter in SQLAlchemy can cause sql injections if the developer inputs raw SQL into the before-mentioned clauses. This pattern captures relevant cases in which the developer inputs raw SQL into the distinct, having, group_by, order_by or filter clauses and injects user-input into the raw SQL with any function besides \"bindparams\". Use bindParams to securely bind user-input to SQL statements." - }, - "helpUri": "https://semgrep.dev/r/python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection", - "id": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection", - "name": "python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.sqlalchemy.security.sqlalchemy-sql-injection.sqlalchemy-sql-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach `vm2`." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach `vm2`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Make sure that unverified user data can not reach `vm2`." - }, - "helpUri": "https://semgrep.dev/r/javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection", - "id": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection", - "name": "javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.vm2.security.audit.vm2-context-injection.vm2-context-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs." - }, - "help": { - "markdown": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret)\n - [https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY](https://flask.palletsprojects.com/en/2.2.x/config/#SECRET_KEY)\n - [http://carnage.github.io/2015/08/cryptanalysis-of-hashids](http://carnage.github.io/2015/08/cryptanalysis-of-hashids)\n", - "text": "The Flask secret key is used as salt in HashIDs. The HashID mechanism is not secure. By observing sufficient HashIDs, the salt used to construct them can be recovered. This means the Flask secret key can be obtained by attackers, through the HashIDs." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret", - "id": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret", - "name": "python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 – Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.hashids-with-flask-secret.hashids-with-flask-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries." - }, - "help": { - "markdown": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string)\n - [https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet](https://rorsecurity.info/portfolio/ruby-on-rails-sql-injection-cheat-sheet)\n", - "text": "Detected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as ActiveRecord which will protect your queries." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.injection.tainted-sql-string.tainted-sql-string", - "id": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string", - "name": "ruby.rails.security.injection.tainted-sql-string.tainted-sql-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.injection.tainted-sql-string.tainted-sql-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-bearer-token.hardcoded-bearer-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.axios.hardcoded-bearer-token.hardcoded-bearer-token", - "id": "javascript.axios.hardcoded-bearer-token.hardcoded-bearer-token", - "name": "javascript.axios.hardcoded-bearer-token.hardcoded-bearer-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.axios.hardcoded-bearer-token.hardcoded-bearer-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded", - "id": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded", - "name": "kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "MEDIUM CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.gradle.security.build-gradle-password-hardcoded.build-gradle-password-hardcoded" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." - }, - "help": { - "markdown": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions](https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html#do-not-use-dangerous-functions)\n", - "text": "Detected non-literal calls to $EXEC(). This could lead to a command injection vulnerability." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell", - "id": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell", - "name": "javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.dangerous-spawn-shell.dangerous-spawn-shell" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint-grpc.systemdata-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint-grpc.systemdata-taint-grpc", - "id": "csharp.dotnet-core.sqli.systemdata-taint-grpc.systemdata-taint-grpc", - "name": "csharp.dotnet-core.sqli.systemdata-taint-grpc.systemdata-taint-grpc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint-grpc.systemdata-taint-grpc" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Starting from `ruamel.yaml` version 0.15.0 The default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Starting from `ruamel.yaml` version 0.15.0 The default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.deserialization.tainted-ruamel-pyramid.tainted-ruamel-pyramid)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Starting from `ruamel.yaml` version 0.15.0 The default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.deserialization.tainted-ruamel-pyramid.tainted-ruamel-pyramid", - "id": "python.pyramid.deserialization.tainted-ruamel-pyramid.tainted-ruamel-pyramid", - "name": "python.pyramid.deserialization.tainted-ruamel-pyramid.tainted-ruamel-pyramid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.deserialization.tainted-ruamel-pyramid.tainted-ruamel-pyramid" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.ktor.xss.ktor-request-xss.ktor-request-xss)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "helpUri": "https://semgrep.dev/r/kotlin.ktor.xss.ktor-request-xss.ktor-request-xss", - "id": "kotlin.ktor.xss.ktor-request-xss.ktor-request-xss", - "name": "kotlin.ktor.xss.ktor-request-xss.ktor-request-xss", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.ktor.xss.ktor-request-xss.ktor-request-xss" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.facebook-access-token.facebook-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks facebook-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.facebook-access-token.facebook-access-token", - "id": "generic.secrets.gitleaks.facebook-access-token.facebook-access-token", - "name": "generic.secrets.gitleaks.facebook-access-token.facebook-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.facebook-access-token.facebook-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-dill-fastapi.tainted-dill-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-dill-fastapi.tainted-dill-fastapi", - "id": "python.fastapi.deserialization.tainted-dill-fastapi.tainted-dill-fastapi", - "name": "python.fastapi.deserialization.tainted-dill-fastapi.tainted-dill-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-dill-fastapi.tainted-dill-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.rocket.sql.sqlx-taint.sqlx-taint", - "id": "rust.rocket.sql.sqlx-taint.sqlx-taint", - "name": "rust.rocket.sql.sqlx-taint.sqlx-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.rocket.sql.sqlx-taint.sqlx-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask", - "id": "python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask", - "name": "python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-path-traversal-stdlib-flask.tainted-path-traversal-stdlib-flask" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks launchdarkly-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks launchdarkly-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks launchdarkly-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token", - "id": "generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token", - "name": "generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.launchdarkly-access-token.launchdarkly-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring $FACTORY with `$FACTORY.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$FACTORY.setExpandEntityReferences(false)` `$FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` `$FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$FACTORY.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe", - "id": "kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe", - "name": "kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.documentbuilderfactory-xxe.documentbuilderfactory-xxe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked." - }, - "help": { - "markdown": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createspan?view=net-6.0)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.memorymarshal.createreadonlyspan?view=net-6.0)\n", - "text": "MemoryMarshal.CreateSpan and MemoryMarshal.CreateReadOnlySpan should be used with caution, as the length argument is not checked." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span", - "id": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span", - "name": "csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.memory.memory-marshal-create-span.memory-marshal-create-span" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information." - }, - "help": { - "markdown": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled)\n - [https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance](https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#asp-net-web-forms-guidance)\n - [https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx](https://msdn.microsoft.com/en-us/library/e8z01xdh.aspx)\n", - "text": "OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled", - "id": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled", - "name": "csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1323: Improper Management of Sensitive Trace Data", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.net-webconfig-trace-enabled.net-webconfig-trace-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret", - "id": "kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret", - "name": "kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.sql.drivermanager-hardcoded-empty-secret.drivermanager-hardcoded-empty-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret", - "id": "kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret", - "name": "kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.mongo.mongo-hardcoded-secret.mongo-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.airtable-api-key.airtable-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks airtable-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.airtable-api-key.airtable-api-key", - "id": "generic.secrets.gitleaks.airtable-api-key.airtable-api-key", - "name": "generic.secrets.gitleaks.airtable-api-key.airtable-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.airtable-api-key.airtable-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment." - }, - "help": { - "markdown": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Mass_Assignment_Cheat_Sheet.html)\n", - "text": "Calling `permit` on security-critical properties like `$ATTRIBUTE` may leave your application vulnerable to mass assignment." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium", - "id": "ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium", - "name": "ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-permit-attributes-medium.check-permit-attributes-medium" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." - }, - "help": { - "markdown": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service)\n - [https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html](https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html)\n - [https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/](https://containerjournal.com/topics/container-security/why-running-a-privileged-container-is-not-a-good-idea/)\n", - "text": "Service '$SERVICE' is running in privileged mode. This grants the container the equivalent of root capabilities on the host machine. This can lead to container escapes, privilege escalation, and other security concerns. Remove the 'privileged' key to disable this capability." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.privileged-service.privileged-service", - "id": "yaml.docker-compose.security.privileged-service.privileged-service", - "name": "yaml.docker-compose.security.privileged-service.privileged-service", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.privileged-service.privileged-service" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used." - }, - "help": { - "markdown": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification)\n - [https://nodejs.org/api/https.html#https_https_request_options_callback](https://nodejs.org/api/https.html#https_https_request_options_callback)\n - [https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100](https://stackoverflow.com/questions/20433287/node-js-request-cert-has-expired#answer-29397100)\n", - "text": "Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification", - "id": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification", - "name": "problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. " - }, - "help": { - "markdown": "This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api)\n", - "text": "This app does not uses SafetyNet Attestation API that provides cryptographically-signed attestation, assessing the device's integrity. This check helps to ensure that the servers are interacting with the genuine app running on a genuine Android device. " - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api", - "id": "mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api", - "name": "mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-353", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.best_practices.android_safetynetapi.android_safetynet_api" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli", - "id": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli", - "name": "java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.sqli.hibernate-sqli.hibernate-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret", - "id": "javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret", - "name": "javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.mssql.node-mssql-hardcoded-secret.node-mssql-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks dynatrace-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks dynatrace-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks dynatrace-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token", - "id": "generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token", - "name": "generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.dynatrace-api-token.dynatrace-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands." - }, - "help": { - "markdown": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Detected user input entering a `subprocess` call unsafely. This could result in a command injection vulnerability. An attacker could use this vulnerability to execute arbitrary commands on the host, which allows them to download malware, scan sensitive data, or run any command they wish on the server. Do not let users choose the command to run. In general, prefer to use Python API versions of system commands. If you must use subprocess, use a dictionary to allowlist a set of commands." - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.injection.subprocess-injection.subprocess-injection", - "id": "python.flask.security.injection.subprocess-injection.subprocess-injection", - "name": "python.flask.security.injection.subprocess-injection.subprocess-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.injection.subprocess-injection.subprocess-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "help": { - "markdown": "DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa)\n - [https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/](https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dsa/)\n - [https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography/04-Testing_for_Weak_Encryption)\n - [https://words.filippo.io/dispatches/dsa/](https://words.filippo.io/dispatches/dsa/)\n", - "text": "DSA is a legacy algorithm and should generally be avoided in favor of choices like EdDSA using curve25519 or ECDSA. In general, low-level cryptographic primitives, found in the `cryptography.hazmat package`, are complex and potentially dangerous, requiring deep cryptographic knowledge. It is recommended to use the higher-level recipes layer as a secure default and resort to the hazmat layer only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.cryptography.cryptography-dsa.cryptography-dsa", - "id": "python.cryptography.cryptography-dsa.cryptography-dsa", - "name": "python.cryptography.cryptography-dsa.cryptography-dsa", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cryptography.cryptography-dsa.cryptography-dsa" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it." - }, - "help": { - "markdown": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "Detected the decoding of a JWT token without a verify step. JWT tokens must be verified before use, otherwise the token's integrity is unknown. This means a malicious actor could forge a JWT token with any claims. Validate the token before using it." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify", - "id": "csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify", - "name": "csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-345: Insufficient Verification of Data Authenticity", - "HIGH CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.jwt.jwt-decode-without-verify.jwt-decode-without-verify" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. The driver API has the ability to bind parameters to the query in a safe way. Make sure not to dynamically create SQL queries from user-influenced inputs. If you cannot avoid this, either escape the data properly or create an allowlist to check the value." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi", - "id": "python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi", - "name": "python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.db.generic-sql-fastapi.generic-sql-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password", - "id": "ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password", - "name": "ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.redis.ruby-redis-sentinels-empty-password.ruby-redis-sentinels-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead." - }, - "help": { - "markdown": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object)\n - [https://docs.python.org/3/library/urllib.request.html#urllib.request.Request](https://docs.python.org/3/library/urllib.request.html#urllib.request.Request)\n", - "text": "Detected a 'urllib.request.Request()' object using an insecure transport protocol, 'http://'. This connection will not be encrypted. Use 'https://' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object", - "id": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object", - "name": "python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.urllib.insecure-request-object.insecure-request-object" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.pg.pg-empty-password.pg-empty-password", - "id": "go.secrets.pg.pg-empty-password.pg-empty-password", - "name": "go.secrets.pg.pg-empty-password.pg-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.pg.pg-empty-password.pg-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false", - "id": "python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false", - "name": "python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.web.fastapi-cookie-httponly-false.fastapi-cookie-httponly-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration does not leverage the in-built public key pinning mechanisms. The application should consider leverage ATS public key pinning to ensure that the application only communicates to serves with an allow-listed certificate (and public key). By default the device will allow connections if the default trust store (CA store) posesses the right certificates. The number of accepted Certificate Authorities by default is hundreds. Using public key pinning vastly reduces the attack surface." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning", - "id": "swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning", - "name": "swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-296: Improper Following of a Certificate's Chain of Trust", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-pinning.ATS-consider-pinning" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`." - }, - "help": { - "markdown": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate)\n - [https://www.php.net/manual/en/function.openssl-decrypt.php](https://www.php.net/manual/en/function.openssl-decrypt.php)\n", - "text": "The function `openssl_decrypt` returns either a string of the decrypted data on success or `false` on failure. If the failure case is not handled, this could lead to undefined behavior in your application. Please handle the case where `openssl_decrypt` returns `false`." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate", - "id": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate", - "name": "php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-252: Unchecked Return Value", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.audit.openssl-decrypt-validate.openssl-decrypt-validate" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader)\n - [https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html](https://websec.io/2012/08/27/Preventing-XXE-in-PHP.html)\n - [https://www.php.net/libxml_disable_entity_loader](https://www.php.net/libxml_disable_entity_loader)\n - [https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php](https://www.php.net/manual/en/function.libxml-set-external-entity-loader.php)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader", - "id": "php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader", - "name": "php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.xml-external-entities-unsafe-entity-loader.xml-external-entities-unsafe-entity-loader" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability." - }, - "help": { - "markdown": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string)\n - [https://golang.org/pkg/html/template/#HTML](https://golang.org/pkg/html/template/#HTML)\n", - "text": "Found a formatted template string passed to 'template.HTML()'. 'template.HTML()' does not escape contents. Be absolutely sure there is no user-controlled data in this template. If user data can reach this template, you may have a XSS vulnerability." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.formatted-template-string.formatted-template-string", - "id": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", - "name": "go.lang.security.audit.net.formatted-template-string.formatted-template-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.formatted-template-string.formatted-template-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array", - "id": "python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array", - "name": "python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.os.tainted-os-command-stdlib-secure-if-array.tainted-os-command-stdlib-secure-if-array" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks easypost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks easypost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.easypost-api-token.easypost-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks easypost-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.easypost-api-token.easypost-api-token", - "id": "generic.secrets.gitleaks.easypost-api-token.easypost-api-token", - "name": "generic.secrets.gitleaks.easypost-api-token.easypost-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.easypost-api-token.easypost-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks through parameter entities by configuring $FACTORY with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities", - "id": "java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities", - "name": "java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.xxe.xmlreader-xxe-parameter-entities.xmlreader-xxe-parameter-entities" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.mysql.mysql-empty-password.mysql-empty-password", - "id": "go.secrets.mysql.mysql-empty-password.mysql-empty-password", - "name": "go.secrets.mysql.mysql-empty-password.mysql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.mysql.mysql-empty-password.mysql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption." - }, - "help": { - "markdown": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete)\n - [https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory](https://wiki.sei.cmu.edu/confluence/display/c/MEM30-C.+Do+not+access+freed+memory)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime](https://wiki.sei.cmu.edu/confluence/display/cplusplus/EXP54-CPP.+Do+not+access+an+object+outside+of+its+lifetime)\n", - "text": "This expression points to memory that has been freed. This can lead to a segmentation fault or memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete", - "id": "cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete", - "name": "cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-416: Use After Free", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.use-after-free.local-variable-new-delete.local-variable-new-delete" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks prefect-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks prefect-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.prefect-api-token.prefect-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks prefect-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.prefect-api-token.prefect-api-token", - "id": "generic.secrets.gitleaks.prefect-api-token.prefect-api-token", - "name": "generic.secrets.gitleaks.prefect-api-token.prefect-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.prefect-api-token.prefect-api-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "help": { - "markdown": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors)\n - [https://flask.palletsprojects.com/en/3.0.x/debugging/](https://flask.palletsprojects.com/en/3.0.x/debugging/)\n", - "text": "The application is running debug code or has debug mode enabled. This may expose sensitive information, like stack traces and environment variables, to attackers. It may also modify application behavior, potentially enabling attackers to bypass restrictions. To remediate this finding, ensure that the application's debug code and debug mode are disabled or removed from the production environment." - }, - "helpUri": "https://semgrep.dev/r/python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors", - "id": "python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors", - "name": "python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.debug.debug-flask-passthrough-errors.debug-flask-passthrough-errors" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "help": { - "markdown": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n - [https://dispatchhttp.org/Dispatch.html](https://dispatchhttp.org/Dispatch.html)\n", - "text": "A parameter being passed directly into `url` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request. They could also probe internal servers or other resources that the server running this code can access. Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf", - "id": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf", - "name": "scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.lang.security.audit.dispatch-ssrf.dispatch-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues." - }, - "help": { - "markdown": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session)\n - [https://en.wikipedia.org/wiki/Session_poisoning](https://en.wikipedia.org/wiki/Session_poisoning)\n", - "text": "Session key based on user input risks session poisoning. The user can determine the key used for the session, and thus write any session variable. Session variables are typically trusted to be set only by the application, and manipulating the session can result in access control issues." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.injection.tainted-session.tainted-session", - "id": "php.lang.security.injection.tainted-session.tainted-session", - "name": "php.lang.security.injection.tainted-session.tainted-session", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.injection.tainted-session.tainted-session" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX" - }, - "help": { - "markdown": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n", - "text": "Functions reliant on pickle can result in arbitrary code execution. Consider loading from `state_dict`, using fickling, or switching to a safer serialization method like ONNX" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.pickles-in-pytorch.pickles-in-pytorch", - "id": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch", - "name": "trailofbits.python.pickles-in-pytorch.pickles-in-pytorch", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.pickles-in-pytorch.pickles-in-pytorch" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()." - }, - "help": { - "markdown": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2)\n", - "text": "multiprocessing.Process.kill() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use terminate()." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-multiprocess2", - "id": "python.lang.compatibility.python37.python37-compatibility-multiprocess2", - "name": "python.lang.compatibility.python37.python37-compatibility-multiprocess2", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-multiprocess2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements (java.sql.PreparedStatement) instead. You can obtain a PreparedStatement using 'connection.prepareStatement'." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli", - "id": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli", - "name": "java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.sqli.jdbc-sqli.jdbc-sqli" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks fastly-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks fastly-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.fastly-api-token.fastly-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks fastly-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.fastly-api-token.fastly-api-token", - "id": "generic.secrets.gitleaks.fastly-api-token.fastly-api-token", - "name": "generic.secrets.gitleaks.fastly-api-token.fastly-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.fastly-api-token.fastly-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy." - }, - "help": { - "markdown": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/ssrf.md)\n", - "text": "The protocol scheme for this proxy is dynamically determined. This can be dangerous if the scheme can be injected by an attacker because it may forcibly alter the connection scheme. Consider hardcoding a scheme for this proxy." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", - "id": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", - "name": "generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-16: CWE CATEGORY: Configuration", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.dynamic-proxy-scheme.dynamic-proxy-scheme" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data." - }, - "help": { - "markdown": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Detected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. You can use the OWASP ESAPI encoder if you must render user data." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.injection.tainted-html-string.tainted-html-string", - "id": "java.spring.security.injection.tainted-html-string.tainted-html-string", - "name": "java.spring.security.injection.tainted-html-string.tainted-html-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.injection.tainted-html-string.tainted-html-string" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks pypi-upload-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks pypi-upload-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks pypi-upload-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token", - "id": "generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token", - "name": "generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.pypi-upload-token.pypi-upload-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli)\n - [https://www.npmjs.com/package/pg](https://www.npmjs.com/package/pg)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.pg.express-pg-sqli.express-pg-sqli", - "id": "javascript.express.pg.express-pg-sqli.express-pg-sqli", - "name": "javascript.express.pg.express-pg-sqli.express-pg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.pg.express-pg-sqli.express-pg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy." - }, - "help": { - "markdown": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate)\n - [https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345](https://forum.balancer.fi/t/reentrancy-vulnerability-scope-expanded/4345)\n", - "text": "$VAR.getRate() call on a Balancer pool is not protected from the read-only reentrancy." - }, - "helpUri": "https://semgrep.dev/r/solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate", - "id": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate", - "name": "solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-841: Improper Enforcement of Behavioral Workflow", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.balancer-readonly-reentrancy-getrate.balancer-readonly-reentrancy-getrate" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality." - }, - "help": { - "markdown": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n", - "text": "Pod may use the node network namespace. This gives the pod access to the loopback device, services listening on localhost, and could be used to snoop on network activity of other pods on the same node. Remove the 'hostNetwork' key to disable this functionality." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod", - "id": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod", - "name": "yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-406: Insufficient Control of Network Message Volume (Network Amplification)", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.hostnetwork-pod.hostnetwork-pod" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers." - }, - "help": { - "markdown": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling)\n - [https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c](https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c)\n", - "text": "Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls, and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", - "id": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", - "name": "generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.possible-h2c-smuggling.possible-nginx-h2c-smuggling" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret", - "id": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret", - "name": "javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.express-jwt-hardcoded-secret.express-jwt-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal." - }, - "help": { - "markdown": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine)\n - [https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/](https://www.praetorian.com/blog/pathcombine-security-issues-in-aspnet-applications/)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks](https://docs.microsoft.com/en-us/dotnet/api/system.io.path.combine?view=net-6.0#remarks)\n", - "text": "String argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", - "id": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", - "name": "csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.filesystem.unsafe-path-combine.unsafe-path-combine" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data" - }, - "help": { - "markdown": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid)\n - [https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data](https://docs.djangoproject.com/en/4.2/ref/forms/api/#accessing-clean-data)\n", - "text": "Use $FORM.cleaned_data[] instead of request.POST[] after form.is_valid() has been executed to only access sanitized data" - }, - "helpUri": "https://semgrep.dev/r/python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid", - "id": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid", - "name": "python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-20: Improper Input Validation", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.django-using-request-post-after-is-valid.django-using-request-post-after-is-valid" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi", - "id": "python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi", - "name": "python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.file.tainted-path-traversal-toml-fastapi.tainted-path-traversal-toml-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS." - }, - "help": { - "markdown": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n", - "text": "RegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp", - "id": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp", - "name": "javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk." - }, - "help": { - "markdown": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled)\n - [https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-features.html#production-ready-endpoints-exposing-endpoints)\n - [https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785](https://medium.com/walmartglobaltech/perils-of-spring-boot-actuators-misconfiguration-185c43a0f785)\n - [https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators](https://blog.maass.xyz/spring-actuator-security-part-1-stealing-secrets-using-spring-actuators)\n", - "text": "Spring Boot Actuator is fully enabled. This exposes sensitive endpoints such as /actuator/env, /actuator/logfile, /actuator/heapdump and others. Unless you have Spring Security enabled or another means to protect these endpoints, this functionality is available without authentication, causing a significant security risk." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled", - "id": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled", - "name": "java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.audit.spring-actuator-fully-enabled.spring-actuator-fully-enabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access." - }, - "help": { - "markdown": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln)\n - [https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb](https://github.com/presidentbeef/brakeman/blob/main/lib/brakeman/checks/check_without_protection.rb)\n - [https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/](https://www.acunetix.com/vulnerabilities/web/rails-mass-assignment/)\n", - "text": "Checks for calls to without_protection during mass assignment (which allows record creation from hash values). This can lead to users bypassing permissions protections. For Rails 4 and higher, mass protection is on by default. Fix: Don't use :without_protection => true. Instead, configure attr_accessible to control attribute access." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln", - "id": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln", - "name": "ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", - "LOW CONFIDENCE", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.unprotected-mass-assign.mass-assignment-vuln" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Square OAuth Secret detected" - }, - "help": { - "markdown": "Square OAuth Secret detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret)\n - [https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py](https://github.com/Yelp/detect-secrets/blob/master/tests/plugins/square_oauth_test.py)\n", - "text": "Square OAuth Secret detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret", - "id": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret", - "name": "generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-square-oauth-secret.detected-square-oauth-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks cloudflare-global-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key", - "id": "generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key", - "name": "generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.cloudflare-global-api-key.cloudflare-global-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "help": { - "markdown": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS Workspace user volume is unencrypted. The AWS KMS encryption key protects user volume. To create your own, create a aws_kms_key resource or use the ARN string of a key in your account." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted", - "id": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted", - "name": "terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-workspaces-user-volume-unencrypted.aws-workspaces-user-volume-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/827.html](https://cwe.mitre.org/data/definitions/827.html)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a Billion Laughs Attack. It is our recommendation to secure this parser against XXE attacks by configuring the SAXBuilder parser with `parser.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks. `parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")`, enabling both of `parser.setFeature(\"http://xml.org/sax/features/external-general-entities\", false)` and `parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`, and enabling both of `parser.setExpandEntities(false)` and parser.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)` It is also possible to use one of the constructor parameters that will result in a more secure parser by default: `new SAXBuilder(XMLReaders.DTDVALIDATING)` or `new SAXBuilder(XMLReaders.XSDVALIDATING)`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet", - "id": "java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet", - "name": "java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.xxe.tainted-saxbuilder-xxe-servlet.tainted-saxbuilder-xxe-servlet" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret", - "id": "python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret", - "name": "python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.webrepl.python-webrepl-hardcoded-secret.python-webrepl-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks twilio-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks twilio-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.twilio-api-key.twilio-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks twilio-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.twilio-api-key.twilio-api-key", - "id": "generic.secrets.gitleaks.twilio-api-key.twilio-api-key", - "name": "generic.secrets.gitleaks.twilio-api-key.twilio-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.twilio-api-key.twilio-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `ruamel.yaml` library is a YAML parser that is as powerful as `pickle`, using it to parse untrusted data can lead to object deserialization vulnerabilities. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader and so this parser is secure by default. If the usage of an unsafe loader is intentional, then make sure you load data only from trusted sources. If it was not intentional, don't explicitly specify `typ='unsafe'`, to use a safe loader. Before version 0.15.0, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask", - "id": "python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask", - "name": "python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-ruamel-flask.tainted-ruamel-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep)\n - [https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html](https://castor-data-binding.github.io/castor/reference-guide/reference/xml/xml-framework.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the Castor XML Framework unless you explicitly define permissions for types that are allowed to be deserialized by `Castor`." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "id": "java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "name": "java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.castor-deserialization-deepsemgrep.castor-deserialization-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input. For more information, see: [Go XSS prevention](https://semgrep.dev/docs/cheat-sheets/go-xss/)." - }, - "helpUri": "https://semgrep.dev/r/go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint", - "id": "go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint", - "name": "go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gin.xss.gin-formatted-template-string-taint.formatted-template-string-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'" - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli)\n - [https://github.com/MagicStack/asyncpg](https://github.com/MagicStack/asyncpg)\n - [https://magicstack.github.io/asyncpg/current/](https://magicstack.github.io/asyncpg/current/)\n", - "text": "Detected string concatenation with a non-literal variable in a asyncpg Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can create parameterized queries like so: 'conn.fetch(\"SELECT $1 FROM table\", value)'. You can also create prepared statements with 'Connection.prepare': 'stmt = conn.prepare(\"SELECT $1 FROM table\"); await stmt.fetch(user_value)'" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli", - "id": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli", - "name": "python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.sqli.asyncpg-sqli.asyncpg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader." - }, - "help": { - "markdown": "Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper)\n", - "text": "Found usage of 'importlib.abc.ResourceReader'. This module is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use another loader." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-textiowrapper", - "id": "python.lang.compatibility.python37.python37-compatibility-textiowrapper", - "name": "python.lang.compatibility.python37.python37-compatibility-textiowrapper", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-textiowrapper" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values." - }, - "help": { - "markdown": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket)\n - [https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)\n", - "text": "Detected public S3 bucket. This policy allows anyone to have some kind of access to the bucket. The exact level of access and types of actions allowed will depend on the configuration of bucket policy and ACLs. Please review the bucket configuration to make sure they are set with intended values." - }, - "helpUri": "https://semgrep.dev/r/json.aws.security.public-s3-bucket.public-s3-bucket", - "id": "json.aws.security.public-s3-bucket.public-s3-bucket", - "name": "json.aws.security.public-s3-bucket.public-s3-bucket", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-264: CWE CATEGORY: Permissions, Privileges, and Access Controls", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: json.aws.security.public-s3-bucket.public-s3-bucket" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable" - }, - "help": { - "markdown": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG)\n - [https://bento.dev/checks/flask/avoid-hardcoded-config/](https://bento.dev/checks/flask/avoid-hardcoded-config/)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#builtin-configuration-values)\n - [https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features](https://flask.palletsprojects.com/en/1.1.x/config/?highlight=configuration#environment-and-debug-features)\n", - "text": "Hardcoded variable `DEBUG` detected. Set this by using FLASK_DEBUG environment variable" - }, - "helpUri": "https://semgrep.dev/r/python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG", - "id": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG", - "name": "python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-489: Active Debug Code", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.security.audit.hardcoded-config.avoid_hardcoded_config_DEBUG" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "help": { - "markdown": "Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected non-static command inside Write. Audit the input to '$CW.Write'. If unverified user data can reach this call site, this is a code injection vulnerability. A malicious actor can inject a malicious script to execute arbitrary code." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.dangerous-command-write.dangerous-command-write", - "id": "go.lang.security.audit.dangerous-command-write.dangerous-command-write", - "name": "go.lang.security.audit.dangerous-command-write.dangerous-command-write", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.dangerous-command-write.dangerous-command-write" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli)\n - [https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries](https://github.com/jeremyevans/sequel#label-Arbitrary+SQL+queries)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `DB['select * from items where name = ?', name]`" - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.sequel-sqli.sequel-sqli", - "id": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli", - "name": "ruby.aws-lambda.security.sequel-sqli.sequel-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.sequel-sqli.sequel-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions." - }, - "help": { - "markdown": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs)\n - [https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/](https://cloudsplaining.readthedocs.io/en/latest/glossary/privilege-escalation/)\n", - "text": "Ensure that actions that can result in privilege escalation are not used. These actions could potentially result in an attacker gaining full administrator access of an AWS account. Try not to use these actions." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs", - "id": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs", - "name": "terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-priv-esc-funcs.no-iam-priv-esc-funcs" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks plaid-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks plaid-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks plaid-secret-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key", - "id": "generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key", - "name": "generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.plaid-secret-key.plaid-secret-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)." - }, - "help": { - "markdown": "The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication)\n", - "text": "The application's App Transport Security (ATS) configuration allows for insecure accessing of HTTP content in WebViews. This means that connections accessed in a WebView may be accessed via HTTP, potentially leaking that data to others on the local network, or to other network devices the network traffic traverses (proxies, firewalls, load balancers, etc)." - }, - "helpUri": "https://semgrep.dev/r/swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads", - "id": "swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads", - "name": "swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.insecure-communication.ats.ats-insecure-website-load.ATS-insecure-webview-loads" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD4 hash algorithm which is considered insecure. This algorithm\nhas many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.\n" - }, - "help": { - "markdown": "Detected MD4 hash algorithm which is considered insecure. This algorithm\nhas many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.bandit.B303-4)\n", - "text": "Detected MD4 hash algorithm which is considered insecure. This algorithm\nhas many known vulnerabilities and has been deprecated. Use SHA256 or SHA3 instead.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.bandit.B303-4", - "id": "gitlab.bandit.B303-4", - "name": "gitlab.bandit.B303-4", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327", - "OWASP-A3:2017-Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Use of a Broken or Risky Cryptographic Algorithm" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Ensure FSX Lustre file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk", - "id": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk", - "name": "terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-fsx-lustre-files-ystem.aws-fsx-lustre-filesystem-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'." - }, - "help": { - "markdown": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n", - "text": "Detected subprocess function '$LOOP.subprocess_exec' with argument tainted by `event` object. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec", - "id": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec", - "name": "python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.dangerous-asyncio-exec.dangerous-asyncio-exec" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "help": { - "markdown": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'." - }, - "helpUri": "https://semgrep.dev/r/javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", - "id": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", - "name": "javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.jsonwebtoken.security.jwt-none-alg.jwt-none-alg" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious." - }, - "help": { - "markdown": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n", - "text": "Set \"rejectUnauthorized\" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. \"rejectUnauthorized\" option must be alway set to True (default value). With self -signed certificate or custom CA, use \"ca\" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious." - }, - "helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation", - "id": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation", - "name": "javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-tls-disabled-cert-validation.sequelize-tls-disabled-cert-validation" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/returntocorp/java-xxe-research](https://github.com/returntocorp/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The current configuration allows for XXE attacks through parameter entities. It is our recommendation to secure this parser against XXE attacks by configuring $PARSER with `$PARSER.setFeature(http://apache.org/xml/features/disallow-doctype-decl, true)`. Alternatively, the following configurations also provide protection against XXE attacks with parameter entities. `$PARSER.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, \"\")` `$PARSER.setFeature(\"http://xml.org/sax/features/external-parameter-entities\", false)`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities", - "id": "kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities", - "name": "kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.xxe.saxbuilder-xxe-parameter-entities.saxbuilder-xxe-parameter-entities" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted." - }, - "help": { - "markdown": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request)\n - [https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html](https://commons.apache.org/proper/commons-net/javadocs/api-3.6/org/apache/commons/net/telnet/TelnetClient.html)\n", - "text": "Checks for attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request", - "id": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request", - "name": "problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.telnet-request.telnet-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli)\n - [https://pypi.org/project/pymssql/](https://pypi.org/project/pymssql/)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `cursor.execute('SELECT * FROM projects WHERE status = %s', 'active')`" - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.security.pymssql-sqli.pymssql-sqli", - "id": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli", - "name": "python.aws-lambda.security.pymssql-sqli.pymssql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.security.pymssql-sqli.pymssql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead." - }, - "help": { - "markdown": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n", - "text": "Detected a possible YAML deserialization vulnerability. `yaml.unsafe_load`, `yaml.Loader`, `yaml.CLoader`, and `yaml.UnsafeLoader` are all known to be unsafe methods of deserializing YAML. An attacker with control over the YAML input could create special YAML input that allows the attacker to run arbitrary Python code. This would allow the attacker to steal files, download and install malware, or otherwise take over the machine. Use `yaml.safe_load` or `yaml.SafeLoader` instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load", - "id": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load", - "name": "python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.deserialization.avoid-pyyaml-load.avoid-pyyaml-load" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "help": { - "markdown": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "User data flows into the host portion of this manually-constructed URL. This could allow an attacker to send data to their own server, potentially exposing sensitive data such as cookies or authorization information sent with this request. They could also probe internal servers or other resources that the server running this code can access. (This is called server-side request forgery, or SSRF.) Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts, or hardcode the correct host." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.tainted-url-host.tainted-url-host", - "id": "python.django.security.injection.tainted-url-host.tainted-url-host", - "name": "python.django.security.injection.tainted-url-host.tainted-url-host", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.tainted-url-host.tainted-url-host" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection", - "id": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection", - "name": "javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.playwright.security.audit.playwright-evaluate-arg-injection.playwright-evaluate-arg-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.axios.hardcoded-basic-token.hardcoded-basic-token", - "id": "javascript.axios.hardcoded-basic-token.hardcoded-basic-token", - "name": "javascript.axios.hardcoded-basic-token.hardcoded-basic-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.axios.hardcoded-basic-token.hardcoded-basic-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input." - }, - "help": { - "markdown": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn)\n - [http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html](http://sekrit.de/webdocs/c/beginners-guide-away-from-scanf.html)\n", - "text": "Avoid using 'scanf()'. This function, when used improperly, does not consider buffer boundaries and can lead to buffer overflows. Use 'fgets()' instead for reading input." - }, - "helpUri": "https://semgrep.dev/r/c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn", - "id": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn", - "name": "c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-676: Use of Potentially Dangerous Function", - "LOW CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: c.lang.security.insecure-use-scanf-fn.insecure-use-scanf-fn" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative." - }, - "help": { - "markdown": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use)\n - [https://www.php.net/manual/en/intro.ftp.php](https://www.php.net/manual/en/intro.ftp.php)\n - [https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php](https://github.com/FloeDesignTechnologies/phpcs-security-audit/blob/master/Security/Sniffs/BadFunctions/FringeFunctionsSniff.php)\n", - "text": "FTP allows for unencrypted file transfers. Consider using an encrypted alternative." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.ftp-use.ftp-use", - "id": "php.lang.security.ftp-use.ftp-use", - "name": "php.lang.security.ftp-use.ftp-use", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.ftp-use.ftp-use" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks gocardless-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks gocardless-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks gocardless-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token", - "id": "generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token", - "name": "generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.gocardless-api-token.gocardless-api-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg", - "id": "java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg", - "name": "java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.command-injection.tainted-system-command-msg.tainted-system-command-msg" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks facebook-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks facebook-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.facebook-secret.facebook-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks facebook-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.facebook-secret.facebook-secret", - "id": "generic.secrets.gitleaks.facebook-secret.facebook-secret", - "name": "generic.secrets.gitleaks.facebook-secret.facebook-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.facebook-secret.facebook-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks hubspot-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks hubspot-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks hubspot-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key", - "id": "generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key", - "name": "generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.hubspot-api-key.hubspot-api-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment." - }, - "help": { - "markdown": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n - [https://eprint.iacr.org/2016/759.pdf](https://eprint.iacr.org/2016/759.pdf)\n - [https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf](https://www.cs.tau.ac.il/~tromer/papers/cache-joc-20090619.pdf)\n - [https://datatracker.ietf.org/doc/html/rfc9106#section-4](https://datatracker.ietf.org/doc/html/rfc9106#section-4)\n", - "text": "Prefer Argon2id where possible. Per RFC9016, section 4 IETF recommends selecting Argon2id unless you can guarantee an adversary has no direct access to the computing environment." - }, - "helpUri": "https://semgrep.dev/r/javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config", - "id": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config", - "name": "javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-916: Use of Password Hash With Insufficient Computational Effort", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.argon2.security.unsafe-argon2-config.unsafe-argon2-config" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability." - }, - "help": { - "markdown": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization)\n - [https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution](https://mbraceproject.github.io/FsPickler/tutorial.html#Disabling-Subtype-Resolution)\n", - "text": "The FsPickler is dangerous and is not recommended for data processing. Default configuration tend to insecure deserialization vulnerability." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", - "id": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", - "name": "csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fs-pickler.insecure-fspickler-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'." - }, - "help": { - "markdown": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection)\n - [https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md](https://github.com/yandex/gixy/blob/master/docs/en/plugins/httpsplitting.md)\n - [https://owasp.org/www-community/attacks/HTTP_Response_Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n", - "text": "The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\\s]+'." - }, - "helpUri": "https://semgrep.dev/r/generic.nginx.security.header-injection.header-injection", - "id": "generic.nginx.security.header-injection.header-injection", - "name": "generic.nginx.security.header-injection.header-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.nginx.security.header-injection.header-injection" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. If this wasn't intentional, it's recommended to set the Secure flag to true so that all session cookies will be by default sent over HTTPS. It is also possible to use the flask-talisman extension to enforce a secure configuration." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false", - "id": "python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false", - "name": "python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-app-config-secure-false.flask-cookie-app-config-secure-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library." - }, - "help": { - "markdown": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Data from request is passed to os.path.join() and to open(). This is a path traversal vulnerability, which can lead to sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or Path library." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join", - "id": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join", - "name": "python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-join.path-traversal-join" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`)." - }, - "help": { - "markdown": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag)\n - [https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A](https://adamj.eu/tech/2020/02/18/safely-including-data-for-javascript-in-a-django-template/?utm_campaign=Django%2BNewsletter&utm_medium=rss&utm_source=Django_Newsletter_12A)\n - [https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough](https://www.veracode.com/blog/secure-development/nodejs-template-engines-why-default-encoders-are-not-enough)\n - [https://github.com/ESAPI/owasp-esapi-js](https://github.com/ESAPI/owasp-esapi-js)\n", - "text": "Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`)." - }, - "helpUri": "https://semgrep.dev/r/generic.html-templates.security.var-in-script-tag.var-in-script-tag", - "id": "generic.html-templates.security.var-in-script-tag.var-in-script-tag", - "name": "generic.html-templates.security.var-in-script-tag.var-in-script-tag", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.html-templates.security.var-in-script-tag.var-in-script-tag" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module](https://docs.python.org/3/library/subprocess.html#using-the-subprocess-module)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. Untrusted input in a command can lead to command injection, allowing attackers to execute arbitrary commands and gain control of the system. To prevent this: 1. Avoid direct command execution: Don't run OS commands with user input directly. 2. Validate and sanitize input: Ensure input is safe by removing or escaping dangerous characters. 3. (preferred) Use safe methods: Use `subprocess.run` without `shell=True` to safely execute commands, as it doesn't call a system shell by default. If `shell=True` is necessary, properly quote and escape all input to prevent shell injection. This is a secure by default approach." - }, - "helpUri": "https://semgrep.dev/r/python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default", - "id": "python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default", - "name": "python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.os.tainted-os-command-stdlib-flask-secure-default.tainted-os-command-stdlib-flask-secure-default" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options." - }, - "help": { - "markdown": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "The application is using variables or data stores that are defined or modified by untrusted input. To prevent this vulnerability perform strict input validation of the data against an allowlist of approved options." - }, - "helpUri": "https://semgrep.dev/r/python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask", - "id": "python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask", - "name": "python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-454: External Initialization of Trusted Variables or Data Stores", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.os.tainted-dotenv-variable-flask.tainted-dotenv-variable-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3", - "id": "python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3", - "name": "python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-urllib3.tainted-flask-http-request-urllib3" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering." - }, - "help": { - "markdown": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure)\n - [https://cwe.mitre.org/data/definitions/209.html](https://cwe.mitre.org/data/definitions/209.html)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design/](https://owasp.org/Top10/A04_2021-Insecure_Design/)\n", - "text": "Stacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering." - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", - "id": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", - "name": "csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-209: Generation of Error Message Containing Sensitive Information", - "HIGH CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.stacktrace-disclosure.stacktrace-disclosure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection)\n - [https://www.php.net/manual/en/ref.exec.php](https://www.php.net/manual/en/ref.exec.php)\n - [https://www.php.net/manual/en/ref.filesystem.php](https://www.php.net/manual/en/ref.filesystem.php)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the user input, and use safe methods for executing the commands. In PHP, it is possible to use `escapeshellcmd(...)` and `escapeshellarg(...)` to correctly sanitize input when used respectively as system commands or command arguments." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-command-injection.laravel-command-injection", - "id": "php.laravel.security.laravel-command-injection.laravel-command-injection", - "name": "php.laravel.security.laravel-command-injection.laravel-command-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-command-injection.laravel-command-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2)\n - [https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py](https://github.com/vingd/libxml2-python/blob/libxml2-python-2.9.1/libxml2.py)\n - [https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/Python-bindings)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "helpUri": "https://semgrep.dev/r/python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2", - "id": "python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2", - "name": "python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.xml.tainted-flask-xml-libxml2.tainted-flask-xml-libxml2" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties." - }, - "help": { - "markdown": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection)\n - [https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md](https://github.com/nodesecurity/eslint-plugin-security/blob/3c7522ca1be800353513282867a1034c795d9eb4/docs/the-dangers-of-square-bracket-notation.md)\n", - "text": "Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties." - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.remote-property-injection.remote-property-injection", - "id": "javascript.express.security.audit.remote-property-injection.remote-property-injection", - "name": "javascript.express.security.audit.remote-property-injection.remote-property-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "LOW CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.remote-property-injection.remote-property-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information." - }, - "help": { - "markdown": "The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password)\n - [https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation](https://docs.djangoproject.com/en/3.0/topics/auth/passwords/#module-django.contrib.auth.password_validation)\n", - "text": "The password on '$MODEL' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.unvalidated-password.unvalidated-password", - "id": "python.django.security.audit.unvalidated-password.unvalidated-password", - "name": "python.django.security.audit.unvalidated-password.unvalidated-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-521: Weak Password Requirements", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.unvalidated-password.unvalidated-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this." - }, - "help": { - "markdown": "Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled)\n - [https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/](https://www.projectatomic.io/blog/2016/03/dwalsh_selinux_containers/)\n - [https://docs.docker.com/engine/reference/run/#security-configuration](https://docs.docker.com/engine/reference/run/#security-configuration)\n", - "text": "Service '$SERVICE' is explicitly disabling SELinux separation. This runs the service as an unconfined type. Remove 'label:disable' to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled", - "id": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled", - "name": "yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.selinux-separation-disabled.selinux-separation-disabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors." - }, - "help": { - "markdown": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html)\n - [https://www.npmjs.com/package/react-markdown#security](https://www.npmjs.com/package/react-markdown#security)\n", - "text": "Overwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", - "id": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", - "name": "typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.security.react-markdown-insecure-html.react-markdown-insecure-html" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "id": "javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "name": "javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.hardcoded.headers.hardcoded-github-token.hardcoded-github-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations." - }, - "help": { - "markdown": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval)\n - [https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen](https://docs.python.org/3/library/logging.config.html?highlight=security#logging.config.listen)\n", - "text": "Because portions of the logging configuration are passed through eval(), use of this function may open its users to a security risk. While the function only binds to a socket on localhost, and so does not accept connections from remote machines, there are scenarios where untrusted code could be run under the account of the process which calls listen(). To avoid this happening, use the `verify()` argument to `listen()` to prevent unrecognized configurations." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.logging.listeneval.listen-eval", - "id": "python.lang.security.audit.logging.listeneval.listen-eval", - "name": "python.lang.security.audit.logging.listeneval.listen-eval", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.logging.listeneval.listen-eval" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "help": { - "markdown": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret)\n - [https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/](https://semgrep.dev/blog/2020/hardcoded-secrets-unverified-tokens-and-other-common-jwt-mistakes/)\n", - "text": "Hardcoded JWT secret or private key is used. This is a Insufficiently Protected Credentials weakness: https://cwe.mitre.org/data/definitions/522.html Consider using an appropriate security mechanism to protect the credentials (e.g. keeping secrets in environment variables)" - }, - "helpUri": "https://semgrep.dev/r/python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret", - "id": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret", - "name": "python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-522: Insufficiently Protected Credentials", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.jwt.security.jwt-hardcode.jwt-python-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead." - }, - "help": { - "markdown": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc)\n - [https://pypi.org/project/defusedxml/](https://pypi.org/project/defusedxml/)\n - [https://docs.python.org/3/library/xml.html#xml-vulnerabilities](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)\n", - "text": "Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc", - "id": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc", - "name": "python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Do not use `math/rand`. Use `crypto/rand` instead." - }, - "help": { - "markdown": "Do not use `math/rand`. Use `crypto/rand` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#secure-random-number-generation)\n", - "text": "Do not use `math/rand`. Use `crypto/rand` instead." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.crypto.math_random.math-random-used", - "id": "go.lang.security.audit.crypto.math_random.math-random-used", - "name": "go.lang.security.audit.crypto.math_random.math-random-used", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.crypto.math_random.math-random-used" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block" - }, - "help": { - "markdown": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#http2_enabled)\n", - "text": "Use the latest version of HTTP to ensure you are benefiting from security fixes. Add `http2_enabled = true` to your appservice resource block" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2", - "id": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2", - "name": "terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", - "MEDIUM CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.appservice.appservice-enable-http2.appservice-enable-http2" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration." - }, - "help": { - "markdown": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `HttpOnly` flag is either missing or disabled. The `HttpOnly` cookie flag instructs the browser to forbid client-side JavaScript to read the cookie. If JavaScript interaction is required, you can ignore this finding. However, set the `HttpOnly` flag to `true` in all other cases. If this wasn't intentional, it's recommended to set the HttpOnly flag to true so the cookie will not be accessible through client-side scripts. This approach ensures session cookies are secure by default. It is also possible to use the flask-talisman extension to enforce a secure configuration." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false", - "id": "python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false", - "name": "python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-app-config-httponly-false.flask-cookie-app-config-httponly-false" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html](https://pandas.pydata.org/docs/reference/api/pandas.read_pickle.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_pickle()` function uses `pickle` for object deserialization and should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi", - "id": "python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi", - "name": "python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-pandas-pickle-fastapi.tainted-pandas-pickle-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "help": { - "markdown": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n", - "text": "The regular expression identified appears vulnerable to Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible, re-write the regex so as not to leverage backtracking or use a library that offers default protection against ReDoS." - }, - "helpUri": "https://semgrep.dev/r/python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask", - "id": "python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask", - "name": "python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.regex.tainted-regex-stdlib-flask.tainted-regex-stdlib-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process." - }, - "help": { - "markdown": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection)\n - [https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)\n", - "text": "User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet.security.razor-template-injection.razor-template-injection", - "id": "csharp.dotnet.security.razor-template-injection.razor-template-injection", - "name": "csharp.dotnet.security.razor-template-injection.razor-template-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet.security.razor-template-injection.razor-template-injection" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself." - }, - "help": { - "markdown": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting)\n - [https://www.owasp.org/index.php/HTTP_Response_Splitting](https://www.owasp.org/index.php/HTTP_Response_Splitting)\n", - "text": "Older Java application servers are vulnerable to HTTP response splitting, which may occur if an HTTP request can be injected with CRLF characters. This finding is reported for completeness; it is recommended to ensure your environment is not affected by testing this yourself." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.http-response-splitting.http-response-splitting", - "id": "java.lang.security.audit.http-response-splitting.http-response-splitting", - "name": "java.lang.security.audit.http-response-splitting.http-response-splitting", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.http-response-splitting.http-response-splitting" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. " - }, - "help": { - "markdown": "Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n - [https://www.regular-expressions.info/catastrophic.html](https://www.regular-expressions.info/catastrophic.html)\n", - "text": "Detected `$REQ` argument enters calls to `RegExp`. This could lead to a Regular Expression Denial of Service (ReDoS) through catastrophic backtracking. If the input is attacker controllable, this vulnerability can lead to systems being non-responsive or may crash due to ReDoS. Where possible avoid calls to `RegExp` with user input, if required ensure user input is escaped or validated. " - }, - "helpUri": "https://semgrep.dev/r/javascript.express.regexp-redos.regexp-redos", - "id": "javascript.express.regexp-redos.regexp-redos", - "name": "javascript.express.regexp-redos.regexp-redos", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.regexp-redos.regexp-redos" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." - }, - "help": { - "markdown": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape)\n - [https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates](https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/preventing_xss/preventing_xss_in_django_templates.html#html-escaping-translations-in-django-templates)\n - [https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code](https://docs.djangoproject.com/en/3.1/topics/i18n/translation/#internationalization-in-template-code)\n", - "text": "Translated strings will not be escaped when rendered in a template. This leads to a vulnerability where translators could include malicious script tags in their translations. Consider using `force_escape` to explicitly escape a translated text." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", - "id": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", - "name": "python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.audit.xss.template-blocktranslate-no-escape.template-blocktranslate-no-escape" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead." - }, - "help": { - "markdown": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion)\n - [https://cwe.mitre.org/data/definitions/704.html](https://cwe.mitre.org/data/definitions/704.html)\n", - "text": "'Integer.toHexString()' strips leading zeroes from each byte if read byte-by-byte. This mistake weakens the hash value computed since it introduces more collisions. Use 'String.format(\"%02X\", ...)' instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion", - "id": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion", - "name": "java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-704: Incorrect Type Conversion or Cast", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.bad-hexa-conversion.bad-hexa-conversion" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token", - "id": "python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token", - "name": "python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.hardcoded.headers.hardcoded-basic-token.hardcoded-basic-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM." - }, - "help": { - "markdown": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4)\n - [https://cwe.mitre.org/data/definitions/326.html](https://cwe.mitre.org/data/definitions/326.html)\n - [https://www.pycryptodome.org/src/cipher/cipher](https://www.pycryptodome.org/src/cipher/cipher)\n", - "text": "Detected ARC4 cipher algorithm which is considered insecure. This algorithm is not cryptographically secure and can be reversed easily. Use secure stream ciphers such as ChaCha20, XChaCha20 and Salsa20, or a block cipher such as AES with a block size of 128 bits. When using a block cipher, use a modern mode of operation that also provides authentication, such as GCM." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4", - "id": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4", - "name": "python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-cipher-algorithm-rc4.insecure-cipher-algorithm-rc4" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat", - "id": "java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat", - "name": "java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.ssrf.httpclient-taint-concat.httpclient-taint-concat" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. To prevent this vulnerability, validate and sanitize any input that is used to create references to file paths. Also, enforce strict file access controls. For example, choose privileges allowing public-facing applications to access only the required files." - }, - "helpUri": "https://semgrep.dev/r/python.lang.file.tainted-shelve.tainted-shelve", - "id": "python.lang.file.tainted-shelve.tainted-shelve", - "name": "python.lang.file.tainted-shelve.tainted-shelve", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.file.tainted-shelve.tainted-shelve" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask", - "id": "python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask", - "name": "python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.db.sqlalchemy-connection-flask.sqlalchemy-connection-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.xpath.tainted-xpath.tainted-xpath", - "id": "java.micronaut.xpath.tainted-xpath.tainted-xpath", - "name": "java.micronaut.xpath.tainted-xpath.tainted-xpath", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.xpath.tainted-xpath.tainted-xpath" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption." - }, - "help": { - "markdown": "`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator](https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator)\n", - "text": "`strlen(...)` returns the number of characters in a string, excluding the NUL terminator. If a string is later copied into this allocated buffer, it will trigger memory corruption." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.alloc-strlen.alloc-strlen", - "id": "cpp.lang.security.strings.alloc-strlen.alloc-strlen", - "name": "cpp.lang.security.strings.alloc-strlen.alloc-strlen", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-131: Incorrect Calculation of Buffer Size", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.alloc-strlen.alloc-strlen" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure" - }, - "help": { - "markdown": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8)\n", - "text": "The LosFormatter type is dangerous and is not recommended for data processing. Applications should stop using LosFormatter as soon as possible, even if they believe the data they're processing to be trustworthy. LosFormatter is insecure and can't be made secure" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", - "id": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", - "name": "csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "MEDIUM CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.los-formatter.insecure-losformatter-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi", - "id": "python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi", - "name": "python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.deserialization.tainted-pandas-hdf-fastapi.tainted-pandas-hdf-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Unencrypted request over HTTP detected." - }, - "help": { - "markdown": "Unencrypted request over HTTP detected.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request)\n - [https://www.npmjs.com/package/axios](https://www.npmjs.com/package/axios)\n", - "text": "Unencrypted request over HTTP detected." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.security.react-insecure-request.react-insecure-request", - "id": "typescript.react.security.react-insecure-request.react-insecure-request", - "name": "typescript.react.security.react-insecure-request.react-insecure-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.security.react-insecure-request.react-insecure-request" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks yandex-aws-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks yandex-aws-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks yandex-aws-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token", - "id": "generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token", - "name": "generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.yandex-aws-access-token.yandex-aws-access-token" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege." - }, - "help": { - "markdown": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin)\n - [https://cwe.mitre.org/data/definitions/732.html](https://cwe.mitre.org/data/definitions/732.html)\n", - "text": "Detected admin access granted in your policy. This means anyone with this policy can perform administrative actions. Instead, limit actions and resources to what you need according to least privilege." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin", - "id": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin", - "name": "terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-iam-admin-policy-ssoadmin.aws-iam-admin-policy-ssoadmin" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation](https://github.com/yaml/pyyaml/wiki/PyYAML-yaml.load(input)-Deprecation)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. PyYAML's `yaml` module is as powerful as `pickle` and so may call auny Python function. It is recommended to secure your application by using `yaml.SafeLoader` or `yaml.CSafeLoader`." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-pyyaml.tainted-pyyaml", - "id": "python.lang.deserialization.tainted-pyyaml.tainted-pyyaml", - "name": "python.lang.deserialization.tainted-pyyaml.tainted-pyyaml", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-pyyaml.tainted-pyyaml" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks." - }, - "help": { - "markdown": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Insecure HostnameVerifier implementation detected. This will accept any SSL certificate with any hostname, which creates the possibility for man-in-the-middle attacks." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier", - "id": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier", - "name": "java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.insecure-hostname-verifier.insecure-hostname-verifier" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source." - }, - "help": { - "markdown": "The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions)\n - [https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/](https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/)\n", - "text": "The AWS configuration aggregator does not aggregate all AWS Config region. This may result in unmonitored configuration in regions that are thought to be unused. Configure the aggregator with all_regions for the source." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions", - "id": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions", - "name": "terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-778: Insufficient Logging", - "HIGH CONFIDENCE", - "OWASP-A09:2021 - Security Logging and Monitoring Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-config-aggregator-not-all-regions.aws-config-aggregator-not-all-regions" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"" - }, - "help": { - "markdown": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls)\n - [https://node-postgres.com/features/ssl](https://node-postgres.com/features/ssl)\n - [https://nodejs.org/api/tls.html#tls_class_tls_tlssocket](https://nodejs.org/api/tls.html#tls_class_tls_tlssocket)\n - [https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options](https://nodejs.org/api/tls.html#tls_tls_createsecurecontext_options)\n - [https://nodejs.org/api/tls.html#tls_tls_default_min_version](https://nodejs.org/api/tls.html#tls_tls_default_min_version)\n", - "text": "If TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set \"ssl: true\" or define settings \"ssl: {...}\"" - }, - "helpUri": "https://semgrep.dev/r/javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls", - "id": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls", - "name": "javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sequelize.security.audit.sequelize-enforce-tls.sequelize-enforce-tls" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret", - "id": "javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret", - "name": "javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.pg.node-pg-pool-hardcoded-secret.node-pg-pool-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi)\n - [https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems](https://docs.pyfilesystem.org/en/latest/guide.html#opening-filesystems)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi", - "id": "python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi", - "name": "python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.file.tainted-path-traversal-fs-fastapi.tainted-path-traversal-fs-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information." - }, - "help": { - "markdown": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string)\n - [https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html](https://nedbatchelder.com/blog/201206/eval_really_is_dangerous.html)\n", - "text": "Found user data in a call to 'eval'. This is extremely dangerous because it can enable an attacker to execute remote code. See https://owasp.org/www-community/attacks/Code_Injection for more information." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.code.user-eval-format-string.user-eval-format-string", - "id": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string", - "name": "python.django.security.injection.code.user-eval-format-string.user-eval-format-string", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.code.user-eval-format-string.user-eval-format-string" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. The best defense against XXE is to have an XML parser that supports disabling DTDs. Limiting the use of external entities from the start can prevent the parser from being used to process untrusted XML files. Reducing dependencies on external resources is also a good practice for performance reasons. It is difficult to guarantee that even a trusted XML file on your server or during transmission has not been tampered with by a malicious third-party." - }, - "helpUri": "https://semgrep.dev/r/go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint", - "id": "go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint", - "name": "go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.gorilla.xxe.gorilla-libxml2-xxe-taint.libxml2-xxe-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention." - }, - "help": { - "markdown": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n", - "text": "XMLDecoder should not be used to parse untrusted data. Deserializing user input can lead to arbitrary code execution. Use an alternative and explicitly disable external entities. See https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html for alternatives and vulnerability prevention." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xml-decoder.xml-decoder", - "id": "java.lang.security.audit.xml-decoder.xml-decoder", - "name": "java.lang.security.audit.xml-decoder.xml-decoder", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "LOW CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xml-decoder.xml-decoder" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly." - }, - "help": { - "markdown": "The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "The use of the insecure DES/3DES encryption algorithm(s) were detected. DES is deprecated and considered insecure. The application should leverage more suitable algorithms such as AES in GCM mode, or ChaChaPoly." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des", - "id": "swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des", - "name": "swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-algorithm-des.insecure-crypto-algorithm-des" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hardcoded secret is identified." - }, - "help": { - "markdown": "A hardcoded secret is identified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_secret)\n", - "text": "A hardcoded secret is identified." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_secret", - "id": "mobsf.mobsfscan.android.secrets.hardcoded_secret", - "name": "mobsf.mobsfscan.android.secrets.hardcoded_secret", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-798", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.secrets.hardcoded_secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html](https://pandas.pydata.org/docs/reference/api/pandas.read_hdf.html)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://redfoxsec.com/blog/insecure-deserialization-in-python/](https://redfoxsec.com/blog/insecure-deserialization-in-python/)\n - [https://www.exploit-db.com/exploits/49585](https://www.exploit-db.com/exploits/49585)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `pandas.read_hdf()` function uses `pickle` when the `fixed` format is used during serializing. This function should not be used with untrusted data." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-pandas-hdf-aws-lambda.tainted-pandas-hdf-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks huggingface-organization-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks huggingface-organization-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks huggingface-organization-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token", - "id": "generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token", - "name": "generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.huggingface-organization-api-token.huggingface-organization-api-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping." - }, - "help": { - "markdown": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected)\n - [https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping](https://docs.makotemplates.org/en/latest/syntax.html#expression-escaping)\n - [https://jinja.palletsprojects.com/en/2.11.x/intro/#](https://jinja.palletsprojects.com/en/2.11.x/intro/#)\n", - "text": "Mako templates do not provide a global HTML escaping mechanism. This means you must escape all sensitive data in your templates using '| u' for URL escaping or '| h' for HTML escaping. If you are using Mako to serve web content, consider using a system such as Jinja2 which enables global escaping." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.mako-templates-detected.mako-templates-detected", - "id": "python.lang.security.audit.mako-templates-detected.mako-templates-detected", - "name": "python.lang.security.audit.mako-templates-detected.mako-templates-detected", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.mako-templates-detected.mako-templates-detected" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index." - }, - "help": { - "markdown": "The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos)\n - [https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow](https://wiki.sei.cmu.edu/confluence/display/cplusplus/CTR55-CPP.+Do+not+use+an+additive+operator+on+an+iterator+if+the+result+would+overflow)\n", - "text": "The return value of `$VAR.$NPOS_CALL(...)` has been modified so it can never equal `std::string::npos`. This could lead to an `std::out_of_range` exception being thrown or trigger an out-of-bounds read if the position is used as an array index." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.std-string-npos.std-string-npos", - "id": "cpp.lang.security.strings.std-string-npos.std-string-npos", - "name": "cpp.lang.security.strings.std-string-npos.std-string-npos", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.std-string-npos.std-string-npos" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'." - }, - "help": { - "markdown": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.nan-injection.nan-injection)\n - [https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868](https://discuss.python.org/t/nan-breaks-min-max-and-sorting-functions-a-solution/2868)\n - [https://blog.bitdiscovery.com/2021/12/python-nan-injection/](https://blog.bitdiscovery.com/2021/12/python-nan-injection/)\n", - "text": "Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefind behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.nan-injection.nan-injection", - "id": "python.django.security.nan-injection.nan-injection", - "name": "python.django.security.nan-injection.nan-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-704: Incorrect Type Conversion or Cast", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.nan-injection.nan-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'" - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli)\n - [https://www.psycopg.org/docs/sql.html](https://www.psycopg.org/docs/sql.html)\n", - "text": "Detected string concatenation with a non-literal variable in a psycopg2 Python SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use prepared statements by creating a 'sql.SQL' string. You can also use the pyformat binding style to create parameterized queries. For example: 'cur.execute(SELECT * FROM table WHERE name=%s, user_input)'" - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli", - "id": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli", - "name": "python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.sqli.psycopg-sqli.psycopg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse." - }, - "help": { - "markdown": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse)\n - [https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss](https://django-book.readthedocs.io/en/latest/chapter20.html#cross-site-scripting-xss)\n", - "text": "Found user-controlled request data being passed into a file open, which is them passed as an argument into the FileResponse. This is dangerous because an attacker could specify an arbitrary file to read, which could result in leaking important data. Be sure to validate or sanitize the user-inputted filename in the request data before using it in FileResponse." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.request-data-fileresponse.request-data-fileresponse", - "id": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse", - "name": "python.django.security.injection.request-data-fileresponse.request-data-fileresponse", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.request-data-fileresponse.request-data-fileresponse" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information." - }, - "help": { - "markdown": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected)\n - [https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt](https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)\n", - "text": "Detected use of the wildcard character in a system call that spawns a shell. This subjects the wildcard to normal shell expansion, which can have unintended consequences if there exist any non-standard file names. Consider a file named '-e sh script.sh' -- this will execute a script when 'rsync' is called. See https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt for more information." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.system-wildcard-detected.system-wildcard-detected", - "id": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected", - "name": "python.lang.security.audit.system-wildcard-detected.system-wildcard-detected", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-155: Improper Neutralization of Wildcards or Matching Symbols", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.system-wildcard-detected.system-wildcard-detected" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret", - "id": "python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret", - "name": "python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.mariadb.python-mariadb-hardcoded-secret.python-mariadb-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement." - }, - "help": { - "markdown": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://web.dev/articles/samesite-cookies-explained](https://web.dev/articles/samesite-cookies-explained)\n", - "text": "Detected a cookie options with the `SameSite` flag set to \"None\". This is a potential security risk that arises from the way web browsers manage cookies. In a typical web application, cookies are used to store and transmit session-related data between a client and a server. To enhance security, cookies can be marked with the \"SameSite\" attribute, which restricts their usage based on the origin of the page that set them. This attribute can have three values: \"Strict,\" \"Lax,\" or \"None\". Make sure the `SameSite` attribute of the important cookies (e.g., session cookie) is set to a reasonable value. When `SameSite` is set to \"Strict\", no 3rd party cookie will be sent with outgoing requests, this is the most secure and private setting but harder to deploy with good usability. Setting it to \"Lax\" is the minimum requirement." - }, - "helpUri": "https://semgrep.dev/r/java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none", - "id": "java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none", - "name": "java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.micronaut.audit.cookies.cookie-samesite-none.cookie-samesite-none" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "help": { - "markdown": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4)\n - [https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms](https://www.pycryptodome.org/src/hash/hash#modern-hash-algorithms)\n - [https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html](https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html)\n - [https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability](https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/sha-1-collision-signals-the-end-of-the-algorithm-s-viability)\n - [http://2012.sharcs.org/slides/stevens.pdf](http://2012.sharcs.org/slides/stevens.pdf)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n", - "text": "Detected MD4 hash algorithm which is considered insecure. MD4 is not collision resistant and is therefore not suitable as a cryptographic signature. Use a modern hash algorithm from the SHA-2, SHA-3, or BLAKE2 family instead." - }, - "helpUri": "https://semgrep.dev/r/python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4", - "id": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4", - "name": "python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pycryptodome.security.insecure-hash-algorithm-md4.insecure-hash-algorithm-md4" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The file is World Readable. Any App can read from the file." - }, - "help": { - "markdown": "The file is World Readable. Any App can read from the file.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_readable)\n", - "text": "The file is World Readable. Any App can read from the file." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.word_readable_writable.world_readable", - "id": "mobsf.mobsfscan.android.word_readable_writable.world_readable", - "name": "mobsf.mobsfscan.android.word_readable_writable.world_readable", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-276", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.word_readable_writable.world_readable" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode." - }, - "help": { - "markdown": "The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback)\n - [https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication](https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06f-testing-local-authentication)\n", - "text": "The application was observed to store keychain items that leverage user authentication but allow the passcode fallback. Biometric modalities are considered more secure than 4 or 6 digit pincodes on iOS, and should be preferred over the passcode." - }, - "helpUri": "https://semgrep.dev/r/swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback", - "id": "swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback", - "name": "swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-272: Least Privilege Violation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.biometrics-and-auth.pass-fallback.keychain-passcode-fallback" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint)\n - [https://docs.rs/reqwest/latest/reqwest/](https://docs.rs/reqwest/latest/reqwest/)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/rust.rocket.ssrf.reqwest-taint.reqwest-taint", - "id": "rust.rocket.ssrf.reqwest-taint.reqwest-taint", - "name": "rust.rocket.ssrf.reqwest-taint.reqwest-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "HIGH CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.rocket.ssrf.reqwest-taint.reqwest-taint" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl", - "id": "python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl", - "name": "python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-pycurl.tainted-fastapi-http-request-pycurl" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) We do not recommend deserializing untrusted data with the `ObjectInputStream`. If you must, you can try overriding the `ObjectInputStream#resolveClass()` method or using a safe replacement for the generic `readObject()` method." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring", - "id": "java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring", - "name": "java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.objectinputstream-deserialization-spring.objectinputstream-deserialization-spring" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS." - }, - "help": { - "markdown": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "The AWS EBS is unencrypted. The AWS EBS encryption protects data in the EBS." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted", - "id": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted", - "name": "terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ebs-unencrypted.aws-ebs-unencrypted" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this." - }, - "help": { - "markdown": "Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges)\n - [https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/](https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n", - "text": "Service '$SERVICE' allows for privilege escalation via setuid or setgid binaries. Add 'no-new-privileges:true' in 'security_opt' to prevent this." - }, - "helpUri": "https://semgrep.dev/r/yaml.docker-compose.security.no-new-privileges.no-new-privileges", - "id": "yaml.docker-compose.security.no-new-privileges.no-new-privileges", - "name": "yaml.docker-compose.security.no-new-privileges.no-new-privileges", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "LOW CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.docker-compose.security.no-new-privileges.no-new-privileges" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped." - }, - "help": { - "markdown": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n", - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter", - "id": "cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter", - "name": "cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.ldap.ldap-injection-filter.ldap-injection-filter" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. To build SQL queries safely in PHP, it is possible to adopt prepared statements by using `PDO` with bind variables using `bindParam()`." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection", - "id": "php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection", - "name": "php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-native-sql-injection.laravel-native-sql-injection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf" - }, - "help": { - "markdown": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full)\n - [https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0](https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.typefilterlevel?view=net-6.0)\n - [https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html](https://www.synacktiv.com/en/publications/izi-izi-pwn2own-ics-miami.html)\n", - "text": "Using a .NET remoting service can lead to RCE, even if you try to configure TypeFilterLevel. Recommended to switch from .NET Remoting to WCF https://docs.microsoft.com/en-us/dotnet/framework/wcf/migrating-from-net-remoting-to-wcf" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full", - "id": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full", - "name": "csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.insecure-typefilterlevel-full.insecure-typefilterlevel-full" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources." - }, - "help": { - "markdown": "Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/resource-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMPermissionsManagement.py)\n", - "text": "Ensure IAM policies don't allow resource exposure. These actions can expose AWS resources to the public. For example `ecr:SetRepositoryPolicy` could let an attacker retrieve container images. Instead, use another action that doesn't expose AWS resources." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure", - "id": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure", - "name": "terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-resource-exposure.no-iam-resource-exposure" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application." - }, - "help": { - "markdown": "Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n", - "text": "Path traversal may allow malicious actors to access file content not intended to be exposed to them. For example a user may be able to access sensitive secrets stored within app files (e.g. UserDefaults/Plists/.etc.). Alternatively, users with access to a victim's phone may be able to obtain senstivie data persisted by the application." - }, - "helpUri": "https://semgrep.dev/r/swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal", - "id": "swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal", - "name": "swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-35: Path Traversal", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.pathtraversal.filemanager-pathtraversal.swift-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url)\n - [https://docs.rs/sqlx/latest/sqlx/](https://docs.rs/sqlx/latest/sqlx/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.sqlx.pg-connection-url.pg-connection-url", - "id": "rust.secrets.sqlx.pg-connection-url.pg-connection-url", - "name": "rust.secrets.sqlx.pg-connection-url.pg-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.sqlx.pg-connection-url.pg-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2." - }, - "help": { - "markdown": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy)\n - [https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account#min_tls_version)\n - [https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version](https://docs.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version)\n", - "text": "Azure Storage currently supports three versions of the TLS protocol: 1.0, 1.1, and 1.2. Azure Storage uses TLS 1.2 on public HTTPS endpoints, but TLS 1.0 and TLS 1.1 are still supported for backward compatibility. This check will warn if the minimum TLS is not set to TLS1_2." - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy", - "id": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy", - "name": "terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.storage.storage-use-secure-tls-policy.storage-use-secure-tls-policy" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure EBS Volume is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk", - "id": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk", - "name": "terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ebs-volume-encrypted-with-cmk.aws-ebs-volume-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Function sweepToken is allowed to be called by anyone" - }, - "help": { - "markdown": "Function sweepToken is allowed to be called by anyone\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted)\n - [https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2](https://medium.com/chainsecurity/trueusd-compound-vulnerability-bc5b696d29e2)\n - [https://chainsecurity.com/security-audit/compound-ctoken/](https://chainsecurity.com/security-audit/compound-ctoken/)\n - [https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/](https://blog.openzeppelin.com/compound-comprehensive-protocol-audit/)\n - [https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f](https://etherscan.io/address/0xa035b9e130f2b1aedc733eefb1c67ba4c503491f)\n", - "text": "Function sweepToken is allowed to be called by anyone" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted", - "id": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted", - "name": "solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.compound-sweeptoken-not-restricted.compound-sweeptoken-not-restricted" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "help": { - "markdown": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "XPath queries are constructed dynamically on user-controlled input. This could lead to XPath injection if variables passed into the evaluate or compile commands are not properly sanitized. Xpath injection could lead to unauthorized access to sensitive information in XML documents. Thoroughly sanitize user input or use parameterized XPath queries if you can." - }, - "helpUri": "https://semgrep.dev/r/java.spring.xpath.tainted-xpath.tainted-xpath", - "id": "java.spring.xpath.tainted-xpath.tainted-xpath", - "name": "java.spring.xpath.tainted-xpath.tainted-xpath", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.xpath.tainted-xpath.tainted-xpath" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi)\n - [https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text](https://docs.sqlalchemy.org/en/20/core/sqlelement.html#sqlalchemy.sql.expression.text)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Use the SQLAlchemy ORM provided functions to build SQL queries instead to avoid SQL injection." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi", - "id": "python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi", - "name": "python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.db.sqlalchemy-fastapi.sqlalchemy-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "You should probably use Filename.get_temp_dirname()." - }, - "help": { - "markdown": "You should probably use Filename.get_temp_dirname().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string)\n", - "text": "You should probably use Filename.get_temp_dirname()." - }, - "helpUri": "https://semgrep.dev/r/ocaml.lang.portability.slash-tmp.not-portable-tmp-string", - "id": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string", - "name": "ocaml.lang.portability.slash-tmp.not-portable-tmp-string", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: ocaml.lang.portability.slash-tmp.not-portable-tmp-string" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection." - }, - "help": { - "markdown": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation)\n - [https://www.oracle.com/java/technologies/javase/tlsreadme.html](https://www.oracle.com/java/technologies/javase/tlsreadme.html)\n", - "text": "Checks for cases where java applications are allowing unsafe renegotiation. This leaves the application vulnerable to a man-in-the-middle attack where chosen plain text is injected as prefix to a TLS connection." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation", - "id": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation", - "name": "problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.java-stdlib.tls-renegotiation.tls-renegotiation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret", - "id": "csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret", - "name": "csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.jwt-dotnet.jwt-dotnet-hardcoded-secret.jwt-dotnet-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." - }, - "help": { - "markdown": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection)\n - [https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security](https://blog.gopheracademy.com/advent-2017/go-grpc-beyond-basics/#:~:text=disables%20transport%20security)\n", - "text": "Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine." - }, - "helpUri": "https://semgrep.dev/r/javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", - "id": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", - "name": "javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.grpc.security.grpc-nodejs-insecure-connection.grpc-nodejs-insecure-connection" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Found a Pyramid cookie using an unsafe value for the samesite option. Pyramid cookies should be handled securely by setting samesite='Lax' in response.set_cookie(...). If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default", - "id": "python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default", - "name": "python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1275: Sensitive Cookie with Improper SameSite Attribute", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.set-cookie-samesite-unsafe-default.pyramid-set-cookie-samesite-unsafe-default" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks coinbase-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks coinbase-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks coinbase-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token", - "id": "generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token", - "name": "generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.coinbase-access-token.coinbase-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure EFS filesystem is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk", - "id": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk", - "name": "terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-efs-filesystem-encrypted-with-cmk.aws-efs-filesystem-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker" - }, - "help": { - "markdown": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal)\n - [https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall](https://docs.python.org/3/library/tarfile.html#tarfile.TarFile.extractall)\n", - "text": "Possible path traversal through `tarfile.open($PATH).extractall()` if the source tar is controlled by an attacker" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal", - "id": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal", - "name": "trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.python.tarfile-extractall-traversal.tarfile-extractall-traversal" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API." - }, - "help": { - "markdown": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method)\n - [https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl](https://docs.angularjs.org/api/ng/service/$sce#trustAsUrl)\n - [https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf](https://owasp.org/www-chapter-london/assets/slides/OWASPLondon20170727_AngularJS.pdf)\n", - "text": "The use of $translateProvider.translations method can be dangerous if user input is provided to this API." - }, - "helpUri": "https://semgrep.dev/r/javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method", - "id": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method", - "name": "javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.angular.security.detect-third-party-angular-translate.detect-angular-translateprovider-translations-method" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password)\n - [https://docs.rs/postgres/latest/postgres/](https://docs.rs/postgres/latest/postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.postgres.hardcoded-password.hardcoded-password", - "id": "rust.secrets.postgres.hardcoded-password.hardcoded-password", - "name": "rust.secrets.postgres.hardcoded-password.hardcoded-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.postgres.hardcoded-password.hardcoded-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`." - }, - "help": { - "markdown": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password)\n - [https://tools.ietf.org/html/rfc6151](https://tools.ietf.org/html/rfc6151)\n - [https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision](https://crypto.stackexchange.com/questions/44151/how-does-the-flame-malware-take-advantage-of-md5-collision)\n - [https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html](https://pycryptodome.readthedocs.io/en/latest/src/hash/sha3_256.html)\n - [https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords)\n - [https://github.com/returntocorp/semgrep-rules/issues/1609](https://github.com/returntocorp/semgrep-rules/issues/1609)\n - [https://docs.python.org/3/library/hashlib.html#hashlib.scrypt](https://docs.python.org/3/library/hashlib.html#hashlib.scrypt)\n", - "text": "It looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as scrypt. You can use `hashlib.scrypt`." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.md5-used-as-password.md5-used-as-password", - "id": "python.lang.security.audit.md5-used-as-password.md5-used-as-password", - "name": "python.lang.security.audit.md5-used-as-password.md5-used-as-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.md5-used-as-password.md5-used-as-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML." - }, - "help": { - "markdown": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property)\n - [https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html](https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html)\n", - "text": "Detection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML." - }, - "helpUri": "https://semgrep.dev/r/typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property", - "id": "typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property", - "name": "typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.react.security.audit.react-unsanitized-property.react-unsanitized-property" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response." - }, - "help": { - "markdown": "Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure)\n - [https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/](https://cloudsplaining.readthedocs.io/en/latest/glossary/credentials-exposure/)\n - [https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py](https://github.com/bridgecrewio/checkov/blob/ca830e14745c2c8e1b941985f305abe985d7f1f9/checkov/terraform/checks/data/aws/IAMCredentialsExposure.py)\n", - "text": "Ensure IAM policies don't allow credentials exposure. Credentials exposure actions return credentials as part of the API response, and can possibly lead to leaking important credentials. Instead, use another action that doesn't return sensitive data as part of the API response." - }, - "helpUri": "https://semgrep.dev/r/terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure", - "id": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure", - "name": "terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.lang.security.iam.no-iam-creds-exposure.no-iam-creds-exposure" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string." - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring)\n - [https://cwe.mitre.org/data/definitions/134.html](https://cwe.mitre.org/data/definitions/134.html)\n", - "text": "Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string." - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring", - "id": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring", - "name": "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-134: Use of Externally-Controlled Format String", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks sendgrid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks sendgrid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks sendgrid-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token", - "id": "generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token", - "name": "generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.sendgrid-api-token.sendgrid-api-token" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks twitter-access-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks twitter-access-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks twitter-access-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret", - "id": "generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret", - "name": "generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.twitter-access-secret.twitter-access-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead." - }, - "help": { - "markdown": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context", - "id": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context", - "name": "python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.insecure-transport.requests.request-session-http-in-with-context.request-session-http-in-with-context" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`" - }, - "help": { - "markdown": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n", - "text": "Detected SQL statement that is tainted by `event` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])`" - }, - "helpUri": "https://semgrep.dev/r/ruby.aws-lambda.security.pg-sqli.pg-sqli", - "id": "ruby.aws-lambda.security.pg-sqli.pg-sqli", - "name": "ruby.aws-lambda.security.pg-sqli.pg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.aws-lambda.security.pg-sqli.pg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Consuming CDNs without including a SubResource Integrity (SRI) can expose your application and its users to compromised code. SRIs allow you to consume specific versions of content where if even a single byte is compromised, the resource will not be loaded. Add an integrity attribute to your ` is not properly encoded." - }, - "help": { - "markdown": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Unencoded JSON in HTML context is vulnerable to cross-site scripting, because `` is not properly encoded." - }, - "helpUri": "https://semgrep.dev/r/csharp.razor.security.html-raw-json.html-raw-json", - "id": "csharp.razor.security.html-raw-json.html-raw-json", - "name": "csharp.razor.security.html-raw-json.html-raw-json", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.razor.security.html-raw-json.html-raw-json" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data." - }, - "help": { - "markdown": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request)\n - [https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection](https://sensei.securecodewarrior.com/recipes/scw%3Ajava%3ALDAP-injection)\n", - "text": "Detected input from a HTTPServletRequest going into an LDAP query. This could lead to LDAP injection if the input is not properly sanitized, which could result in attackers modifying objects in the LDAP tree structure. Ensure data passed to an LDAP query is not controllable or properly sanitize the data." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", - "id": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", - "name": "java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.tainted-ldapi-from-http-request.tainted-ldapi-from-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure FSX ONTAP file system is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk", - "id": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk", - "name": "terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-fsx-ontapfs-encrypted-with-cmk.aws-fsx-ontapfs-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password", - "id": "python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password", - "name": "python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pymssql.python-pymssql-empty-password.python-pymssql-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hardcoded username in plain text is identified." - }, - "help": { - "markdown": "A hardcoded username in plain text is identified.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_username)\n", - "text": "A hardcoded username in plain text is identified." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.android.secrets.hardcoded_username", - "id": "mobsf.mobsfscan.android.secrets.hardcoded_username", - "name": "mobsf.mobsfscan.android.secrets.hardcoded_username", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-798", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.android.secrets.hardcoded_username" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming." - }, - "help": { - "markdown": "'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "'syscall' is essentially unsafe and unportable. The DL (https://apidock.com/ruby/Fiddle) library is preferred for safer and a bit more portable programming." - }, - "helpUri": "https://semgrep.dev/r/ruby.lang.security.dangerous-syscall.dangerous-syscall", - "id": "ruby.lang.security.dangerous-syscall.dangerous-syscall", - "name": "ruby.lang.security.dangerous-syscall.dangerous-syscall", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.lang.security.dangerous-syscall.dangerous-syscall" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key", - "id": "javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key", - "name": "javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.crypto.symmetric-hardcoded-key.symmetric-hardcoded-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter." - }, - "help": { - "markdown": "X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter." - }, - "helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled", - "id": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled", - "name": "typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-xss-disabled.nestjs-header-xss-disabled" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. Validate the user input, perform contextual output encoding, or sanitize the input. If you have to use dangerouslySetInnerHTML, consider using a sanitization library such as DOMPurify to sanitize the HTML within." - }, - "helpUri": "https://semgrep.dev/r/typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs", - "id": "typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs", - "name": "typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nextjs.react-nextjs-router-refs.react-nextjs-router-refs" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets)\n - [https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html)\n - [https://owasp.org/www-community/attacks/SQL_Injection](https://owasp.org/www-community/attacks/SQL_Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid if possible to use it to construct the NoSQL statement." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.nosql-injection-servlets.nosql-injection-servlets", - "id": "java.servlets.security.nosql-injection-servlets.nosql-injection-servlets", - "name": "java.servlets.security.nosql-injection-servlets.nosql-injection-servlets", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.nosql-injection-servlets.nosql-injection-servlets" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read." - }, - "help": { - "markdown": "A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions](https://wiki.sei.cmu.edu/confluence/display/c/STR38-C.+Do+not+confuse+narrow+and+wide+character+strings+and+functions)\n", - "text": "A byte-string (narrow string) is used in an API that expects a wide-string. This can trigger an out-of-bounds read." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch", - "id": "cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch", - "name": "cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.narrow-to-wide-string-mismatch.narrow-to-wide-string-mismatch" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "help": { - "markdown": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure EMR is encrypted at rest using KMS CMKs. CMKs gives you control over the encryption key in terms of access and rotation." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk", - "id": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk", - "name": "terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-320: CWE CATEGORY: Key Management Errors", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-emr-encrypted-with-cmk.aws-emr-encrypted-with-cmk" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks finnhub-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks finnhub-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks finnhub-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token", - "id": "generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token", - "name": "generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.finnhub-access-token.finnhub-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe" - }, - "help": { - "markdown": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization)\n - [https://github.com/mgholam/fastJSON#security-warning-update](https://github.com/mgholam/fastJSON#security-warning-update)\n", - "text": "$type extension has the potential to be unsafe, so use it with common sense and known json sources and not public facing ones to be safe" - }, - "helpUri": "https://semgrep.dev/r/csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization", - "id": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization", - "name": "csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.lang.security.insecure-deserialization.fast-json.insecure-fastjson-deserialization" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input." - }, - "help": { - "markdown": "Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal)\n - [https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af](https://medium.com/@emmapinheiro42/php-include-ignore-4a3ba81371af)\n - [https://www.acunetix.com/websitesecurity/php-security-2/](https://www.acunetix.com/websitesecurity/php-security-2/)\n", - "text": "Detected user input going into a php include or require command, which can lead to path traversal and sensitive data being exposed. These commands can also lead to code execution. Instead, allowlist files that the user can access or rigorously validate user input." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.tainted-path-traversal.tainted-path-traversal", - "id": "php.lang.security.tainted-path-traversal.tainted-path-traversal", - "name": "php.lang.security.tainted-path-traversal.tainted-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-23: Relative Path Traversal", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.tainted-path-traversal.tainted-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions." - }, - "help": { - "markdown": "Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2)\n", - "text": "Found 'importlib.resources', which is a module only available on Python 3.7+. This does not work in lower versions, and therefore is not backwards compatible. Use importlib_resources instead for older Python versions." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-importlib2", - "id": "python.lang.compatibility.python37.python37-compatibility-importlib2", - "name": "python.lang.compatibility.python37.python37-compatibility-importlib2", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-importlib2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");" - }, - "help": { - "markdown": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html#custom-algorithms)\n", - "text": "Cryptographic algorithms are notoriously difficult to get right. By implementing a custom message digest, you risk introducing security issues into your program. Use one of the many sound message digests already available to you: MessageDigest sha256Digest = MessageDigest.getInstance(\"SHA256\");" - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests", - "id": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests", - "name": "java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.ssl.avoid-implementing-custom-digests.avoid-implementing-custom-digests" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code." - }, - "help": { - "markdown": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args)\n - [https://bugs.python.org/issue43472](https://bugs.python.org/issue43472)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Found user controlled content in `run_string`. This is dangerous because it allows a malicious actor to run arbitrary Python code." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args", - "id": "python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args", - "name": "python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-subinterpreters-run-string-tainted-env-args.dangerous-subinterpreters-run-string-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here." - }, - "help": { - "markdown": "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe)\n - [https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown](https://github.com/presidentbeef/brakeman/blob/main/docs/warning_types/cross_site_scripting/index.markdown)\n - [https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/](https://www.netsparker.com/blog/web-security/preventing-xss-ruby-on-rails-web-applications/)\n", - "text": "'html_safe()' does not make the supplied string safe. 'html_safe()' bypasses HTML escaping. If external data can reach here, this exposes your application to cross-site scripting (XSS) attacks. Ensure no external data reaches here." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe", - "id": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe", - "name": "ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.xss.avoid-html-safe.avoid-html-safe" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "help": { - "markdown": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request)\n - [https://godoc.org/github.com/levigross/grequests#DoRegularRequest](https://godoc.org/github.com/levigross/grequests#DoRegularRequest)\n - [https://github.com/levigross/grequests](https://github.com/levigross/grequests)\n", - "text": "Checks for requests to http (unencrypted) sites using grequests, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request", - "id": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request", - "name": "problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.grequests-http-request.grequests-http-request" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template." - }, - "help": { - "markdown": "Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js)\n - [https://golang.org/pkg/html/template/#JS](https://golang.org/pkg/html/template/#JS)\n", - "text": "Found a formatted template string passed to 'template.JS()'. 'template.JS()' does not escape contents. Be absolutely sure there is no user-controlled data in this template." - }, - "helpUri": "https://semgrep.dev/r/go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js", - "id": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js", - "name": "go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.lang.security.audit.net.unescaped-data-in-js.unescaped-data-in-js" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read." - }, - "help": { - "markdown": "The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string](https://wiki.sei.cmu.edu/confluence/display/c/STR32-C.+Do+not+pass+a+non-null-terminated+character+sequence+to+a+library+function+that+expects+a+string)\n", - "text": "The string returned from `std::string_view.data()` is not guaranteed to be NULL terminated. This expression expects a NULL terminated string and will trigger an out-of-bounds read." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator", - "id": "cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator", - "name": "cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-125: Out-of-bounds Read", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.strings.string-view-data-null-terminator.string-view-data-null-terminator" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. " - }, - "help": { - "markdown": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html)\n", - "text": "The following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse. " - }, - "helpUri": "https://semgrep.dev/r/javascript.express.security.audit.express-ssrf.express-ssrf", - "id": "javascript.express.security.audit.express-ssrf.express-ssrf", - "name": "javascript.express.security.audit.express-ssrf.express-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.express.security.audit.express-ssrf.express-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library." - }, - "help": { - "markdown": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n", - "text": "Found request data in a call to 'open'. Ensure the request data is validated or sanitized, otherwise it could result in path traversal attacks and therefore sensitive data being leaked. To mitigate, consider using os.path.abspath or os.path.realpath or the pathlib library." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open", - "id": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open", - "name": "python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.path-traversal.path-traversal-open.path-traversal-open" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "setMultipleAllowances() is missing onlyOwner modifier" - }, - "help": { - "markdown": "setMultipleAllowances() is missing onlyOwner modifier\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control)\n - [https://twitter.com/danielvf/status/1494317265835147272](https://twitter.com/danielvf/status/1494317265835147272)\n - [https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8](https://etherscan.io/address/0x876b9ebd725d1fa0b879fcee12560a6453b51dc8)\n - [https://play.secdim.com/game/dapp/challenge/rigoownsol](https://play.secdim.com/game/dapp/challenge/rigoownsol)\n", - "text": "setMultipleAllowances() is missing onlyOwner modifier" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control", - "id": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control", - "name": "solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.rigoblock-missing-access-control.rigoblock-missing-access-control" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "help": { - "markdown": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request)\n - [https://godoc.org/github.com/dghubble/sling#Sling.Add](https://godoc.org/github.com/dghubble/sling#Sling.Add)\n - [https://github.com/dghubble/sling](https://github.com/dghubble/sling)\n", - "text": "Checks for requests to http (unencrypted) sites using gorequest, a popular HTTP client library. This is dangerous because it could result in plaintext PII being passed around the network." - }, - "helpUri": "https://semgrep.dev/r/problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request", - "id": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request", - "name": "problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-319: Cleartext Transmission of Sensitive Information", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: problem-based-packs.insecure-transport.go-stdlib.sling-http-request.sling-http-request" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask)\n - [https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://flask.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In Flask apps, consider using the Werkzeug util `werkzeug.utils.secure_filename()` to sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask", - "id": "python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask", - "name": "python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.file.tainted-path-traversal-aiofile-flask.tainted-path-traversal-aiofile-flask" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected possible formatted SQL query. Use parameterized queries instead." - }, - "help": { - "markdown": "Detected possible formatted SQL query. Use parameterized queries instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query)\n - [https://stackoverflow.com/questions/775296/mysql-parameterized-queries](https://stackoverflow.com/questions/775296/mysql-parameterized-queries)\n", - "text": "Detected possible formatted SQL query. Use parameterized queries instead." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.formatted-sql-query.formatted-sql-query", - "id": "python.lang.security.audit.formatted-sql-query.formatted-sql-query", - "name": "python.lang.security.audit.formatted-sql-query.formatted-sql-query", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.formatted-sql-query.formatted-sql-query" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`." - }, - "help": { - "markdown": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "EC2 instances should not have a public IP address attached in order to block public access to the instances. To fix this, set your `associate_public_ip_address` to `\"false\"`." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip", - "id": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip", - "name": "terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-284: Improper Access Control", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-ec2-has-public-ip.aws-ec2-has-public-ip" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." - }, - "help": { - "markdown": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Cryptographic_Storage_Cheat_Sheet.html)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html)\n", - "text": "Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Instead, use PBKDF2 for password hashing or SHA256 or SHA512 for other hash function applications." - }, - "helpUri": "https://semgrep.dev/r/clojure.lang.security.use-of-sha1.use-of-sha1", - "id": "clojure.lang.security.use-of-sha1.use-of-sha1", - "name": "clojure.lang.security.use-of-sha1.use-of-sha1", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "CWE-328: Use of Weak Hash", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: clojure.lang.security.use-of-sha1.use-of-sha1" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design." - }, - "help": { - "markdown": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec)\n - [https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec](https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec)\n", - "text": "Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design." - }, - "helpUri": "https://semgrep.dev/r/terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec", - "id": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec", - "name": "terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS." - }, - "help": { - "markdown": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message)\n - [https://www.damonkohler.com/2008/12/email-injection.html](https://www.damonkohler.com/2008/12/email-injection.html)\n", - "text": "Found request data in 'send_mail(...)' that uses 'html_message'. This is dangerous because HTML emails are susceptible to XSS. An attacker could inject data into this HTML email, causing XSS." - }, - "helpUri": "https://semgrep.dev/r/python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message", - "id": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message", - "name": "python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.django.security.injection.email.xss-send-mail-html-message.xss-send-mail-html-message" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Facebook OAuth detected" - }, - "help": { - "markdown": "Facebook OAuth detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Facebook OAuth detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth", - "id": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth", - "name": "generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-facebook-oauth.detected-facebook-oauth" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. " - }, - "help": { - "markdown": "Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. \n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n - [https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption](https://crypto.stackexchange.com/questions/20941/why-shouldnt-i-use-ecb-encryption)\n - [https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0](https://medium.com/asecuritysite-when-bob-met-alice/surely-no-one-uses-ecb-mode-in-aes-332ed90f29d0)\n", - "text": "Symmetric cryptographic operations were identified that use Electronic Code Book (ECB) mode. ECB mode is considered insecure as identical plaintext blocks encrypt to identical ciphertexts revealing patterns in the data. Use stronger, better alternatives such as AES-GCM or ChaChaPoly. " - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode", - "id": "swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode", - "name": "swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.insecure-crypto-ecb-mode.insecure-crypto-ecb-mode" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "help": { - "markdown": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html](https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html)\n", - "text": "Use of AES with no settings detected. By default, java.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", - "id": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", - "name": "java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." - }, - "help": { - "markdown": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal)\n - [https://www.owasp.org/index.php/Path_Traversal](https://www.owasp.org/index.php/Path_Traversal)\n", - "text": "Detected a potential path traversal. A malicious actor could control the location of this file, to include going backwards in the directory with '../'. To address this, ensure that user-controlled variables in file paths are sanitized. You may also consider using a utility method such as org.apache.commons.io.FilenameUtils.getName(...) to only retrieve the file name from the path." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", - "id": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", - "name": "java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.httpservlet-path-traversal.httpservlet-path-traversal" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://docs.python.org/3/library/json.html](https://docs.python.org/3/library/json.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. To prevent this vulnerability, leverage data formats such as JSON or XML as safer alternatives. If you need to deserialize user input in a specific format, consider digitally signing the data before serialization to prevent tampering. For more information, see: [Deserialization prevention](https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html) Even for a data-only serialization format such as JSON, a malicious string may cause the decoder to consume considerable CPU and memory resources. Limiting the size of data to be parsed is recommended." - }, - "helpUri": "https://semgrep.dev/r/python.flask.deserialization.tainted-json-flask.tainted-json-flask", - "id": "python.flask.deserialization.tainted-json-flask.tainted-json-flask", - "name": "python.flask.deserialization.tainted-json-flask.tainted-json-flask", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.deserialization.tainted-json-flask.tainted-json-flask" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "abi.encodePacked hash collision with variable length arguments in $F()" - }, - "help": { - "markdown": "abi.encodePacked hash collision with variable length arguments in $F()\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision)\n - [https://swcregistry.io/docs/SWC-133](https://swcregistry.io/docs/SWC-133)\n", - "text": "abi.encodePacked hash collision with variable length arguments in $F()" - }, - "helpUri": "https://semgrep.dev/r/solidity.security.encode-packed-collision.encode-packed-collision", - "id": "solidity.security.encode-packed-collision.encode-packed-collision", - "name": "solidity.security.encode-packed-collision.encode-packed-collision", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-20: Improper Input Validation", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: solidity.security.encode-packed-collision.encode-packed-collision" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks frameio-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks frameio-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.frameio-api-token.frameio-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks frameio-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.frameio-api-token.frameio-api-token", - "id": "generic.secrets.gitleaks.frameio-api-token.frameio-api-token", - "name": "generic.secrets.gitleaks.frameio-api-token.frameio-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.frameio-api-token.frameio-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument." - }, - "help": { - "markdown": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor)\n - [https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability](https://securitylab.github.com/research/swagger-yaml-parser-vulnerability/#snakeyaml-deserialization-vulnerability)\n", - "text": "Used SnakeYAML org.yaml.snakeyaml.Yaml() constructor with no arguments, which is vulnerable to deserialization attacks. Use the one-argument Yaml(...) constructor instead, with SafeConstructor or a custom Constructor as the argument." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor", - "id": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor", - "name": "java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "LOW CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.use-snakeyaml-constructor.use-snakeyaml-constructor" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "SonarQube Docs API Key detected" - }, - "help": { - "markdown": "SonarQube Docs API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "SonarQube Docs API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key", - "id": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key", - "name": "generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "help": { - "markdown": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring)\n - [https://blog.sonarsource.com/secure-xml-processor/](https://blog.sonarsource.com/secure-xml-processor/)\n - [https://blog.sonarsource.com/understanding-xxe-vulnerabilities/](https://blog.sonarsource.com/understanding-xxe-vulnerabilities/)\n - [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)\n - [https://cwe.mitre.org/data/definitions/611.html](https://cwe.mitre.org/data/definitions/611.html)\n - [https://cwe.mitre.org/data/definitions/776.html](https://cwe.mitre.org/data/definitions/776.html)\n - [https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E](https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-D97A1F1D-8DDF-4D19-A7E5-99099F27346E)\n - [https://github.com/semgrep/java-xxe-research](https://github.com/semgrep/java-xxe-research)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755](https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-2755)\n", - "text": "The application is using an XML parser that has not been safely configured. This might lead to XML External Entity (XXE) vulnerabilities when parsing user-controlled input. An attacker can include document type definitions (DTDs) or XIncludes which can interact with internal or external hosts. XXE can lead to other vulnerabilities, such as Local File Inclusion (LFI), Remote Code Execution (RCE), and Server-side request forgery (SSRF), depending on the application configuration. An attacker can also use DTDs to expand recursively, leading to a Denial-of-Service (DoS) attack, also known as a `Billion Laughs Attack`. It is our recommendation to secure this parser against XXE attacks by configuring the parser with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)`. Alternatively, enabling both of the following configurations also provides protection against XXE attacks. `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD,\"\")` and `factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, \"\")`. For more information, see: [Java XXE prevention](https://semgrep.dev/docs/cheat-sheets/java-xxe/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring", - "id": "java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring", - "name": "java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.xxe.tainted-schemafactory-xxe-spring.tainted-schemafactory-xxe-spring" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "help": { - "markdown": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-2)\n", - "text": "Cryptographic keys should not be kept in the source code. The source code can be widely shared\nin an enterprise environment, and is certainly shared in open source. To be managed safely,\npasswords and secret keys should be stored in separate configuration files or keystores.\n" - }, - "helpUri": "https://semgrep.dev/r/gitlab.find_sec_bugs.HARD_CODE_KEY-2", - "id": "gitlab.find_sec_bugs.HARD_CODE_KEY-2", - "name": "gitlab.find_sec_bugs.HARD_CODE_KEY-2", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-321: Use of Hard-coded Cryptographic Key", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: gitlab.find_sec_bugs.HARD_CODE_KEY-2" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Ensure MySQL is using the latest version of TLS encryption" - }, - "help": { - "markdown": "Ensure MySQL is using the latest version of TLS encryption\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Ensure MySQL is using the latest version of TLS encryption" - }, - "helpUri": "https://semgrep.dev/r/terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version", - "id": "terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version", - "name": "terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: terraform.azure.security.azure-mysql-mintls-version.azure-mysql-mintls-version" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks duffel-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks duffel-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.duffel-api-token.duffel-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks duffel-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.duffel-api-token.duffel-api-token", - "id": "generic.secrets.gitleaks.duffel-api-token.duffel-api-token", - "name": "generic.secrets.gitleaks.duffel-api-token.duffel-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.duffel-api-token.duffel-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain." - }, - "help": { - "markdown": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.lang.security.redirect-to-request-uri.redirect-to-request-uri)\n - [https://www.php.net/manual/en/reserved.variables.server.php](https://www.php.net/manual/en/reserved.variables.server.php)\n - [https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html](https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control.html)\n", - "text": "Redirecting to the current request URL may redirect to another domain, if the current path starts with two slashes. E.g. in https://www.example.com//attacker.com, the value of REQUEST_URI is //attacker.com, and redirecting to it will redirect to that domain." - }, - "helpUri": "https://semgrep.dev/r/php.lang.security.redirect-to-request-uri.redirect-to-request-uri", - "id": "php.lang.security.redirect-to-request-uri.redirect-to-request-uri", - "name": "php.lang.security.redirect-to-request-uri.redirect-to-request-uri", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.lang.security.redirect-to-request-uri.redirect-to-request-uri" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible." - }, - "help": { - "markdown": "Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention)\n - [https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html](https://developer.apple.com/library/archive/documentation/Security/Conceptual/SecureCodingGuide/Articles/ValidatingInput.html)\n - [https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/](https://mas.owasp.org/MASVS/controls/MASVS-CODE-4/)\n - [https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing)\n", - "text": "Usage of Apple's native XML Parser was observed where the parser is explicitly instructed to resolve external entities. This can lead to XXE attacks if untrusted input is parsed. Consider disabling this functionality where feasible." - }, - "helpUri": "https://semgrep.dev/r/swift.lang.xml.should-resolve-xxe.swift-xxe-prevention", - "id": "swift.lang.xml.should-resolve-xxe.swift-xxe-prevention", - "name": "swift.lang.xml.should-resolve-xxe.swift-xxe-prevention", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.lang.xml.should-resolve-xxe.swift-xxe-prevention" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url", - "id": "rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url", - "name": "rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.secrets.tokio-postgres.hardcoded-connection-url.hardcoded-connection-url" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"." - }, - "help": { - "markdown": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\".\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled)\n - [https://semgrep.dev/blog/2022/xml-security-in-java](https://semgrep.dev/blog/2022/xml-security-in-java)\n - [https://semgrep.dev/docs/cheat-sheets/java-xxe/](https://semgrep.dev/docs/cheat-sheets/java-xxe/)\n - [https://blog.sonarsource.com/secure-xml-processor](https://blog.sonarsource.com/secure-xml-processor)\n - [https://xerces.apache.org/xerces2-j/features.html](https://xerces.apache.org/xerces2-j/features.html)\n", - "text": "DOCTYPE declarations are enabled for this TransformerFactory. This is vulnerable to XML external entity attacks. Disable this by setting the attributes \"accessExternalDTD\" and \"accessExternalStylesheet\" to \"\"." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", - "id": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", - "name": "java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "HIGH CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.xxe.transformerfactory-dtds-not-disabled.transformerfactory-dtds-not-disabled" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks linkedin-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks linkedin-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks linkedin-client-secret was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret", - "id": "generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret", - "name": "generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.linkedin-client-secret.linkedin-client-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "help": { - "markdown": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected MD5 hash algorithm which is considered insecure. MD5 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.use-of-md5.use-of-md5", - "id": "kotlin.lang.security.use-of-md5.use-of-md5", - "name": "kotlin.lang.security.use-of-md5.use-of-md5", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-328: Use of Weak Hash", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.use-of-md5.use-of-md5" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks sumologic-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks sumologic-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks sumologic-access-id was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id", - "id": "generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id", - "name": "generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.sumologic-access-id.sumologic-access-id" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret", - "id": "swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret", - "name": "swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.cryptoswift.chacha20-hardcoded-secret.chacha20-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "help": { - "markdown": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "NullCipher was detected. This will not encrypt anything; the cipher text will be the same as the plain text. Use a valid, secure cipher: Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.no-null-cipher.no-null-cipher", - "id": "kotlin.lang.security.no-null-cipher.no-null-cipher", - "name": "kotlin.lang.security.no-null-cipher.no-null-cipher", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm", - "MEDIUM CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.no-null-cipher.no-null-cipher" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client." - }, - "help": { - "markdown": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Detected DynamoDB query params that are tainted by `$EVENT` object. This could lead to NoSQL injection if the variable is user-controlled and not properly sanitized. Explicitly assign query params instead of passing data from `$EVENT` directly to DynamoDB client." - }, - "helpUri": "https://semgrep.dev/r/javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object", - "id": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object", - "name": "javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.aws-lambda.security.dynamodb-request-object.dynamodb-request-object" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input)\n - [https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html](https://docs.oracle.com/javase/8/docs/api/java/lang/Runtime.html)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands. For more information, see: [Java command injection prevention](https://semgrep.dev/docs/cheat-sheets/java-command-injection/)" - }, - "helpUri": "https://semgrep.dev/r/java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input", - "id": "java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input", - "name": "java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.simple-command-injection-direct-input.simple-command-injection-direct-input" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking." - }, - "help": { - "markdown": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos)\n - [https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)\n", - "text": "Found a potentially user-controllable argument in the construction of a regular expressions. This may result in excessive resource consumption when applied to certain inputs, or when the user is allowed to control the match target. Avoid allowing users to specify regular expressions processed by the server. If you must support user-controllable input in a regular expression, use an allow-list to restrict the expressions users may supply to limit catastrophic backtracking." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.brakeman.check-regex-dos.check-regex-dos", - "id": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos", - "name": "ruby.rails.security.brakeman.check-regex-dos.check-regex-dos", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1333: Inefficient Regular Expression Complexity", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.brakeman.check-regex-dos.check-regex-dos" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks." - }, - "help": { - "markdown": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)\n - [https://kubernetes.io/docs/tasks/configure-pod-container/security-context/](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/)\n - [https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-add-no-new-privileges-flag)\n", - "text": "In Kubernetes, each pod runs in its own isolated environment with its own set of security policies. However, certain container images may contain `setuid` or `setgid` binaries that could allow an attacker to perform privilege escalation and gain access to sensitive resources. To mitigate this risk, it's recommended to add a `securityContext` to the container in the pod, with the parameter `allowPrivilegeEscalation` set to `false`. This will prevent the container from running any privileged processes and limit the impact of any potential attacks. In the container `$CONTAINER` this parameter is set to `true` which makes this container much more vulnerable to privelege escalation attacks." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true", - "id": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true", - "name": "yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-732: Incorrect Permission Assignment for Critical Resource", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.allow-privilege-escalation-true.allow-privilege-escalation-true" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://pg.uptrace.dev/queries/](https://pg.uptrace.dev/queries/)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions. When building SQL queries in Go, it is possible to adopt prepared statements by using the `Prepare` and `PrepareContext` calls with parameterized queries. For more information, see: [Prepared statements in Go](https://go.dev/doc/database/prepared-statements)." - }, - "helpUri": "https://semgrep.dev/r/go.net.sql.pg-sqli-taint.pg-sqli-taint", - "id": "go.net.sql.pg-sqli-taint.pg-sqli-taint", - "name": "go.net.sql.pg-sqli-taint.pg-sqli-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.net.sql.pg-sqli-taint.pg-sqli-taint" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks dropbox-short-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks dropbox-short-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks dropbox-short-lived-api-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token", - "id": "generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token", - "name": "generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.dropbox-short-lived-api-token.dropbox-short-lived-api-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead." - }, - "help": { - "markdown": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "Detected use of the functions `Math.random()` or `java.util.Random()`. These are both not cryptographically strong random number generators (RNGs). If you are using these RNGs to create passwords or secret tokens, use `java.security.SecureRandom` instead." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.crypto.weak-random.weak-random", - "id": "java.lang.security.audit.crypto.weak-random.weak-random", - "name": "java.lang.security.audit.crypto.weak-random.weak-random", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-330: Use of Insufficiently Random Values", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.crypto.weak-random.weak-random" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint", - "id": "csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint", - "name": "csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.sqli.systemdata-taint.systemdata-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations." - }, - "help": { - "markdown": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout)\n - [https://securitylab.github.com/research/github-actions-preventing-pwn-requests/](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)\n - [https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md](https://github.com/justinsteven/advisories/blob/master/2021_github_actions_checkspelling_token_leak_via_advice_symlink.md)\n - [https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability](https://www.legitsecurity.com/blog/github-privilege-escalation-vulnerability)\n", - "text": "This GitHub Actions workflow file uses `workflow_run` and checks out code from the incoming pull request. When using `workflow_run`, the Action runs in the context of the target repository, which includes access to all repository secrets. Normally, this is safe because the Action only runs code from the target repository, not the incoming PR. However, by checking out the incoming PR code, you're now using the incoming code for the rest of the action. You may be inadvertently executing arbitrary code from the incoming PR with access to repository secrets, which would let an attacker steal repository secrets. This normally happens by running build scripts (e.g., `npm build` and `make`) or dependency installation scripts (e.g., `python setup.py install`). Audit your workflow file to make sure no code from the incoming PR is executed. Please see https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ for additional mitigations." - }, - "helpUri": "https://semgrep.dev/r/yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout", - "id": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout", - "name": "yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-913: Improper Control of Dynamically-Managed Code Resources", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.github-actions.security.workflow-run-target-code-checkout.workflow-run-target-code-checkout" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl", - "id": "python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl", - "name": "python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-pycurl.tainted-flask-http-request-pycurl" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp", - "id": "python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp", - "name": "python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.net.tainted-flask-http-request-aiohttp.tainted-flask-http-request-aiohttp" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks kraken-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks kraken-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.kraken-access-token.kraken-access-token)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks kraken-access-token was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.kraken-access-token.kraken-access-token", - "id": "generic.secrets.gitleaks.kraken-access-token.kraken-access-token", - "name": "generic.secrets.gitleaks.kraken-access-token.kraken-access-token", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.kraken-access-token.kraken-access-token" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client." - }, - "help": { - "markdown": "A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key)\n - [https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements](https://mobile-security.gitbook.io/masvs/security-requirements/0x08-v3-cryptography_verification_requirements)\n", - "text": "A hard-coded cryptographic key was detected. An attacker that obtains this key via reverse engineering or access to source code will be able to re-use this key to encrypt, decrypt, and/or sign data at will. Cryptographic keys should be unique, and randomly generated per user, per client." - }, - "helpUri": "https://semgrep.dev/r/swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key", - "id": "swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key", - "name": "swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-321: Use of Hard-coded Cryptographic Key", - "HIGH CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.commoncrypto.hardcoded-symmetric-key.hardcoded-symmetric-key" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret", - "id": "javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret", - "name": "javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.mysql.node-mysql-hardcoded-secret.node-mysql-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in “insecure temporary file” security vulnerabilities.'" - }, - "help": { - "markdown": "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in “insecure temporary file” security vulnerabilities.'\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.lang.security.temp-dir.temp-dir)\n - [https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html](https://doc.rust-lang.org/stable/std/env/fn.temp_dir.html)\n", - "text": "temp_dir should not be used for security operations. From the docs: 'The temporary directory may be shared among users, or between processes with different privileges; thus, the creation of any files or directories in the temporary directory must use a secure method to create a uniquely named file. Creating a file or directory with a fixed or predictable name may result in “insecure temporary file” security vulnerabilities.'" - }, - "helpUri": "https://semgrep.dev/r/rust.lang.security.temp-dir.temp-dir", - "id": "rust.lang.security.temp-dir.temp-dir", - "name": "rust.lang.security.temp-dir.temp-dir", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-807: Reliance on Untrusted Inputs in a Security Decision", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.lang.security.temp-dir.temp-dir" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Stripe API Key detected" - }, - "help": { - "markdown": "Stripe API Key detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "Stripe API Key detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key", - "id": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key", - "name": "generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-stripe-api-key.detected-stripe-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko", - "id": "python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko", - "name": "python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-paramiko.tainted-fastapi-http-request-paramiko" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')." - }, - "help": { - "markdown": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST').\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping)\n - [https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING](https://find-sec-bugs.github.io/bugs.htm#SPRING_CSRF_UNRESTRICTED_REQUEST_MAPPING)\n", - "text": "Detected a method annotated with 'RequestMapping' that does not specify the HTTP method. CSRF protections are not enabled for GET, HEAD, TRACE, or OPTIONS, and by default all HTTP methods are allowed when the HTTP method is not explicitly specified. This means that a method that performs state changes could be vulnerable to CSRF attacks. To mitigate, add the 'method' field and specify the HTTP method (such as 'RequestMethod.POST')." - }, - "helpUri": "https://semgrep.dev/r/java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping", - "id": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping", - "name": "java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.spring.security.unrestricted-request-mapping.unrestricted-request-mapping" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality." - }, - "help": { - "markdown": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod)\n - [https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#host-namespaces)\n", - "text": "Pod is sharing the host process ID namespace. When paired with ptrace this can be used to escalate privileges outside of the container. Remove the 'hostPID' key to disable this functionality." - }, - "helpUri": "https://semgrep.dev/r/yaml.kubernetes.security.hostpid-pod.hostpid-pod", - "id": "yaml.kubernetes.security.hostpid-pod.hostpid-pod", - "name": "yaml.kubernetes.security.hostpid-pod.hostpid-pod", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-269: Improper Privilege Management", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: yaml.kubernetes.security.hostpid-pod.hostpid-pod" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret", - "id": "python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret", - "name": "python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.psycopg2.python-psycopg2-hardcoded-secret.python-psycopg2-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda)\n - [https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/](https://blog.trailofbits.com/2021/03/15/never-a-dill-moment-exploiting-machine-learning-pickle-files/)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/;](https://davidhamann.de/2020/04/05/exploiting-python-pickle/;)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f)](https://pytorch.org/docs/stable/_modules/torch/distributed/distributed_c10d.html#broadcast_object_list:~:text=.BytesIO()-,_pickler,-(f))\n - [https://pytorch.org/docs/stable/generated/torch.load.html](https://pytorch.org/docs/stable/generated/torch.load.html)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. A number of functions and packages in the `torch` module rely on the `pickle` module and should not be used to unpackage data from untrusted sources." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-torch-pickle-aws-lambda.tainted-torch-pickle-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`." - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli)\n - [https://www.rubydoc.info/gems/pg/PG/Connection](https://www.rubydoc.info/gems/pg/PG/Connection)\n", - "text": "Detected string concatenation with a non-literal variable in a pg Ruby SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized queries like so: `conn.exec_params('SELECT $1 AS a, $2 AS b, $3 AS c', [1, 2, nil])` And you can use prepared statements with `exec_prepared`." - }, - "helpUri": "https://semgrep.dev/r/ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli", - "id": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli", - "name": "ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: ruby.rails.security.audit.sqli.ruby-pg-sqli.ruby-pg-sqli" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli", - "id": "kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli", - "name": "kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.spring.spring-data-mongo-nosqli.spring-data-mongo-nosqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2." - }, - "help": { - "markdown": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n", - "text": "DefaultHttpClient is deprecated. Further, it does not support connections using TLS1.2, which makes using DefaultHttpClient a security hazard. Use SystemDefaultHttpClient instead, which supports TLS1.2." - }, - "helpUri": "https://semgrep.dev/r/kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "id": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "name": "kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-326: Inadequate Encryption Strength", - "LOW CONFIDENCE", - "OWASP-A02:2021 - Cryptographic Failures", - "OWASP-A03:2017 - Sensitive Data Exposure", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: kotlin.lang.security.defaulthttpclient-is-deprecated.defaulthttpclient-is-deprecated" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "help": { - "markdown": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "A expression is built with a dynamic value. The source of the value(s) should be verified to avoid that unfiltered values fall into this risky code evaluation." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell", - "id": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell", - "name": "java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.dangerous-groovy-shell.dangerous-groovy-shell" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill)\n - [https://davidhamann.de/2020/04/05/exploiting-python-pickle/](https://davidhamann.de/2020/04/05/exploiting-python-pickle/)\n - [https://dill.readthedocs.io/en/latest/index.html](https://dill.readthedocs.io/en/latest/index.html)\n - [https://docs.python.org/3/library/pickle.html](https://docs.python.org/3/library/pickle.html)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://pypi.org/project/dill/](https://pypi.org/project/dill/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. The `dill` module allows arbitrary user defined classes and functions to be serialized. We do not recommend using it for unpickling data from untrusted sources. For deserializing data from untrusted sources we recommend using YAML or JSON libraries with built-in protections." - }, - "helpUri": "https://semgrep.dev/r/python.lang.deserialization.tainted-dill.tainted-dill", - "id": "python.lang.deserialization.tainted-dill.tainted-dill", - "name": "python.lang.deserialization.tainted-dill.tainted-dill", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.deserialization.tainted-dill.tainted-dill" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary." - }, - "help": { - "markdown": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf)\n - [https://www.cvedetails.com/cve/CVE-2020-28168/](https://www.cvedetails.com/cve/CVE-2020-28168/)\n - [https://owasp.org/www-community/attacks/Server_Side_Request_Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery)\n", - "text": "User-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary." - }, - "helpUri": "https://semgrep.dev/r/javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf", - "id": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf", - "name": "javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.apollo.security.apollo-axios-ssrf.apollo-axios-ssrf" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'." - }, - "help": { - "markdown": "Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args)\n - [https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec](https://docs.python.org/3/library/asyncio-eventloop.html#asyncio.loop.subprocess_exec)\n - [https://docs.python.org/3/library/shlex.html](https://docs.python.org/3/library/shlex.html)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n", - "text": "Detected subprocess function '$LOOP.subprocess_exec' with user controlled data. You may consider using 'shlex.escape()'." - }, - "helpUri": "https://semgrep.dev/r/python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args", - "id": "python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args", - "name": "python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "MEDIUM CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.security.audit.dangerous-asyncio-exec-tainted-env-args.dangerous-asyncio-exec-tainted-env-args" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret", - "id": "javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret", - "name": "javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.mongodb.node-mongodb-hardcoded-secret.node-mongodb-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile" - }, - "help": { - "markdown": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash)\n - [https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile](https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile)\n", - "text": "Found an initialization of the Intercom Messenger that identifies a User, but does not specify a `user_hash`. This configuration allows users to impersonate one another. See the Intercom Identity Verification docs for more context https://www.intercom.com/help/en/articles/183-set-up-identity-verification-for-web-and-mobile" - }, - "helpUri": "https://semgrep.dev/r/javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash", - "id": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash", - "name": "javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.intercom.security.audit.intercom-settings-user-identifier-without-user-hash.intercom-settings-user-identifier-without-user-hash" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class." - }, - "help": { - "markdown": "The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted)\n - [https://laravel.com/docs/9.x/responses#cookies-and-encryption](https://laravel.com/docs/9.x/responses#cookies-and-encryption)\n - [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management](https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Laravel_Cheat_Sheet.md#cookie-security-and-session-management)\n", - "text": "The application appears to have disabled the cookie encryption middleware which can lead to a Cross-site request forgery (CSRF) vulnerability. If the application uses cookie-based authentication, an attacker can trick users into sending authenticated HTTP requests without their knowledge from any arbitrary domain they visit. You can prevent this vulnerability by encrypting cookies if you use them to handle sessions or storing sensitive data. To enable the cookie encryption middleware add `\\$APP\\Http\\Middleware\\EncryptCookies` to the middleware group in your `$APP\\Http\\Kernel` class." - }, - "helpUri": "https://semgrep.dev/r/php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted", - "id": "php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted", - "name": "php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-352: Cross-Site Request Forgery (CSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: php.laravel.security.laravel-cookie-not-encrypted.laravel-cookie-not-encrypted" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "help": { - "markdown": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "Untrusted input might be used to build an HTTP request, which can lead to a Server-side request forgery (SSRF) vulnerability. SSRF allows an attacker to send crafted requests from the server side to other internal or external systems. SSRF can lead to unauthorized access to sensitive data and, in some cases, allow the attacker to control applications or systems that trust the vulnerable service. To prevent this vulnerability, avoid allowing user input to craft the base request. Instead, treat it as part of the path or query parameter and encode it appropriately. When user input is necessary to prepare the HTTP request, perform strict input validation. Additionally, whenever possible, use allowlists to only interact with expected, trusted domains." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp", - "id": "python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp", - "name": "python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "MEDIUM CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.net.tainted-fastapi-http-request-aiohttp.tainted-fastapi-http-request-aiohttp" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters." - }, - "help": { - "markdown": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters)\n - [https://trojansource.codes/](https://trojansource.codes/)\n", - "text": "This code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters." - }, - "helpUri": "https://semgrep.dev/r/generic.unicode.security.bidi.contains-bidirectional-characters", - "id": "generic.unicode.security.bidi.contains-bidirectional-characters", - "name": "generic.unicode.security.bidi.contains-bidirectional-characters", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.unicode.security.bidi.contains-bidirectional-characters" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "help": { - "markdown": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "The application uses an empty credential. This can lead to unauthorized access by either an internal or external malicious actor. It is recommended to rotate the secret and retrieve them from a secure secret vault or Hardware Security Module (HSM), alternatively environment variables can be used if allowed by your company policy." - }, - "helpUri": "https://semgrep.dev/r/go.secrets.pgx.pgx-empty-password.pgx-empty-password", - "id": "go.secrets.pgx.pgx-empty-password.pgx-empty-password", - "name": "go.secrets.pgx.pgx-empty-password.pgx-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A02:2017 - Broken Authentication", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: go.secrets.pgx.pgx-empty-password.pgx-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`." - }, - "help": { - "markdown": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role)\n - [https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/](https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/)\n", - "text": "Detected wildcard access granted to sts:AssumeRole. This means anyone with your AWS account ID and the name of the role can assume the role. Instead, limit to a specific identity in your account, like this: `arn:aws:iam:::root`." - }, - "helpUri": "https://semgrep.dev/r/json.aws.security.wildcard-assume-role.wildcard-assume-role", - "id": "json.aws.security.wildcard-assume-role.wildcard-assume-role", - "name": "json.aws.security.wildcard-assume-role.wildcard-assume-role", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-250: Execution with Unnecessary Privileges", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "OWASP-A06:2017 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: json.aws.security.wildcard-assume-role.wildcard-assume-role" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations" - }, - "help": { - "markdown": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return)\n - [https://pkg.go.dev/sync#Mutex](https://pkg.go.dev/sync#Mutex)\n - [https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/](https://blog.trailofbits.com/2020/06/09/how-to-check-if-a-mutex-is-locked-in-go/)\n", - "text": "Missing mutex unlock (`$T` variable) before returning from a function. This could result in panics resulting from double lock operations" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.missing-unlock-before-return.missing-unlock-before-return", - "id": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return", - "name": "trailofbits.go.missing-unlock-before-return.missing-unlock-before-return", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-667: Improper Locking", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.missing-unlock-before-return.missing-unlock-before-return" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Make sure that unverified user data can not reach `sandbox`." - }, - "help": { - "markdown": "Make sure that unverified user data can not reach `sandbox`.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Make sure that unverified user data can not reach `sandbox`." - }, - "helpUri": "https://semgrep.dev/r/javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection", - "id": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection", - "name": "javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-94: Improper Control of Generation of Code ('Code Injection')", - "LOW CONFIDENCE", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.sandbox.security.audit.sandbox-code-injection.sandbox-code-injection" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "help": { - "markdown": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Detected a cookie where the `Secure` flag is either missing or disabled. The `Secure` cookie flag instructs the browser to forbid sending the cookie over an insecure HTTP request. Set the `Secure` flag to `true` so the cookie will only be sent over HTTPS. If this wasn't intentional, it's recommended to set the Secure flag to true so the cookie will always be sent over HTTPS. A secure default approach would consist of creating a custom response class, overriding the `set_cookie` method to set this flag to `True` by default, setting the `response_class` attribute of your Flask app to use the custom response class, setting the flag to False on a case-by-case basis only when necessary." - }, - "helpUri": "https://semgrep.dev/r/python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false", - "id": "python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false", - "name": "python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute", - "HIGH CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.flask.web.flask-cookie-secure-false.flask-cookie-secure-false" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities" - }, - "help": { - "markdown": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection)\n - [https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29](https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29)\n", - "text": "If unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities" - }, - "helpUri": "https://semgrep.dev/r/javascript.phantom.security.audit.phantom-injection.phantom-injection", - "id": "javascript.phantom.security.audit.phantom-injection.phantom-injection", - "name": "javascript.phantom.security.audit.phantom-injection.phantom-injection", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-918: Server-Side Request Forgery (SSRF)", - "LOW CONFIDENCE", - "OWASP-A10:2021 - Server-Side Request Forgery (SSRF)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.phantom.security.audit.phantom-injection.phantom-injection" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a NoSQL injection vulnerability. An attacker can execute malicious NoSQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. Make sure all user input is validated and sanitized, and avoid using tainted user input to construct NoSQL statements if possible. Ideally, avoid raw queries and instead use parameterized queries." - }, - "helpUri": "https://semgrep.dev/r/csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc", - "id": "csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc", - "name": "csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-943: Improper Neutralization of Special Elements in Data Query Logic", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: csharp.dotnet-core.nosqli.mongodb-taint-grpc.mongodb-taint-grpc" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "help": { - "markdown": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi)\n - [https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/](https://fastapi.palletsprojects.com/en/2.3.x/patterns/fileuploads/)\n - [https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths](https://fastapi.tiangolo.com/tutorial/path-params/#path-parameters-containing-paths)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n - [https://owasp.org/www-community/attacks/Path_Traversal](https://owasp.org/www-community/attacks/Path_Traversal)\n - [https://portswigger.net/web-security/file-path-traversal](https://portswigger.net/web-security/file-path-traversal)\n - [https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename](https://werkzeug.palletsprojects.com/en/3.0.x/utils/#werkzeug.utils.secure_filename)\n", - "text": "The application builds a file path from potentially untrusted data, which can lead to a path traversal vulnerability. An attacker can manipulate the path which the application uses to access files. If the application does not validate user input and sanitize file paths, sensitive files such as configuration or user data can be accessed, potentially creating or overwriting files. In FastAPI apps, consider using the Starlette `:path` annotation in the route declaration to automatically sanitize paths and filenames." - }, - "helpUri": "https://semgrep.dev/r/python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi", - "id": "python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi", - "name": "python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", - "HIGH CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "OWASP-A05:2017 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.fastapi.file.tainted-shelve-fastapi.tainted-shelve-fastapi" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "help": { - "markdown": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n", - "text": "Found a Pyramid Authentication Ticket cookie without the httponly option correctly set. Pyramid cookies should be handled securely by setting httponly=True. If this parameter is not properly set, your cookies are not properly protected and are at risk of being stolen by an attacker." - }, - "helpUri": "https://semgrep.dev/r/python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default", - "id": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default", - "name": "python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag", - "MEDIUM CONFIDENCE", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.pyramid.audit.authtkt-cookie-httponly-unsafe-default.pyramid-authtkt-cookie-httponly-unsafe-default" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead." - }, - "help": { - "markdown": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal)\n - [https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values](https://scala-slick.org/doc/3.3.3/sql.html#splicing-literal-values)\n", - "text": "Detected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Avoid using `#$variable` and use `$variable` in `sql\"...\"` strings instead." - }, - "helpUri": "https://semgrep.dev/r/scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal", - "id": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal", - "name": "scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: scala.slick.security.scala-slick-sql-non-literal.scala-slick-sql-non-literal" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "linux shadow file detected" - }, - "help": { - "markdown": "linux shadow file detected\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "linux shadow file detected" - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.security.detected-etc-shadow.detected-etc-shadow", - "id": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow", - "name": "generic.secrets.security.detected-etc-shadow.detected-etc-shadow", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.security.detected-etc-shadow.detected-etc-shadow" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped." - }, - "help": { - "markdown": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n", - "text": "Untrusted input might be used to build an LDAP query, which can allow attackers to run arbitrary LDAP queries. If an LDAP query must contain untrusted input then it must be escaped." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn", - "id": "cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn", - "name": "cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.ldap.ldap-injection-dn.ldap-injection-dn" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks gcp-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks gcp-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.gcp-api-key.gcp-api-key)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks gcp-api-key was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.gcp-api-key.gcp-api-key", - "id": "generic.secrets.gitleaks.gcp-api-key.gcp-api-key", - "name": "generic.secrets.gitleaks.gcp-api-key.gcp-api-key", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.gcp-api-key.gcp-api-key" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "help": { - "markdown": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda)\n - [https://cwe.mitre.org/data/definitions/502.html](https://cwe.mitre.org/data/definitions/502.html)\n - [https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html](https://knowledge-base.secureflag.com/vulnerabilities/unsafe_deserialization/unsafe_deserialization_python.html)\n - [https://nvd.nist.gov/vuln/detail/CVE-2017-18342](https://nvd.nist.gov/vuln/detail/CVE-2017-18342)\n - [https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)\n - [https://portswigger.net/web-security/deserialization](https://portswigger.net/web-security/deserialization)\n - [https://yaml.readthedocs.io/en/latest/api/](https://yaml.readthedocs.io/en/latest/api/)\n", - "text": "The application may convert user-controlled data into an object, which can lead to an insecure deserialization vulnerability. An attacker can create a malicious serialized object, pass it to the application, and take advantage of the deserialization process to perform Denial-of-service (DoS), Remote code execution (RCE), or bypass access control measures. Starting from `ruamel.yaml` version 0.15.0 the default loader (`typ='rt'`) is a direct derivative of the safe loader. Before this version, use the optional argument `Loader` with value `SafeLoader` or `CSafeLoader`, or use the `safe_load` function." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda", - "id": "python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda", - "name": "python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-502: Deserialization of Untrusted Data", - "HIGH CONFIDENCE", - "OWASP-A08:2017 - Insecure Deserialization", - "OWASP-A08:2021 - Software and Data Integrity Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.deserialization.tainted-ruamel-aws-lambda.tainted-ruamel-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret", - "id": "swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret", - "name": "swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.cryptoswift.rabbit-hardcoded-secret.rabbit-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions." - }, - "help": { - "markdown": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any)\n - [https://owasp.org/Top10/A04_2021-Insecure_Design](https://owasp.org/Top10/A04_2021-Insecure_Design)\n", - "text": "Access-Control-Allow-Origin response header is set to \"*\". This will disable CORS Same Origin Policy restrictions." - }, - "helpUri": "https://semgrep.dev/r/typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any", - "id": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any", - "name": "typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-183: Permissive List of Allowed Inputs", - "LOW CONFIDENCE", - "OWASP-A04:2021 - Insecure Design", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: typescript.nestjs.security.audit.nestjs-header-cors-any.nestjs-header-cors-any" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password", - "id": "java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password", - "name": "java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jedis.secrets.jedis-jedisclientconfig-hardcoded-password.jedis-jedisclientconfig-hardcoded-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "help": { - "markdown": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint)\n - [https://docs.rs/tokio-postgres/latest/tokio_postgres/](https://docs.rs/tokio-postgres/latest/tokio_postgres/)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input might be used to build a database query, which can lead to a SQL injection vulnerability. An attacker can execute malicious SQL statements and gain unauthorized access to sensitive data, modify, delete data, or execute arbitrary system commands. To prevent this vulnerability, use prepared statements that do not concatenate user-controllable strings and use parameterized queries where SQL commands and user data are strictly separated. Also, consider using an object-relational (ORM) framework to operate with safer abstractions." - }, - "helpUri": "https://semgrep.dev/r/rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint", - "id": "rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint", - "name": "rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: rust.hyper.sql.tokio-postgres-taint.tokio-postgres-taint" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need." - }, - "help": { - "markdown": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission)\n - [https://owasp.org/Top10/A01_2021-Broken_Access_Control](https://owasp.org/Top10/A01_2021-Broken_Access_Control)\n", - "text": "Detected file permissions that are overly permissive (read, write, and execute). It is generally a bad practices to set overly permissive file permission such as read+write+exec for all users. If the file affected is a configuration, a binary, a script or sensitive data, it can lead to privilege escalation or information leakage. Instead, follow the principle of least privilege and give users only the permissions they need." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission", - "id": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission", - "name": "java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-276: Incorrect Default Permissions", - "LOW CONFIDENCE", - "OWASP-A01:2021 - Broken Access Control", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.audit.overly-permissive-file-permission.overly-permissive-file-permission" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "A gitleaks github-oauth was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "A gitleaks github-oauth was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/generic.secrets.gitleaks.github-oauth.github-oauth)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A gitleaks github-oauth was detected which attempts to identify hard-coded credentials. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/generic.secrets.gitleaks.github-oauth.github-oauth", - "id": "generic.secrets.gitleaks.github-oauth.github-oauth", - "name": "generic.secrets.gitleaks.github-oauth.github-oauth", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "LOW CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: generic.secrets.gitleaks.github-oauth.github-oauth" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion." - }, - "help": { - "markdown": "The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities)\n - [https://owasp.org/Top10/A05_2021-Security_Misconfiguration](https://owasp.org/Top10/A05_2021-Security_Misconfiguration)\n - [https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems](https://wiki.sei.cmu.edu/confluence/display/c/STR02-C.+Sanitize+data+passed+to+complex+subsystems)\n", - "text": "The libxml2 parser is configured to process entities. Without other options such as processing DTDs or accessing remote entities from the network, it should not pose a risk except for memory exhaustion." - }, - "helpUri": "https://semgrep.dev/r/cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities", - "id": "cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities", - "name": "cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-611: Improper Restriction of XML External Entity Reference", - "MEDIUM CONFIDENCE", - "OWASP-A04:2017 - XML External Entities (XXE)", - "OWASP-A05:2021 - Security Misconfiguration", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.libxml2.security.libxml2-expand-local-entities.libxml2-expand-local-entities" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code" - }, - "help": { - "markdown": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map)\n - [https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/](https://blog.trailofbits.com/2019/11/07/attacking-go-vr-ttps/)\n", - "text": "Iteration over a possibly empty map `$C`. This is likely a bug or redundant code" - }, - "helpUri": "https://semgrep.dev/r/trailofbits.go.iterate-over-empty-map.iterate-over-empty-map", - "id": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map", - "name": "trailofbits.go.iterate-over-empty-map.iterate-over-empty-map", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-665: Improper Initialization", - "MEDIUM CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: trailofbits.go.iterate-over-empty-map.iterate-over-empty-map" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments." - }, - "help": { - "markdown": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation)\n - [https://owasp.org/Top10/A02_2021-Cryptographic_Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures)\n - [https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures](https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures)\n", - "text": "TLS ceritificate validation is disabled. This could lead to a potential man-in-the-middle attack. This may be used for testing purposes but it is not considered safe in production deployments." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation", - "id": "cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation", - "name": "cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "MEDIUM CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.crypto.certificate.curl-disabled-cert-validation.curl-disabled-cert-validation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account." - }, - "help": { - "markdown": "The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards)\n - [https://developer.apple.com/documentation/uikit/uipasteboard?language=swift](https://developer.apple.com/documentation/uikit/uipasteboard?language=swift)\n - [https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/](https://mas.owasp.org/MASTG/tests/ios/MASVS-PLATFORM/MASTG-TEST-0073/)\n", - "text": "The application was found to use named persistent pasteboards, which Apple strongly discourages and were deprecated in iOS 10. The application should use shared containers to pass data to trusted applications deployed under the same developer account." - }, - "helpUri": "https://semgrep.dev/r/swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards", - "id": "swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards", - "name": "swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-477: Use of Obsolete Function", - "HIGH CONFIDENCE", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.lang.clipboard.named-pasteboard.swift-named-persistent-pasteboards" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "help": { - "markdown": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate the user input, perform contextual output encoding or sanitize the input." - }, - "helpUri": "https://semgrep.dev/r/java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep", - "id": "java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep", - "name": "java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", - "HIGH CONFIDENCE", - "OWASP-A03:2021 - Injection", - "OWASP-A07:2017 - Cross-Site Scripting (XSS)", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.servlets.security.servletresponse-writer-xss-deepsemgrep.servletresponse-writer-xss-deepsemgrep" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()." - }, - "help": { - "markdown": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread().\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1)\n", - "text": "os.preadv() is only available on Python 3.7+ and is therefore not backwards compatible. Instead, use a combination of os.readv() and os.pread()." - }, - "helpUri": "https://semgrep.dev/r/python.lang.compatibility.python37.python37-compatibility-os1", - "id": "python.lang.compatibility.python37.python37-compatibility-os1", - "name": "python.lang.compatibility.python37.python37-compatibility-os1", - "properties": { - "precision": "very-high", - "tags": [] - }, - "shortDescription": { - "text": "Semgrep Finding: python.lang.compatibility.python37.python37-compatibility-os1" - } - }, - { - "defaultConfiguration": { - "level": "note" - }, - "fullDescription": { - "text": "Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family." - }, - "help": { - "markdown": "Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n", - "text": "Don't call `system`. It's a high-level wrapper that allows for stacking multiple commands. Always prefer a more restrictive API such as calling `execve` from the `exec` family." - }, - "helpUri": "https://semgrep.dev/r/cpp.lang.security.system-command.dont-call-system.dont-call-system", - "id": "cpp.lang.security.system-command.dont-call-system.dont-call-system", - "name": "cpp.lang.security.system-command.dont-call-system.dont-call-system", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: cpp.lang.security.system-command.dont-call-system.dont-call-system" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`" - }, - "help": { - "markdown": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli)\n - [https://www.npmjs.com/package/mssql](https://www.npmjs.com/package/mssql)\n", - "text": "Detected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`" - }, - "helpUri": "https://semgrep.dev/r/javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli", - "id": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli", - "name": "javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", - "LOW CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: javascript.lang.security.audit.sqli.node-mssql-sqli.node-mssql-sqli" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret", - "id": "java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret", - "name": "java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.jedis.secrets.jedissentinelpool-constructor-hardcoded-secret.jedissentinelpool-constructor-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation." - }, - "help": { - "markdown": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation)\n - [https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib](https://stackoverflow.com/questions/41740361/is-it-safe-to-disable-ssl-certificate-verification-in-pythonss-requests-lib)\n", - "text": "Certificate verification has been explicitly disabled. This permits insecure connections to insecure servers. Re-enable certification validation." - }, - "helpUri": "https://semgrep.dev/r/python.requests.security.disabled-cert-validation.disabled-cert-validation", - "id": "python.requests.security.disabled-cert-validation.disabled-cert-validation", - "name": "python.requests.security.disabled-cert-validation.disabled-cert-validation", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-295: Improper Certificate Validation", - "LOW CONFIDENCE", - "OWASP-A03:2017 - Sensitive Data Exposure", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.requests.security.disabled-cert-validation.disabled-cert-validation" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "help": { - "markdown": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "The application creates a database connection with an empty password. This can lead to unauthorized access by either an internal or external malicious actor. To prevent this vulnerability, enforce authentication when connecting to a database by using environment variables to securely provide credentials or retrieving them from a secure vault or HSM (Hardware Security Module)." - }, - "helpUri": "https://semgrep.dev/r/python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password", - "id": "python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password", - "name": "python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-287: Improper Authentication", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.cassandra.python-cassandra-empty-password.python-cassandra-empty-password" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data." - }, - "help": { - "markdown": "Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_debugging.webview_debugging)\n", - "text": "Remote WebView debugging is enabled. This allows an attacker with debugging access to interact with the webview and steal or corrupt data." - }, - "helpUri": "https://semgrep.dev/r/mobsf.mobsfscan.webview.webview_debugging.webview_debugging", - "id": "mobsf.mobsfscan.webview.webview_debugging.webview_debugging", - "name": "mobsf.mobsfscan.webview.webview_debugging.webview_debugging", - "properties": { - "precision": "very-high", - "tags": [ - "cwe-489", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: mobsf.mobsfscan.webview.webview_debugging.webview_debugging" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret", - "id": "swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret", - "name": "swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: swift.cryptoswift.aes-hardcoded-secret.aes-hardcoded-secret" - } - }, - { - "defaultConfiguration": { - "level": "error" - }, - "fullDescription": { - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "help": { - "markdown": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands.\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda)\n - [https://docs.python.org/3/library/os.html](https://docs.python.org/3/library/os.html)\n - [https://docs.python.org/3/library/subprocess.html#subprocess.Popen](https://docs.python.org/3/library/subprocess.html#subprocess.Popen)\n - [https://owasp.org/Top10/A03_2021-Injection](https://owasp.org/Top10/A03_2021-Injection)\n - [https://semgrep.dev/docs/cheat-sheets/python-command-injection/](https://semgrep.dev/docs/cheat-sheets/python-command-injection/)\n - [https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html](https://stackless.readthedocs.io/en/v2.7.16-slp/library/commands.html)\n", - "text": "Untrusted input might be injected into a command executed by the application, which can lead to a command injection vulnerability. An attacker can execute arbitrary commands, potentially gaining complete control of the system. To prevent this vulnerability, avoid executing OS commands with user input. If this is unavoidable, validate and sanitize the input, and use safe methods for executing the commands." - }, - "helpUri": "https://semgrep.dev/r/python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda", - "id": "python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda", - "name": "python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", - "HIGH CONFIDENCE", - "OWASP-A01:2017 - Injection", - "OWASP-A03:2021 - Injection", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: python.aws-lambda.os.tainted-os-command-stdlib-aws-lambda.tainted-os-command-stdlib-aws-lambda" - } - }, - { - "defaultConfiguration": { - "level": "warning" - }, - "fullDescription": { - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "help": { - "markdown": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM).\n\nReferences:\n - [Semgrep Rule](https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header)\n - [https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html)\n", - "text": "A secret is hard-coded in the application. Secrets stored in source code, such as credentials, identifiers, and other types of sensitive data, can be leaked and used by internal or external malicious actors. Use environment variables to securely provide credentials and other secrets or retrieve them from a secure vault or Hardware Security Module (HSM)." - }, - "helpUri": "https://semgrep.dev/r/java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header", - "id": "java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header", - "name": "java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header", - "properties": { - "precision": "very-high", - "tags": [ - "CWE-798: Use of Hard-coded Credentials", - "HIGH CONFIDENCE", - "OWASP-A07:2021 - Identification and Authentication Failures", - "security" - ] - }, - "shortDescription": { - "text": "Semgrep Finding: java.lang.security.net.http.httprequest-hardcoded-secret-in-request-header.httprequest-hardcoded-secret-in-request-header" - } - } - ], - "semanticVersion": "1.74.0" - } - } - } - ], - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json" -} diff --git a/uv.lock b/uv.lock new file mode 100644 index 0000000..b227184 --- /dev/null +++ b/uv.lock @@ -0,0 +1,588 @@ +version = 1 +requires-python = ">=3.11" + +[[package]] +name = "boolean-py" +version = "4.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/a2/d9/b6e56a303d221fc0bdff2c775e4eef7fedd58194aa5a96fa89fb71634cc9/boolean.py-4.0.tar.gz", hash = "sha256:17b9a181630e43dde1851d42bef546d616d5d9b4480357514597e78b203d06e4", size = 34504 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/3f/02/6389ef0529af6da0b913374dedb9bbde8eabfe45767ceec38cc37801b0bd/boolean.py-4.0-py3-none-any.whl", hash = "sha256:2876f2051d7d6394a531d82dc6eb407faa0b01a0a0b3083817ccd7323b8d96bd", size = 25909 }, +] + +[[package]] +name = "cachecontrol" +version = "0.14.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "msgpack" }, + { name = "requests" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/d2/23/db12e0b6b241e33f77f7cce01a06b4cc6f8071728656cc0ea262d2a14dad/cachecontrol-0.14.1.tar.gz", hash = "sha256:06ef916a1e4eb7dba9948cdfc9c76e749db2e02104a9a1277e8b642591a0f717", size = 28928 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/f1/aa/481eb52af52aae093c61c181f2308779973ffd6f0f5f6c0881b2138f3087/cachecontrol-0.14.1-py3-none-any.whl", hash = "sha256:65e3abd62b06382ce3894df60dde9e0deb92aeb734724f68fa4f3b91e97206b9", size = 22085 }, +] + +[package.optional-dependencies] +filecache = [ + { name = "filelock" }, +] + +[[package]] +name = "certifi" +version = "2024.8.30" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/b0/ee/9b19140fe824b367c04c5e1b369942dd754c4c5462d5674002f75c4dedc1/certifi-2024.8.30.tar.gz", hash = "sha256:bec941d2aa8195e248a60b31ff9f0558284cf01a52591ceda73ea9afffd69fd9", size = 168507 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/12/90/3c9ff0512038035f59d279fddeb79f5f1eccd8859f06d6163c58798b9487/certifi-2024.8.30-py3-none-any.whl", hash = "sha256:922820b53db7a7257ffbda3f597266d435245903d80737e34f8a45ff3e3230d8", size = 167321 }, +] + +[[package]] +name = "charset-normalizer" +version = "3.4.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f2/4f/e1808dc01273379acc506d18f1504eb2d299bd4131743b9fc54d7be4df1e/charset_normalizer-3.4.0.tar.gz", hash = "sha256:223217c3d4f82c3ac5e29032b3f1c2eb0fb591b72161f86d93f5719079dae93e", size = 106620 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/9c/61/73589dcc7a719582bf56aae309b6103d2762b526bffe189d635a7fcfd998/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:0d99dd8ff461990f12d6e42c7347fd9ab2532fb70e9621ba520f9e8637161d7c", size = 193339 }, + { url = "https://files.pythonhosted.org/packages/77/d5/8c982d58144de49f59571f940e329ad6e8615e1e82ef84584c5eeb5e1d72/charset_normalizer-3.4.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:c57516e58fd17d03ebe67e181a4e4e2ccab1168f8c2976c6a334d4f819fe5944", size = 124366 }, + { url = "https://files.pythonhosted.org/packages/bf/19/411a64f01ee971bed3231111b69eb56f9331a769072de479eae7de52296d/charset_normalizer-3.4.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:6dba5d19c4dfab08e58d5b36304b3f92f3bd5d42c1a3fa37b5ba5cdf6dfcbcee", size = 118874 }, + { url = "https://files.pythonhosted.org/packages/4c/92/97509850f0d00e9f14a46bc751daabd0ad7765cff29cdfb66c68b6dad57f/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:bf4475b82be41b07cc5e5ff94810e6a01f276e37c2d55571e3fe175e467a1a1c", size = 138243 }, + { url = "https://files.pythonhosted.org/packages/e2/29/d227805bff72ed6d6cb1ce08eec707f7cfbd9868044893617eb331f16295/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ce031db0408e487fd2775d745ce30a7cd2923667cf3b69d48d219f1d8f5ddeb6", size = 148676 }, + { url = "https://files.pythonhosted.org/packages/13/bc/87c2c9f2c144bedfa62f894c3007cd4530ba4b5351acb10dc786428a50f0/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:8ff4e7cdfdb1ab5698e675ca622e72d58a6fa2a8aa58195de0c0061288e6e3ea", size = 141289 }, + { url = "https://files.pythonhosted.org/packages/eb/5b/6f10bad0f6461fa272bfbbdf5d0023b5fb9bc6217c92bf068fa5a99820f5/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3710a9751938947e6327ea9f3ea6332a09bf0ba0c09cae9cb1f250bd1f1549bc", size = 142585 }, + { url = "https://files.pythonhosted.org/packages/3b/a0/a68980ab8a1f45a36d9745d35049c1af57d27255eff8c907e3add84cf68f/charset_normalizer-3.4.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:82357d85de703176b5587dbe6ade8ff67f9f69a41c0733cf2425378b49954de5", size = 144408 }, + { url = "https://files.pythonhosted.org/packages/d7/a1/493919799446464ed0299c8eef3c3fad0daf1c3cd48bff9263c731b0d9e2/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:47334db71978b23ebcf3c0f9f5ee98b8d65992b65c9c4f2d34c2eaf5bcaf0594", size = 139076 }, + { url = "https://files.pythonhosted.org/packages/fb/9d/9c13753a5a6e0db4a0a6edb1cef7aee39859177b64e1a1e748a6e3ba62c2/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:8ce7fd6767a1cc5a92a639b391891bf1c268b03ec7e021c7d6d902285259685c", size = 146874 }, + { url = "https://files.pythonhosted.org/packages/75/d2/0ab54463d3410709c09266dfb416d032a08f97fd7d60e94b8c6ef54ae14b/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_ppc64le.whl", hash = "sha256:f1a2f519ae173b5b6a2c9d5fa3116ce16e48b3462c8b96dfdded11055e3d6365", size = 150871 }, + { url = "https://files.pythonhosted.org/packages/8d/c9/27e41d481557be53d51e60750b85aa40eaf52b841946b3cdeff363105737/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_s390x.whl", hash = "sha256:63bc5c4ae26e4bc6be6469943b8253c0fd4e4186c43ad46e713ea61a0ba49129", size = 148546 }, + { url = "https://files.pythonhosted.org/packages/ee/44/4f62042ca8cdc0cabf87c0fc00ae27cd8b53ab68be3605ba6d071f742ad3/charset_normalizer-3.4.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:bcb4f8ea87d03bc51ad04add8ceaf9b0f085ac045ab4d74e73bbc2dc033f0236", size = 143048 }, + { url = "https://files.pythonhosted.org/packages/01/f8/38842422988b795220eb8038745d27a675ce066e2ada79516c118f291f07/charset_normalizer-3.4.0-cp311-cp311-win32.whl", hash = "sha256:9ae4ef0b3f6b41bad6366fb0ea4fc1d7ed051528e113a60fa2a65a9abb5b1d99", size = 94389 }, + { url = "https://files.pythonhosted.org/packages/0b/6e/b13bd47fa9023b3699e94abf565b5a2f0b0be6e9ddac9812182596ee62e4/charset_normalizer-3.4.0-cp311-cp311-win_amd64.whl", hash = "sha256:cee4373f4d3ad28f1ab6290684d8e2ebdb9e7a1b74fdc39e4c211995f77bec27", size = 101752 }, + { url = "https://files.pythonhosted.org/packages/d3/0b/4b7a70987abf9b8196845806198975b6aab4ce016632f817ad758a5aa056/charset_normalizer-3.4.0-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:0713f3adb9d03d49d365b70b84775d0a0d18e4ab08d12bc46baa6132ba78aaf6", size = 194445 }, + { url = "https://files.pythonhosted.org/packages/50/89/354cc56cf4dd2449715bc9a0f54f3aef3dc700d2d62d1fa5bbea53b13426/charset_normalizer-3.4.0-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:de7376c29d95d6719048c194a9cf1a1b0393fbe8488a22008610b0361d834ecf", size = 125275 }, + { url = "https://files.pythonhosted.org/packages/fa/44/b730e2a2580110ced837ac083d8ad222343c96bb6b66e9e4e706e4d0b6df/charset_normalizer-3.4.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:4a51b48f42d9358460b78725283f04bddaf44a9358197b889657deba38f329db", size = 119020 }, + { url = "https://files.pythonhosted.org/packages/9d/e4/9263b8240ed9472a2ae7ddc3e516e71ef46617fe40eaa51221ccd4ad9a27/charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:b295729485b06c1a0683af02a9e42d2caa9db04a373dc38a6a58cdd1e8abddf1", size = 139128 }, + { url = "https://files.pythonhosted.org/packages/6b/e3/9f73e779315a54334240353eaea75854a9a690f3f580e4bd85d977cb2204/charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:ee803480535c44e7f5ad00788526da7d85525cfefaf8acf8ab9a310000be4b03", size = 149277 }, + { url = "https://files.pythonhosted.org/packages/1a/cf/f1f50c2f295312edb8a548d3fa56a5c923b146cd3f24114d5adb7e7be558/charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:3d59d125ffbd6d552765510e3f31ed75ebac2c7470c7274195b9161a32350284", size = 142174 }, + { url = "https://files.pythonhosted.org/packages/16/92/92a76dc2ff3a12e69ba94e7e05168d37d0345fa08c87e1fe24d0c2a42223/charset_normalizer-3.4.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:8cda06946eac330cbe6598f77bb54e690b4ca93f593dee1568ad22b04f347c15", size = 143838 }, + { url = "https://files.pythonhosted.org/packages/a4/01/2117ff2b1dfc61695daf2babe4a874bca328489afa85952440b59819e9d7/charset_normalizer-3.4.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:07afec21bbbbf8a5cc3651aa96b980afe2526e7f048fdfb7f1014d84acc8b6d8", size = 146149 }, + { url = "https://files.pythonhosted.org/packages/f6/9b/93a332b8d25b347f6839ca0a61b7f0287b0930216994e8bf67a75d050255/charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:6b40e8d38afe634559e398cc32b1472f376a4099c75fe6299ae607e404c033b2", size = 140043 }, + { url = "https://files.pythonhosted.org/packages/ab/f6/7ac4a01adcdecbc7a7587767c776d53d369b8b971382b91211489535acf0/charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:b8dcd239c743aa2f9c22ce674a145e0a25cb1566c495928440a181ca1ccf6719", size = 148229 }, + { url = "https://files.pythonhosted.org/packages/9d/be/5708ad18161dee7dc6a0f7e6cf3a88ea6279c3e8484844c0590e50e803ef/charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_ppc64le.whl", hash = "sha256:84450ba661fb96e9fd67629b93d2941c871ca86fc38d835d19d4225ff946a631", size = 151556 }, + { url = "https://files.pythonhosted.org/packages/5a/bb/3d8bc22bacb9eb89785e83e6723f9888265f3a0de3b9ce724d66bd49884e/charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_s390x.whl", hash = "sha256:44aeb140295a2f0659e113b31cfe92c9061622cadbc9e2a2f7b8ef6b1e29ef4b", size = 149772 }, + { url = "https://files.pythonhosted.org/packages/f7/fa/d3fc622de05a86f30beea5fc4e9ac46aead4731e73fd9055496732bcc0a4/charset_normalizer-3.4.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:1db4e7fefefd0f548d73e2e2e041f9df5c59e178b4c72fbac4cc6f535cfb1565", size = 144800 }, + { url = "https://files.pythonhosted.org/packages/9a/65/bdb9bc496d7d190d725e96816e20e2ae3a6fa42a5cac99c3c3d6ff884118/charset_normalizer-3.4.0-cp312-cp312-win32.whl", hash = "sha256:5726cf76c982532c1863fb64d8c6dd0e4c90b6ece9feb06c9f202417a31f7dd7", size = 94836 }, + { url = "https://files.pythonhosted.org/packages/3e/67/7b72b69d25b89c0b3cea583ee372c43aa24df15f0e0f8d3982c57804984b/charset_normalizer-3.4.0-cp312-cp312-win_amd64.whl", hash = "sha256:b197e7094f232959f8f20541ead1d9862ac5ebea1d58e9849c1bf979255dfac9", size = 102187 }, + { url = "https://files.pythonhosted.org/packages/f3/89/68a4c86f1a0002810a27f12e9a7b22feb198c59b2f05231349fbce5c06f4/charset_normalizer-3.4.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:dd4eda173a9fcccb5f2e2bd2a9f423d180194b1bf17cf59e3269899235b2a114", size = 194617 }, + { url = "https://files.pythonhosted.org/packages/4f/cd/8947fe425e2ab0aa57aceb7807af13a0e4162cd21eee42ef5b053447edf5/charset_normalizer-3.4.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:e9e3c4c9e1ed40ea53acf11e2a386383c3304212c965773704e4603d589343ed", size = 125310 }, + { url = "https://files.pythonhosted.org/packages/5b/f0/b5263e8668a4ee9becc2b451ed909e9c27058337fda5b8c49588183c267a/charset_normalizer-3.4.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:92a7e36b000bf022ef3dbb9c46bfe2d52c047d5e3f3343f43204263c5addc250", size = 119126 }, + { url = "https://files.pythonhosted.org/packages/ff/6e/e445afe4f7fda27a533f3234b627b3e515a1b9429bc981c9a5e2aa5d97b6/charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:54b6a92d009cbe2fb11054ba694bc9e284dad30a26757b1e372a1fdddaf21920", size = 139342 }, + { url = "https://files.pythonhosted.org/packages/a1/b2/4af9993b532d93270538ad4926c8e37dc29f2111c36f9c629840c57cd9b3/charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:1ffd9493de4c922f2a38c2bf62b831dcec90ac673ed1ca182fe11b4d8e9f2a64", size = 149383 }, + { url = "https://files.pythonhosted.org/packages/fb/6f/4e78c3b97686b871db9be6f31d64e9264e889f8c9d7ab33c771f847f79b7/charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:35c404d74c2926d0287fbd63ed5d27eb911eb9e4a3bb2c6d294f3cfd4a9e0c23", size = 142214 }, + { url = "https://files.pythonhosted.org/packages/2b/c9/1c8fe3ce05d30c87eff498592c89015b19fade13df42850aafae09e94f35/charset_normalizer-3.4.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:4796efc4faf6b53a18e3d46343535caed491776a22af773f366534056c4e1fbc", size = 144104 }, + { url = "https://files.pythonhosted.org/packages/ee/68/efad5dcb306bf37db7db338338e7bb8ebd8cf38ee5bbd5ceaaaa46f257e6/charset_normalizer-3.4.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e7fdd52961feb4c96507aa649550ec2a0d527c086d284749b2f582f2d40a2e0d", size = 146255 }, + { url = "https://files.pythonhosted.org/packages/0c/75/1ed813c3ffd200b1f3e71121c95da3f79e6d2a96120163443b3ad1057505/charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:92db3c28b5b2a273346bebb24857fda45601aef6ae1c011c0a997106581e8a88", size = 140251 }, + { url = "https://files.pythonhosted.org/packages/7d/0d/6f32255c1979653b448d3c709583557a4d24ff97ac4f3a5be156b2e6a210/charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:ab973df98fc99ab39080bfb0eb3a925181454d7c3ac8a1e695fddfae696d9e90", size = 148474 }, + { url = "https://files.pythonhosted.org/packages/ac/a0/c1b5298de4670d997101fef95b97ac440e8c8d8b4efa5a4d1ef44af82f0d/charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_ppc64le.whl", hash = "sha256:4b67fdab07fdd3c10bb21edab3cbfe8cf5696f453afce75d815d9d7223fbe88b", size = 151849 }, + { url = "https://files.pythonhosted.org/packages/04/4f/b3961ba0c664989ba63e30595a3ed0875d6790ff26671e2aae2fdc28a399/charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_s390x.whl", hash = "sha256:aa41e526a5d4a9dfcfbab0716c7e8a1b215abd3f3df5a45cf18a12721d31cb5d", size = 149781 }, + { url = "https://files.pythonhosted.org/packages/d8/90/6af4cd042066a4adad58ae25648a12c09c879efa4849c705719ba1b23d8c/charset_normalizer-3.4.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:ffc519621dce0c767e96b9c53f09c5d215578e10b02c285809f76509a3931482", size = 144970 }, + { url = "https://files.pythonhosted.org/packages/cc/67/e5e7e0cbfefc4ca79025238b43cdf8a2037854195b37d6417f3d0895c4c2/charset_normalizer-3.4.0-cp313-cp313-win32.whl", hash = "sha256:f19c1585933c82098c2a520f8ec1227f20e339e33aca8fa6f956f6691b784e67", size = 94973 }, + { url = "https://files.pythonhosted.org/packages/65/97/fc9bbc54ee13d33dc54a7fcf17b26368b18505500fc01e228c27b5222d80/charset_normalizer-3.4.0-cp313-cp313-win_amd64.whl", hash = "sha256:707b82d19e65c9bd28b81dde95249b07bf9f5b90ebe1ef17d9b57473f8a64b7b", size = 102308 }, + { url = "https://files.pythonhosted.org/packages/bf/9b/08c0432272d77b04803958a4598a51e2a4b51c06640af8b8f0f908c18bf2/charset_normalizer-3.4.0-py3-none-any.whl", hash = "sha256:fe9f97feb71aa9896b81973a7bbada8c49501dc73e58a10fcef6663af95e5079", size = 49446 }, +] + +[[package]] +name = "colorama" +version = "0.4.6" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d8/53/6f443c9a4a8358a93a6792e2acffb9d9d5cb0a5cfd8802644b7b1c9a02e4/colorama-0.4.6.tar.gz", hash = "sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44", size = 27697 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/d1/d6/3965ed04c63042e047cb6a3e6ed1a63a35087b6a609aa3a15ed8ac56c221/colorama-0.4.6-py2.py3-none-any.whl", hash = "sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6", size = 25335 }, +] + +[[package]] +name = "coverage" +version = "7.6.9" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/5b/d2/c25011f4d036cf7e8acbbee07a8e09e9018390aee25ba085596c4b83d510/coverage-7.6.9.tar.gz", hash = "sha256:4a8d8977b0c6ef5aeadcb644da9e69ae0dcfe66ec7f368c89c72e058bd71164d", size = 801710 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b1/91/b3dc2f7f38b5cca1236ab6bbb03e84046dd887707b4ec1db2baa47493b3b/coverage-7.6.9-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:932fc826442132dde42ee52cf66d941f581c685a6313feebed358411238f60f9", size = 207133 }, + { url = "https://files.pythonhosted.org/packages/0d/2b/53fd6cb34d443429a92b3ec737f4953627e38b3bee2a67a3c03425ba8573/coverage-7.6.9-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:085161be5f3b30fd9b3e7b9a8c301f935c8313dcf928a07b116324abea2c1c2c", size = 207577 }, + { url = "https://files.pythonhosted.org/packages/74/f2/68edb1e6826f980a124f21ea5be0d324180bf11de6fd1defcf9604f76df0/coverage-7.6.9-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ccc660a77e1c2bf24ddbce969af9447a9474790160cfb23de6be4fa88e3951c7", size = 239524 }, + { url = "https://files.pythonhosted.org/packages/d3/83/8fec0ee68c2c4a5ab5f0f8527277f84ed6f2bd1310ae8a19d0c5532253ab/coverage-7.6.9-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c69e42c892c018cd3c8d90da61d845f50a8243062b19d228189b0224150018a9", size = 236925 }, + { url = "https://files.pythonhosted.org/packages/8b/20/8f50e7c7ad271144afbc2c1c6ec5541a8c81773f59352f8db544cad1a0ec/coverage-7.6.9-cp311-cp311-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0824a28ec542a0be22f60c6ac36d679e0e262e5353203bea81d44ee81fe9c6d4", size = 238792 }, + { url = "https://files.pythonhosted.org/packages/6f/62/4ac2e5ad9e7a5c9ec351f38947528e11541f1f00e8a0cdce56f1ba7ae301/coverage-7.6.9-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:4401ae5fc52ad8d26d2a5d8a7428b0f0c72431683f8e63e42e70606374c311a1", size = 237682 }, + { url = "https://files.pythonhosted.org/packages/58/2f/9d2203f012f3b0533c73336c74134b608742be1ce475a5c72012573cfbb4/coverage-7.6.9-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:98caba4476a6c8d59ec1eb00c7dd862ba9beca34085642d46ed503cc2d440d4b", size = 236310 }, + { url = "https://files.pythonhosted.org/packages/33/6d/31f6ab0b4f0f781636075f757eb02141ea1b34466d9d1526dbc586ed7078/coverage-7.6.9-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:ee5defd1733fd6ec08b168bd4f5387d5b322f45ca9e0e6c817ea6c4cd36313e3", size = 237096 }, + { url = "https://files.pythonhosted.org/packages/7d/fb/e14c38adebbda9ed8b5f7f8e03340ac05d68d27b24397f8d47478927a333/coverage-7.6.9-cp311-cp311-win32.whl", hash = "sha256:f2d1ec60d6d256bdf298cb86b78dd715980828f50c46701abc3b0a2b3f8a0dc0", size = 209682 }, + { url = "https://files.pythonhosted.org/packages/a4/11/a782af39b019066af83fdc0e8825faaccbe9d7b19a803ddb753114b429cc/coverage-7.6.9-cp311-cp311-win_amd64.whl", hash = "sha256:0d59fd927b1f04de57a2ba0137166d31c1a6dd9e764ad4af552912d70428c92b", size = 210542 }, + { url = "https://files.pythonhosted.org/packages/60/52/b16af8989a2daf0f80a88522bd8e8eed90b5fcbdecf02a6888f3e80f6ba7/coverage-7.6.9-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:99e266ae0b5d15f1ca8d278a668df6f51cc4b854513daab5cae695ed7b721cf8", size = 207325 }, + { url = "https://files.pythonhosted.org/packages/0f/79/6b7826fca8846c1216a113227b9f114ac3e6eacf168b4adcad0cb974aaca/coverage-7.6.9-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:9901d36492009a0a9b94b20e52ebfc8453bf49bb2b27bca2c9706f8b4f5a554a", size = 207563 }, + { url = "https://files.pythonhosted.org/packages/a7/07/0bc73da0ccaf45d0d64ef86d33b7d7fdeef84b4c44bf6b85fb12c215c5a6/coverage-7.6.9-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:abd3e72dd5b97e3af4246cdada7738ef0e608168de952b837b8dd7e90341f015", size = 240580 }, + { url = "https://files.pythonhosted.org/packages/71/8a/9761f409910961647d892454687cedbaccb99aae828f49486734a82ede6e/coverage-7.6.9-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:ff74026a461eb0660366fb01c650c1d00f833a086b336bdad7ab00cc952072b3", size = 237613 }, + { url = "https://files.pythonhosted.org/packages/8b/10/ee7d696a17ac94f32f2dbda1e17e730bf798ae9931aec1fc01c1944cd4de/coverage-7.6.9-cp312-cp312-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:65dad5a248823a4996724a88eb51d4b31587aa7aa428562dbe459c684e5787ae", size = 239684 }, + { url = "https://files.pythonhosted.org/packages/16/60/aa1066040d3c52fff051243c2d6ccda264da72dc6d199d047624d395b2b2/coverage-7.6.9-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:22be16571504c9ccea919fcedb459d5ab20d41172056206eb2994e2ff06118a4", size = 239112 }, + { url = "https://files.pythonhosted.org/packages/4e/e5/69f35344c6f932ba9028bf168d14a79fedb0dd4849b796d43c81ce75a3c9/coverage-7.6.9-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:0f957943bc718b87144ecaee70762bc2bc3f1a7a53c7b861103546d3a403f0a6", size = 237428 }, + { url = "https://files.pythonhosted.org/packages/32/20/adc895523c4a28f63441b8ac645abd74f9bdd499d2d175bef5b41fc7f92d/coverage-7.6.9-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:0ae1387db4aecb1f485fb70a6c0148c6cdaebb6038f1d40089b1fc84a5db556f", size = 239098 }, + { url = "https://files.pythonhosted.org/packages/a9/a6/e0e74230c9bb3549ec8ffc137cfd16ea5d56e993d6bffed2218bff6187e3/coverage-7.6.9-cp312-cp312-win32.whl", hash = "sha256:1a330812d9cc7ac2182586f6d41b4d0fadf9be9049f350e0efb275c8ee8eb692", size = 209940 }, + { url = "https://files.pythonhosted.org/packages/3e/18/cb5b88349d4aa2f41ec78d65f92ea32572b30b3f55bc2b70e87578b8f434/coverage-7.6.9-cp312-cp312-win_amd64.whl", hash = "sha256:b12c6b18269ca471eedd41c1b6a1065b2f7827508edb9a7ed5555e9a56dcfc97", size = 210726 }, + { url = "https://files.pythonhosted.org/packages/35/26/9abab6539d2191dbda2ce8c97b67d74cbfc966cc5b25abb880ffc7c459bc/coverage-7.6.9-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:899b8cd4781c400454f2f64f7776a5d87bbd7b3e7f7bda0cb18f857bb1334664", size = 207356 }, + { url = "https://files.pythonhosted.org/packages/44/da/d49f19402240c93453f606e660a6676a2a1fbbaa6870cc23207790aa9697/coverage-7.6.9-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:61f70dc68bd36810972e55bbbe83674ea073dd1dcc121040a08cdf3416c5349c", size = 207614 }, + { url = "https://files.pythonhosted.org/packages/da/e6/93bb9bf85497816082ec8da6124c25efa2052bd4c887dd3b317b91990c9e/coverage-7.6.9-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8a289d23d4c46f1a82d5db4abeb40b9b5be91731ee19a379d15790e53031c014", size = 240129 }, + { url = "https://files.pythonhosted.org/packages/df/65/6a824b9406fe066835c1274a9949e06f084d3e605eb1a602727a27ec2fe3/coverage-7.6.9-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:7e216d8044a356fc0337c7a2a0536d6de07888d7bcda76febcb8adc50bdbbd00", size = 237276 }, + { url = "https://files.pythonhosted.org/packages/9f/79/6c7a800913a9dd23ac8c8da133ebb556771a5a3d4df36b46767b1baffd35/coverage-7.6.9-cp313-cp313-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:3c026eb44f744acaa2bda7493dad903aa5bf5fc4f2554293a798d5606710055d", size = 239267 }, + { url = "https://files.pythonhosted.org/packages/57/e7/834d530293fdc8a63ba8ff70033d5182022e569eceb9aec7fc716b678a39/coverage-7.6.9-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:e77363e8425325384f9d49272c54045bbed2f478e9dd698dbc65dbc37860eb0a", size = 238887 }, + { url = "https://files.pythonhosted.org/packages/15/05/ec9d6080852984f7163c96984444e7cd98b338fd045b191064f943ee1c08/coverage-7.6.9-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:777abfab476cf83b5177b84d7486497e034eb9eaea0d746ce0c1268c71652077", size = 236970 }, + { url = "https://files.pythonhosted.org/packages/0a/d8/775937670b93156aec29f694ce37f56214ed7597e1a75b4083ee4c32121c/coverage-7.6.9-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:447af20e25fdbe16f26e84eb714ba21d98868705cb138252d28bc400381f6ffb", size = 238831 }, + { url = "https://files.pythonhosted.org/packages/f4/58/88551cb7fdd5ec98cb6044e8814e38583436b14040a5ece15349c44c8f7c/coverage-7.6.9-cp313-cp313-win32.whl", hash = "sha256:d872ec5aeb086cbea771c573600d47944eea2dcba8be5f3ee649bfe3cb8dc9ba", size = 210000 }, + { url = "https://files.pythonhosted.org/packages/b7/12/cfbf49b95120872785ff8d56ab1c7fe3970a65e35010c311d7dd35c5fd00/coverage-7.6.9-cp313-cp313-win_amd64.whl", hash = "sha256:fd1213c86e48dfdc5a0cc676551db467495a95a662d2396ecd58e719191446e1", size = 210753 }, + { url = "https://files.pythonhosted.org/packages/7c/68/c1cb31445599b04bde21cbbaa6d21b47c5823cdfef99eae470dfce49c35a/coverage-7.6.9-cp313-cp313t-macosx_10_13_x86_64.whl", hash = "sha256:ba9e7484d286cd5a43744e5f47b0b3fb457865baf07bafc6bee91896364e1419", size = 208091 }, + { url = "https://files.pythonhosted.org/packages/11/73/84b02c6b19c4a11eb2d5b5eabe926fb26c21c080e0852f5e5a4f01165f9e/coverage-7.6.9-cp313-cp313t-macosx_11_0_arm64.whl", hash = "sha256:e5ea1cf0872ee455c03e5674b5bca5e3e68e159379c1af0903e89f5eba9ccc3a", size = 208369 }, + { url = "https://files.pythonhosted.org/packages/de/e0/ae5d878b72ff26df2e994a5c5b1c1f6a7507d976b23beecb1ed4c85411ef/coverage-7.6.9-cp313-cp313t-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:2d10e07aa2b91835d6abec555ec8b2733347956991901eea6ffac295f83a30e4", size = 251089 }, + { url = "https://files.pythonhosted.org/packages/ab/9c/0aaac011aef95a93ef3cb2fba3fde30bc7e68a6635199ed469b1f5ea355a/coverage-7.6.9-cp313-cp313t-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:13a9e2d3ee855db3dd6ea1ba5203316a1b1fd8eaeffc37c5b54987e61e4194ae", size = 246806 }, + { url = "https://files.pythonhosted.org/packages/f8/19/4d5d3ae66938a7dcb2f58cef3fa5386f838f469575b0bb568c8cc9e3a33d/coverage-7.6.9-cp313-cp313t-manylinux_2_5_x86_64.manylinux1_x86_64.manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9c38bf15a40ccf5619fa2fe8f26106c7e8e080d7760aeccb3722664c8656b030", size = 249164 }, + { url = "https://files.pythonhosted.org/packages/b3/0b/4ee8a7821f682af9ad440ae3c1e379da89a998883271f088102d7ca2473d/coverage-7.6.9-cp313-cp313t-musllinux_1_2_aarch64.whl", hash = "sha256:d5275455b3e4627c8e7154feaf7ee0743c2e7af82f6e3b561967b1cca755a0be", size = 248642 }, + { url = "https://files.pythonhosted.org/packages/8a/12/36ff1d52be18a16b4700f561852e7afd8df56363a5edcfb04cf26a0e19e0/coverage-7.6.9-cp313-cp313t-musllinux_1_2_i686.whl", hash = "sha256:8f8770dfc6e2c6a2d4569f411015c8d751c980d17a14b0530da2d7f27ffdd88e", size = 246516 }, + { url = "https://files.pythonhosted.org/packages/43/d0/8e258f6c3a527c1655602f4f576215e055ac704de2d101710a71a2affac2/coverage-7.6.9-cp313-cp313t-musllinux_1_2_x86_64.whl", hash = "sha256:8d2dfa71665a29b153a9681edb1c8d9c1ea50dfc2375fb4dac99ea7e21a0bcd9", size = 247783 }, + { url = "https://files.pythonhosted.org/packages/a9/0d/1e4a48d289429d38aae3babdfcadbf35ca36bdcf3efc8f09b550a845bdb5/coverage-7.6.9-cp313-cp313t-win32.whl", hash = "sha256:5e6b86b5847a016d0fbd31ffe1001b63355ed309651851295315031ea7eb5a9b", size = 210646 }, + { url = "https://files.pythonhosted.org/packages/26/74/b0729f196f328ac55e42b1e22ec2f16d8bcafe4b8158a26ec9f1cdd1d93e/coverage-7.6.9-cp313-cp313t-win_amd64.whl", hash = "sha256:97ddc94d46088304772d21b060041c97fc16bdda13c6c7f9d8fcd8d5ae0d8611", size = 211815 }, +] + +[package.optional-dependencies] +toml = [ + { name = "tomli", marker = "python_full_version <= '3.11'" }, +] + +[[package]] +name = "coverage-badge" +version = "1.1.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "coverage" }, + { name = "setuptools" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/be/8f/e92b0a010c76b0da82709838b3f3ae9aec638d0c44dbfb1186a5751f5d2e/coverage_badge-1.1.2.tar.gz", hash = "sha256:fe7ed58a3b72dad85a553b64a99e963dea3847dcd0b8ddd2b38a00333618642c", size = 6335 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/90/3d/5642a1a06191b2e1e0f87a2e824e6d3eb7c32c589a68ed4d1dcbd3324d63/coverage_badge-1.1.2-py2.py3-none-any.whl", hash = "sha256:d8413ce51c91043a1692b943616b450868cbeeb0ea6a0c54a32f8318c9c96ff7", size = 6493 }, +] + +[[package]] +name = "cyclonedx-python-lib" +version = "7.6.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "license-expression" }, + { name = "packageurl-python" }, + { name = "py-serializable" }, + { name = "sortedcontainers" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/36/8f/a2de02ce7263312b51cb3946593b608ef996949295b69b31a9ed0e71ec92/cyclonedx_python_lib-7.6.2.tar.gz", hash = "sha256:31186c5725ac0cfcca433759a407b1424686cdc867b47cc86e6cf83691310903", size = 1124315 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/cf/27/9ec1959eb4c23bdbec690f17a64562e664746762c0b8becf3ec2e95579d7/cyclonedx_python_lib-7.6.2-py3-none-any.whl", hash = "sha256:c42fab352cc0f7418d1b30def6751d9067ebcf0e8e4be210fc14d6e742a9edcc", size = 361381 }, +] + +[[package]] +name = "defusedxml" +version = "0.7.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/0f/d5/c66da9b79e5bdb124974bfe172b4daf3c984ebd9c2a06e2b8a4dc7331c72/defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69", size = 75520 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/07/6c/aa3f2f849e01cb6a001cd8554a88d4c77c5c1a31c95bdf1cf9301e6d9ef4/defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61", size = 25604 }, +] + +[[package]] +name = "filelock" +version = "3.16.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/9d/db/3ef5bb276dae18d6ec2124224403d1d67bccdbefc17af4cc8f553e341ab1/filelock-3.16.1.tar.gz", hash = "sha256:c249fbfcd5db47e5e2d6d62198e565475ee65e4831e2561c8e313fa7eb961435", size = 18037 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b9/f8/feced7779d755758a52d1f6635d990b8d98dc0a29fa568bbe0625f18fdf3/filelock-3.16.1-py3-none-any.whl", hash = "sha256:2082e5703d51fbf98ea75855d9d5527e33d8ff23099bec374a134febee6946b0", size = 16163 }, +] + +[[package]] +name = "html5lib" +version = "1.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "six" }, + { name = "webencodings" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/ac/b6/b55c3f49042f1df3dcd422b7f224f939892ee94f22abcf503a9b7339eaf2/html5lib-1.1.tar.gz", hash = "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f", size = 272215 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/6c/dd/a834df6482147d48e225a49515aabc28974ad5a4ca3215c18a882565b028/html5lib-1.1-py2.py3-none-any.whl", hash = "sha256:0d78f8fde1c230e99fe37986a60526d7049ed4bf8a9fadbad5f00e22e58e041d", size = 112173 }, +] + +[[package]] +name = "idna" +version = "3.10" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f1/70/7703c29685631f5a7590aa73f1f1d3fa9a380e654b86af429e0934a32f7d/idna-3.10.tar.gz", hash = "sha256:12f65c9b470abda6dc35cf8e63cc574b1c52b11df2c86030af0ac09b01b13ea9", size = 190490 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/76/c6/c88e154df9c4e1a2a66ccf0005a88dfb2650c1dffb6f5ce603dfbd452ce3/idna-3.10-py3-none-any.whl", hash = "sha256:946d195a0d259cbba61165e88e65941f16e9b36ea6ddb97f00452bae8b1287d3", size = 70442 }, +] + +[[package]] +name = "iniconfig" +version = "2.0.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d7/4b/cbd8e699e64a6f16ca3a8220661b5f83792b3017d0f79807cb8708d33913/iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3", size = 4646 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ef/a6/62565a6e1cf69e10f5727360368e451d4b7f58beeac6173dc9db836a5b46/iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374", size = 5892 }, +] + +[[package]] +name = "license-expression" +version = "30.4.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "boolean-py" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/c7/97/df5570fe2f1046bb5f6eeed55815ef11e371e9310d53bd94ec8efe4173f4/license_expression-30.4.0.tar.gz", hash = "sha256:6464397f8ed4353cc778999caec43b099f8d8d5b335f282e26a9eb9435522f05", size = 176230 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/fc/f8/5699e6d6ea5156d53059ff07464b5d64389b084f67cb08ec97c711e587fc/license_expression-30.4.0-py3-none-any.whl", hash = "sha256:7c8f240c6e20d759cb8455e49cb44a923d9e25c436bf48d7e5b8eea660782c04", size = 110571 }, +] + +[[package]] +name = "markdown-it-py" +version = "3.0.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "mdurl" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/38/71/3b932df36c1a044d397a1f92d1cf91ee0a503d91e470cbd670aa66b07ed0/markdown-it-py-3.0.0.tar.gz", hash = "sha256:e3f60a94fa066dc52ec76661e37c851cb232d92f9886b15cb560aaada2df8feb", size = 74596 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/42/d7/1ec15b46af6af88f19b8e5ffea08fa375d433c998b8a7639e76935c14f1f/markdown_it_py-3.0.0-py3-none-any.whl", hash = "sha256:355216845c60bd96232cd8d8c40e8f9765cc86f46880e43a8fd22dc1a1a8cab1", size = 87528 }, +] + +[[package]] +name = "mdurl" +version = "0.1.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d6/54/cfe61301667036ec958cb99bd3efefba235e65cdeb9c84d24a8293ba1d90/mdurl-0.1.2.tar.gz", hash = "sha256:bb413d29f5eea38f31dd4754dd7377d4465116fb207585f97bf925588687c1ba", size = 8729 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b3/38/89ba8ad64ae25be8de66a6d463314cf1eb366222074cfda9ee839c56a4b4/mdurl-0.1.2-py3-none-any.whl", hash = "sha256:84008a41e51615a49fc9966191ff91509e3c40b939176e643fd50a5c2196b8f8", size = 9979 }, +] + +[[package]] +name = "msgpack" +version = "1.1.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/cb/d0/7555686ae7ff5731205df1012ede15dd9d927f6227ea151e901c7406af4f/msgpack-1.1.0.tar.gz", hash = "sha256:dd432ccc2c72b914e4cb77afce64aab761c1137cc698be3984eee260bcb2896e", size = 167260 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b7/5e/a4c7154ba65d93be91f2f1e55f90e76c5f91ccadc7efc4341e6f04c8647f/msgpack-1.1.0-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:3d364a55082fb2a7416f6c63ae383fbd903adb5a6cf78c5b96cc6316dc1cedc7", size = 150803 }, + { url = "https://files.pythonhosted.org/packages/60/c2/687684164698f1d51c41778c838d854965dd284a4b9d3a44beba9265c931/msgpack-1.1.0-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:79ec007767b9b56860e0372085f8504db5d06bd6a327a335449508bbee9648fa", size = 84343 }, + { url = "https://files.pythonhosted.org/packages/42/ae/d3adea9bb4a1342763556078b5765e666f8fdf242e00f3f6657380920972/msgpack-1.1.0-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:6ad622bf7756d5a497d5b6836e7fc3752e2dd6f4c648e24b1803f6048596f701", size = 81408 }, + { url = "https://files.pythonhosted.org/packages/dc/17/6313325a6ff40ce9c3207293aee3ba50104aed6c2c1559d20d09e5c1ff54/msgpack-1.1.0-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:8e59bca908d9ca0de3dc8684f21ebf9a690fe47b6be93236eb40b99af28b6ea6", size = 396096 }, + { url = "https://files.pythonhosted.org/packages/a8/a1/ad7b84b91ab5a324e707f4c9761633e357820b011a01e34ce658c1dda7cc/msgpack-1.1.0-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:5e1da8f11a3dd397f0a32c76165cf0c4eb95b31013a94f6ecc0b280c05c91b59", size = 403671 }, + { url = "https://files.pythonhosted.org/packages/bb/0b/fd5b7c0b308bbf1831df0ca04ec76fe2f5bf6319833646b0a4bd5e9dc76d/msgpack-1.1.0-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:452aff037287acb1d70a804ffd022b21fa2bb7c46bee884dbc864cc9024128a0", size = 387414 }, + { url = "https://files.pythonhosted.org/packages/f0/03/ff8233b7c6e9929a1f5da3c7860eccd847e2523ca2de0d8ef4878d354cfa/msgpack-1.1.0-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:8da4bf6d54ceed70e8861f833f83ce0814a2b72102e890cbdfe4b34764cdd66e", size = 383759 }, + { url = "https://files.pythonhosted.org/packages/1f/1b/eb82e1fed5a16dddd9bc75f0854b6e2fe86c0259c4353666d7fab37d39f4/msgpack-1.1.0-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:41c991beebf175faf352fb940bf2af9ad1fb77fd25f38d9142053914947cdbf6", size = 394405 }, + { url = "https://files.pythonhosted.org/packages/90/2e/962c6004e373d54ecf33d695fb1402f99b51832631e37c49273cc564ffc5/msgpack-1.1.0-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:a52a1f3a5af7ba1c9ace055b659189f6c669cf3657095b50f9602af3a3ba0fe5", size = 396041 }, + { url = "https://files.pythonhosted.org/packages/f8/20/6e03342f629474414860c48aeffcc2f7f50ddaf351d95f20c3f1c67399a8/msgpack-1.1.0-cp311-cp311-win32.whl", hash = "sha256:58638690ebd0a06427c5fe1a227bb6b8b9fdc2bd07701bec13c2335c82131a88", size = 68538 }, + { url = "https://files.pythonhosted.org/packages/aa/c4/5a582fc9a87991a3e6f6800e9bb2f3c82972912235eb9539954f3e9997c7/msgpack-1.1.0-cp311-cp311-win_amd64.whl", hash = "sha256:fd2906780f25c8ed5d7b323379f6138524ba793428db5d0e9d226d3fa6aa1788", size = 74871 }, + { url = "https://files.pythonhosted.org/packages/e1/d6/716b7ca1dbde63290d2973d22bbef1b5032ca634c3ff4384a958ec3f093a/msgpack-1.1.0-cp312-cp312-macosx_10_9_universal2.whl", hash = "sha256:d46cf9e3705ea9485687aa4001a76e44748b609d260af21c4ceea7f2212a501d", size = 152421 }, + { url = "https://files.pythonhosted.org/packages/70/da/5312b067f6773429cec2f8f08b021c06af416bba340c912c2ec778539ed6/msgpack-1.1.0-cp312-cp312-macosx_10_9_x86_64.whl", hash = "sha256:5dbad74103df937e1325cc4bfeaf57713be0b4f15e1c2da43ccdd836393e2ea2", size = 85277 }, + { url = "https://files.pythonhosted.org/packages/28/51/da7f3ae4462e8bb98af0d5bdf2707f1b8c65a0d4f496e46b6afb06cbc286/msgpack-1.1.0-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:58dfc47f8b102da61e8949708b3eafc3504509a5728f8b4ddef84bd9e16ad420", size = 82222 }, + { url = "https://files.pythonhosted.org/packages/33/af/dc95c4b2a49cff17ce47611ca9ba218198806cad7796c0b01d1e332c86bb/msgpack-1.1.0-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4676e5be1b472909b2ee6356ff425ebedf5142427842aa06b4dfd5117d1ca8a2", size = 392971 }, + { url = "https://files.pythonhosted.org/packages/f1/54/65af8de681fa8255402c80eda2a501ba467921d5a7a028c9c22a2c2eedb5/msgpack-1.1.0-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:17fb65dd0bec285907f68b15734a993ad3fc94332b5bb21b0435846228de1f39", size = 401403 }, + { url = "https://files.pythonhosted.org/packages/97/8c/e333690777bd33919ab7024269dc3c41c76ef5137b211d776fbb404bfead/msgpack-1.1.0-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:a51abd48c6d8ac89e0cfd4fe177c61481aca2d5e7ba42044fd218cfd8ea9899f", size = 385356 }, + { url = "https://files.pythonhosted.org/packages/57/52/406795ba478dc1c890559dd4e89280fa86506608a28ccf3a72fbf45df9f5/msgpack-1.1.0-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:2137773500afa5494a61b1208619e3871f75f27b03bcfca7b3a7023284140247", size = 383028 }, + { url = "https://files.pythonhosted.org/packages/e7/69/053b6549bf90a3acadcd8232eae03e2fefc87f066a5b9fbb37e2e608859f/msgpack-1.1.0-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:398b713459fea610861c8a7b62a6fec1882759f308ae0795b5413ff6a160cf3c", size = 391100 }, + { url = "https://files.pythonhosted.org/packages/23/f0/d4101d4da054f04274995ddc4086c2715d9b93111eb9ed49686c0f7ccc8a/msgpack-1.1.0-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:06f5fd2f6bb2a7914922d935d3b8bb4a7fff3a9a91cfce6d06c13bc42bec975b", size = 394254 }, + { url = "https://files.pythonhosted.org/packages/1c/12/cf07458f35d0d775ff3a2dc5559fa2e1fcd06c46f1ef510e594ebefdca01/msgpack-1.1.0-cp312-cp312-win32.whl", hash = "sha256:ad33e8400e4ec17ba782f7b9cf868977d867ed784a1f5f2ab46e7ba53b6e1e1b", size = 69085 }, + { url = "https://files.pythonhosted.org/packages/73/80/2708a4641f7d553a63bc934a3eb7214806b5b39d200133ca7f7afb0a53e8/msgpack-1.1.0-cp312-cp312-win_amd64.whl", hash = "sha256:115a7af8ee9e8cddc10f87636767857e7e3717b7a2e97379dc2054712693e90f", size = 75347 }, + { url = "https://files.pythonhosted.org/packages/c8/b0/380f5f639543a4ac413e969109978feb1f3c66e931068f91ab6ab0f8be00/msgpack-1.1.0-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:071603e2f0771c45ad9bc65719291c568d4edf120b44eb36324dcb02a13bfddf", size = 151142 }, + { url = "https://files.pythonhosted.org/packages/c8/ee/be57e9702400a6cb2606883d55b05784fada898dfc7fd12608ab1fdb054e/msgpack-1.1.0-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:0f92a83b84e7c0749e3f12821949d79485971f087604178026085f60ce109330", size = 84523 }, + { url = "https://files.pythonhosted.org/packages/7e/3a/2919f63acca3c119565449681ad08a2f84b2171ddfcff1dba6959db2cceb/msgpack-1.1.0-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:4a1964df7b81285d00a84da4e70cb1383f2e665e0f1f2a7027e683956d04b734", size = 81556 }, + { url = "https://files.pythonhosted.org/packages/7c/43/a11113d9e5c1498c145a8925768ea2d5fce7cbab15c99cda655aa09947ed/msgpack-1.1.0-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:59caf6a4ed0d164055ccff8fe31eddc0ebc07cf7326a2aaa0dbf7a4001cd823e", size = 392105 }, + { url = "https://files.pythonhosted.org/packages/2d/7b/2c1d74ca6c94f70a1add74a8393a0138172207dc5de6fc6269483519d048/msgpack-1.1.0-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:0907e1a7119b337971a689153665764adc34e89175f9a34793307d9def08e6ca", size = 399979 }, + { url = "https://files.pythonhosted.org/packages/82/8c/cf64ae518c7b8efc763ca1f1348a96f0e37150061e777a8ea5430b413a74/msgpack-1.1.0-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:65553c9b6da8166e819a6aa90ad15288599b340f91d18f60b2061f402b9a4915", size = 383816 }, + { url = "https://files.pythonhosted.org/packages/69/86/a847ef7a0f5ef3fa94ae20f52a4cacf596a4e4a010197fbcc27744eb9a83/msgpack-1.1.0-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:7a946a8992941fea80ed4beae6bff74ffd7ee129a90b4dd5cf9c476a30e9708d", size = 380973 }, + { url = "https://files.pythonhosted.org/packages/aa/90/c74cf6e1126faa93185d3b830ee97246ecc4fe12cf9d2d31318ee4246994/msgpack-1.1.0-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:4b51405e36e075193bc051315dbf29168d6141ae2500ba8cd80a522964e31434", size = 387435 }, + { url = "https://files.pythonhosted.org/packages/7a/40/631c238f1f338eb09f4acb0f34ab5862c4e9d7eda11c1b685471a4c5ea37/msgpack-1.1.0-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:b4c01941fd2ff87c2a934ee6055bda4ed353a7846b8d4f341c428109e9fcde8c", size = 399082 }, + { url = "https://files.pythonhosted.org/packages/e9/1b/fa8a952be252a1555ed39f97c06778e3aeb9123aa4cccc0fd2acd0b4e315/msgpack-1.1.0-cp313-cp313-win32.whl", hash = "sha256:7c9a35ce2c2573bada929e0b7b3576de647b0defbd25f5139dcdaba0ae35a4cc", size = 69037 }, + { url = "https://files.pythonhosted.org/packages/b6/bc/8bd826dd03e022153bfa1766dcdec4976d6c818865ed54223d71f07862b3/msgpack-1.1.0-cp313-cp313-win_amd64.whl", hash = "sha256:bce7d9e614a04d0883af0b3d4d501171fbfca038f12c77fa838d9f198147a23f", size = 75140 }, +] + +[[package]] +name = "packageurl-python" +version = "0.16.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/68/7d/0bd319dc94c7956b4d864e87d3dc03739f125ce174671e3128edd566a63e/packageurl_python-0.16.0.tar.gz", hash = "sha256:69e3bf8a3932fe9c2400f56aaeb9f86911ecee2f9398dbe1b58ec34340be365d", size = 40492 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/c4/47/3c197fb7596a813afef2e4198d507b761aed2c7150d90be64dff9fe0ea71/packageurl_python-0.16.0-py3-none-any.whl", hash = "sha256:5c3872638b177b0f1cf01c3673017b7b27ebee485693ae12a8bed70fa7fa7c35", size = 28544 }, +] + +[[package]] +name = "packaging" +version = "24.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/d0/63/68dbb6eb2de9cb10ee4c9c14a0148804425e13c4fb20d61cce69f53106da/packaging-24.2.tar.gz", hash = "sha256:c228a6dc5e932d346bc5739379109d49e8853dd8223571c7c5b55260edc0b97f", size = 163950 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/88/ef/eb23f262cca3c0c4eb7ab1933c3b1f03d021f2c48f54763065b6f0e321be/packaging-24.2-py3-none-any.whl", hash = "sha256:09abb1bccd265c01f4a3aa3f7a7db064b36514d2cba19a2f694fe6150451a759", size = 65451 }, +] + +[[package]] +name = "pip" +version = "24.3.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/f4/b1/b422acd212ad7eedddaf7981eee6e5de085154ff726459cf2da7c5a184c1/pip-24.3.1.tar.gz", hash = "sha256:ebcb60557f2aefabc2e0f918751cd24ea0d56d8ec5445fe1807f1d2109660b99", size = 1931073 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ef/7d/500c9ad20238fcfcb4cb9243eede163594d7020ce87bd9610c9e02771876/pip-24.3.1-py3-none-any.whl", hash = "sha256:3790624780082365f47549d032f3770eeb2b1e8bd1f7b2e02dace1afa361b4ed", size = 1822182 }, +] + +[[package]] +name = "pip-api" +version = "0.0.34" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "pip" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/b9/f1/ee85f8c7e82bccf90a3c7aad22863cc6e20057860a1361083cd2adacb92e/pip_api-0.0.34.tar.gz", hash = "sha256:9b75e958f14c5a2614bae415f2adf7eeb54d50a2cfbe7e24fd4826471bac3625", size = 123017 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/91/f7/ebf5003e1065fd00b4cbef53bf0a65c3d3e1b599b676d5383ccb7a8b88ba/pip_api-0.0.34-py3-none-any.whl", hash = "sha256:8b2d7d7c37f2447373aa2cf8b1f60a2f2b27a84e1e9e0294a3f6ef10eb3ba6bb", size = 120369 }, +] + +[[package]] +name = "pip-audit" +version = "2.7.3" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "cachecontrol", extra = ["filecache"] }, + { name = "cyclonedx-python-lib" }, + { name = "html5lib" }, + { name = "packaging" }, + { name = "pip-api" }, + { name = "pip-requirements-parser" }, + { name = "requests" }, + { name = "rich" }, + { name = "toml" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/46/2f/d030d0d3a50b776f910dd87dc1d57dd4a27bfad176b85882f463632e4747/pip_audit-2.7.3.tar.gz", hash = "sha256:08891bbf179bffe478521f150818112bae998424f58bf9285c0078965aef38bc", size = 50365 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/4d/4a/c908ec8a527698a6539b431d70454e18aef04d4190ff48107ed4d3df99ff/pip_audit-2.7.3-py3-none-any.whl", hash = "sha256:46a11faee3323f76adf7987de8171daeb660e8f57d8088cc27fb1c1e5c7747b0", size = 56266 }, +] + +[[package]] +name = "pip-requirements-parser" +version = "32.0.1" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "packaging" }, + { name = "pyparsing" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/5e/2a/63b574101850e7f7b306ddbdb02cb294380d37948140eecd468fae392b54/pip-requirements-parser-32.0.1.tar.gz", hash = "sha256:b4fa3a7a0be38243123cf9d1f3518da10c51bdb165a2b2985566247f9155a7d3", size = 209359 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/54/d0/d04f1d1e064ac901439699ee097f58688caadea42498ec9c4b4ad2ef84ab/pip_requirements_parser-32.0.1-py3-none-any.whl", hash = "sha256:4659bc2a667783e7a15d190f6fccf8b2486685b6dba4c19c3876314769c57526", size = 35648 }, +] + +[[package]] +name = "pluggy" +version = "1.5.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/96/2d/02d4312c973c6050a18b314a5ad0b3210edb65a906f868e31c111dede4a6/pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1", size = 67955 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/88/5f/e351af9a41f866ac3f1fac4ca0613908d9a41741cfcf2228f4ad853b697d/pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669", size = 20556 }, +] + +[[package]] +name = "py-serializable" +version = "1.1.2" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "defusedxml" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/16/cf/6e482507764034d6c41423a19f33fdd59655052fdb2ca4358faa3b0bcfd1/py_serializable-1.1.2.tar.gz", hash = "sha256:89af30bc319047d4aa0d8708af412f6ce73835e18bacf1a080028bb9e2f42bdb", size = 55844 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/30/f2/3483060562245668bb07193b65277f0ea619cabf530deb351911eb0453eb/py_serializable-1.1.2-py3-none-any.whl", hash = "sha256:801be61b0a1ba64c3861f7c624f1de5cfbbabf8b458acc9cdda91e8f7e5effa1", size = 22786 }, +] + +[[package]] +name = "pygments" +version = "2.18.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/8e/62/8336eff65bcbc8e4cb5d05b55faf041285951b6e80f33e2bff2024788f31/pygments-2.18.0.tar.gz", hash = "sha256:786ff802f32e91311bff3889f6e9a86e81505fe99f2735bb6d60ae0c5004f199", size = 4891905 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/f7/3f/01c8b82017c199075f8f788d0d906b9ffbbc5a47dc9918a945e13d5a2bda/pygments-2.18.0-py3-none-any.whl", hash = "sha256:b8e6aca0523f3ab76fee51799c488e38782ac06eafcf95e7ba832985c8e7b13a", size = 1205513 }, +] + +[[package]] +name = "pyparsing" +version = "3.2.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/8c/d5/e5aeee5387091148a19e1145f63606619cb5f20b83fccb63efae6474e7b2/pyparsing-3.2.0.tar.gz", hash = "sha256:cbf74e27246d595d9a74b186b810f6fbb86726dbf3b9532efb343f6d7294fe9c", size = 920984 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/be/ec/2eb3cd785efd67806c46c13a17339708ddc346cbb684eade7a6e6f79536a/pyparsing-3.2.0-py3-none-any.whl", hash = "sha256:93d9577b88da0bbea8cc8334ee8b918ed014968fd2ec383e868fb8afb1ccef84", size = 106921 }, +] + +[[package]] +name = "pytest" +version = "8.3.4" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "colorama", marker = "sys_platform == 'win32'" }, + { name = "iniconfig" }, + { name = "packaging" }, + { name = "pluggy" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/05/35/30e0d83068951d90a01852cb1cef56e5d8a09d20c7f511634cc2f7e0372a/pytest-8.3.4.tar.gz", hash = "sha256:965370d062bce11e73868e0335abac31b4d3de0e82f4007408d242b4f8610761", size = 1445919 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/11/92/76a1c94d3afee238333bc0a42b82935dd8f9cf8ce9e336ff87ee14d9e1cf/pytest-8.3.4-py3-none-any.whl", hash = "sha256:50e16d954148559c9a74109af1eaf0c945ba2d8f30f0a3d3335edde19788b6f6", size = 343083 }, +] + +[[package]] +name = "pytest-cov" +version = "6.0.0" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "coverage", extra = ["toml"] }, + { name = "pytest" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/be/45/9b538de8cef30e17c7b45ef42f538a94889ed6a16f2387a6c89e73220651/pytest-cov-6.0.0.tar.gz", hash = "sha256:fde0b595ca248bb8e2d76f020b465f3b107c9632e6a1d1705f17834c89dcadc0", size = 66945 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/36/3b/48e79f2cd6a61dbbd4807b4ed46cb564b4fd50a76166b1c4ea5c1d9e2371/pytest_cov-6.0.0-py3-none-any.whl", hash = "sha256:eee6f1b9e61008bd34975a4d5bab25801eb31898b032dd55addc93e96fcaaa35", size = 22949 }, +] + +[[package]] +name = "requests" +version = "2.32.3" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "certifi" }, + { name = "charset-normalizer" }, + { name = "idna" }, + { name = "urllib3" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/63/70/2bf7780ad2d390a8d301ad0b550f1581eadbd9a20f896afe06353c2a2913/requests-2.32.3.tar.gz", hash = "sha256:55365417734eb18255590a9ff9eb97e9e1da868d4ccd6402399eaf68af20a760", size = 131218 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/f9/9b/335f9764261e915ed497fcdeb11df5dfd6f7bf257d4a6a2a686d80da4d54/requests-2.32.3-py3-none-any.whl", hash = "sha256:70761cfe03c773ceb22aa2f671b4757976145175cdfca038c02654d061d6dcc6", size = 64928 }, +] + +[[package]] +name = "rich" +version = "13.9.4" +source = { registry = "https://pypi.org/simple" } +dependencies = [ + { name = "markdown-it-py" }, + { name = "pygments" }, +] +sdist = { url = "https://files.pythonhosted.org/packages/ab/3a/0316b28d0761c6734d6bc14e770d85506c986c85ffb239e688eeaab2c2bc/rich-13.9.4.tar.gz", hash = "sha256:439594978a49a09530cff7ebc4b5c7103ef57baf48d5ea3184f21d9a2befa098", size = 223149 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/19/71/39c7c0d87f8d4e6c020a393182060eaefeeae6c01dab6a84ec346f2567df/rich-13.9.4-py3-none-any.whl", hash = "sha256:6049d5e6ec054bf2779ab3358186963bac2ea89175919d699e378b99738c2a90", size = 242424 }, +] + +[[package]] +name = "setuptools" +version = "75.6.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/43/54/292f26c208734e9a7f067aea4a7e282c080750c4546559b58e2e45413ca0/setuptools-75.6.0.tar.gz", hash = "sha256:8199222558df7c86216af4f84c30e9b34a61d8ba19366cc914424cdbd28252f6", size = 1337429 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/55/21/47d163f615df1d30c094f6c8bbb353619274edccf0327b185cc2493c2c33/setuptools-75.6.0-py3-none-any.whl", hash = "sha256:ce74b49e8f7110f9bf04883b730f4765b774ef3ef28f722cce7c273d253aaf7d", size = 1224032 }, +] + +[[package]] +name = "six" +version = "1.17.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/94/e7/b2c673351809dca68a0e064b6af791aa332cf192da575fd474ed7d6f16a2/six-1.17.0.tar.gz", hash = "sha256:ff70335d468e7eb6ec65b95b99d3a2836546063f63acc5171de367e834932a81", size = 34031 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/b7/ce/149a00dd41f10bc29e5921b496af8b574d8413afcd5e30dfa0ed46c2cc5e/six-1.17.0-py2.py3-none-any.whl", hash = "sha256:4721f391ed90541fddacab5acf947aa0d3dc7d27b2e1e8eda2be8970586c3274", size = 11050 }, +] + +[[package]] +name = "sortedcontainers" +version = "2.4.0" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/e8/c4/ba2f8066cceb6f23394729afe52f3bf7adec04bf9ed2c820b39e19299111/sortedcontainers-2.4.0.tar.gz", hash = "sha256:25caa5a06cc30b6b83d11423433f65d1f9d76c4c6a0c90e3379eaa43b9bfdb88", size = 30594 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/32/46/9cb0e58b2deb7f82b84065f37f3bffeb12413f947f9388e4cac22c4621ce/sortedcontainers-2.4.0-py2.py3-none-any.whl", hash = "sha256:a163dcaede0f1c021485e957a39245190e74249897e2ae4b2aa38595db237ee0", size = 29575 }, +] + +[[package]] +name = "ssvc" +version = "1.0.11" +source = { virtual = "." } +dependencies = [ + { name = "pip-audit" }, +] + +[package.optional-dependencies] +test = [ + { name = "coverage-badge" }, + { name = "pytest" }, + { name = "pytest-cov" }, +] + +[package.metadata] +requires-dist = [ + { name = "coverage-badge", marker = "extra == 'test'", specifier = ">=1.1.2" }, + { name = "pip-audit", specifier = ">=2.7.3" }, + { name = "pytest", marker = "extra == 'test'", specifier = ">=8.3.4" }, + { name = "pytest-cov", marker = "extra == 'test'", specifier = ">=6.0.0" }, +] + +[[package]] +name = "toml" +version = "0.10.2" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/be/ba/1f744cdc819428fc6b5084ec34d9b30660f6f9daaf70eead706e3203ec3c/toml-0.10.2.tar.gz", hash = "sha256:b3bda1d108d5dd99f4a20d24d9c348e91c4db7ab1b749200bded2f839ccbe68f", size = 22253 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/44/6f/7120676b6d73228c96e17f1f794d8ab046fc910d781c8d151120c3f1569e/toml-0.10.2-py2.py3-none-any.whl", hash = "sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b", size = 16588 }, +] + +[[package]] +name = "tomli" +version = "2.2.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/18/87/302344fed471e44a87289cf4967697d07e532f2421fdaf868a303cbae4ff/tomli-2.2.1.tar.gz", hash = "sha256:cd45e1dc79c835ce60f7404ec8119f2eb06d38b1deba146f07ced3bbc44505ff", size = 17175 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/43/ca/75707e6efa2b37c77dadb324ae7d9571cb424e61ea73fad7c56c2d14527f/tomli-2.2.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:678e4fa69e4575eb77d103de3df8a895e1591b48e740211bd1067378c69e8249", size = 131077 }, + { url = "https://files.pythonhosted.org/packages/c7/16/51ae563a8615d472fdbffc43a3f3d46588c264ac4f024f63f01283becfbb/tomli-2.2.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:023aa114dd824ade0100497eb2318602af309e5a55595f76b626d6d9f3b7b0a6", size = 123429 }, + { url = "https://files.pythonhosted.org/packages/f1/dd/4f6cd1e7b160041db83c694abc78e100473c15d54620083dbd5aae7b990e/tomli-2.2.1-cp311-cp311-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:ece47d672db52ac607a3d9599a9d48dcb2f2f735c6c2d1f34130085bb12b112a", size = 226067 }, + { url = "https://files.pythonhosted.org/packages/a9/6b/c54ede5dc70d648cc6361eaf429304b02f2871a345bbdd51e993d6cdf550/tomli-2.2.1-cp311-cp311-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:6972ca9c9cc9f0acaa56a8ca1ff51e7af152a9f87fb64623e31d5c83700080ee", size = 236030 }, + { url = "https://files.pythonhosted.org/packages/1f/47/999514fa49cfaf7a92c805a86c3c43f4215621855d151b61c602abb38091/tomli-2.2.1-cp311-cp311-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c954d2250168d28797dd4e3ac5cf812a406cd5a92674ee4c8f123c889786aa8e", size = 240898 }, + { url = "https://files.pythonhosted.org/packages/73/41/0a01279a7ae09ee1573b423318e7934674ce06eb33f50936655071d81a24/tomli-2.2.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:8dd28b3e155b80f4d54beb40a441d366adcfe740969820caf156c019fb5c7ec4", size = 229894 }, + { url = "https://files.pythonhosted.org/packages/55/18/5d8bc5b0a0362311ce4d18830a5d28943667599a60d20118074ea1b01bb7/tomli-2.2.1-cp311-cp311-musllinux_1_2_i686.whl", hash = "sha256:e59e304978767a54663af13c07b3d1af22ddee3bb2fb0618ca1593e4f593a106", size = 245319 }, + { url = "https://files.pythonhosted.org/packages/92/a3/7ade0576d17f3cdf5ff44d61390d4b3febb8a9fc2b480c75c47ea048c646/tomli-2.2.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:33580bccab0338d00994d7f16f4c4ec25b776af3ffaac1ed74e0b3fc95e885a8", size = 238273 }, + { url = "https://files.pythonhosted.org/packages/72/6f/fa64ef058ac1446a1e51110c375339b3ec6be245af9d14c87c4a6412dd32/tomli-2.2.1-cp311-cp311-win32.whl", hash = "sha256:465af0e0875402f1d226519c9904f37254b3045fc5084697cefb9bdde1ff99ff", size = 98310 }, + { url = "https://files.pythonhosted.org/packages/6a/1c/4a2dcde4a51b81be3530565e92eda625d94dafb46dbeb15069df4caffc34/tomli-2.2.1-cp311-cp311-win_amd64.whl", hash = "sha256:2d0f2fdd22b02c6d81637a3c95f8cd77f995846af7414c5c4b8d0545afa1bc4b", size = 108309 }, + { url = "https://files.pythonhosted.org/packages/52/e1/f8af4c2fcde17500422858155aeb0d7e93477a0d59a98e56cbfe75070fd0/tomli-2.2.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:4a8f6e44de52d5e6c657c9fe83b562f5f4256d8ebbfe4ff922c495620a7f6cea", size = 132762 }, + { url = "https://files.pythonhosted.org/packages/03/b8/152c68bb84fc00396b83e7bbddd5ec0bd3dd409db4195e2a9b3e398ad2e3/tomli-2.2.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:8d57ca8095a641b8237d5b079147646153d22552f1c637fd3ba7f4b0b29167a8", size = 123453 }, + { url = "https://files.pythonhosted.org/packages/c8/d6/fc9267af9166f79ac528ff7e8c55c8181ded34eb4b0e93daa767b8841573/tomli-2.2.1-cp312-cp312-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:4e340144ad7ae1533cb897d406382b4b6fede8890a03738ff1683af800d54192", size = 233486 }, + { url = "https://files.pythonhosted.org/packages/5c/51/51c3f2884d7bab89af25f678447ea7d297b53b5a3b5730a7cb2ef6069f07/tomli-2.2.1-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:db2b95f9de79181805df90bedc5a5ab4c165e6ec3fe99f970d0e302f384ad222", size = 242349 }, + { url = "https://files.pythonhosted.org/packages/ab/df/bfa89627d13a5cc22402e441e8a931ef2108403db390ff3345c05253935e/tomli-2.2.1-cp312-cp312-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:40741994320b232529c802f8bc86da4e1aa9f413db394617b9a256ae0f9a7f77", size = 252159 }, + { url = "https://files.pythonhosted.org/packages/9e/6e/fa2b916dced65763a5168c6ccb91066f7639bdc88b48adda990db10c8c0b/tomli-2.2.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:400e720fe168c0f8521520190686ef8ef033fb19fc493da09779e592861b78c6", size = 237243 }, + { url = "https://files.pythonhosted.org/packages/b4/04/885d3b1f650e1153cbb93a6a9782c58a972b94ea4483ae4ac5cedd5e4a09/tomli-2.2.1-cp312-cp312-musllinux_1_2_i686.whl", hash = "sha256:02abe224de6ae62c19f090f68da4e27b10af2b93213d36cf44e6e1c5abd19fdd", size = 259645 }, + { url = "https://files.pythonhosted.org/packages/9c/de/6b432d66e986e501586da298e28ebeefd3edc2c780f3ad73d22566034239/tomli-2.2.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:b82ebccc8c8a36f2094e969560a1b836758481f3dc360ce9a3277c65f374285e", size = 244584 }, + { url = "https://files.pythonhosted.org/packages/1c/9a/47c0449b98e6e7d1be6cbac02f93dd79003234ddc4aaab6ba07a9a7482e2/tomli-2.2.1-cp312-cp312-win32.whl", hash = "sha256:889f80ef92701b9dbb224e49ec87c645ce5df3fa2cc548664eb8a25e03127a98", size = 98875 }, + { url = "https://files.pythonhosted.org/packages/ef/60/9b9638f081c6f1261e2688bd487625cd1e660d0a85bd469e91d8db969734/tomli-2.2.1-cp312-cp312-win_amd64.whl", hash = "sha256:7fc04e92e1d624a4a63c76474610238576942d6b8950a2d7f908a340494e67e4", size = 109418 }, + { url = "https://files.pythonhosted.org/packages/04/90/2ee5f2e0362cb8a0b6499dc44f4d7d48f8fff06d28ba46e6f1eaa61a1388/tomli-2.2.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:f4039b9cbc3048b2416cc57ab3bda989a6fcf9b36cf8937f01a6e731b64f80d7", size = 132708 }, + { url = "https://files.pythonhosted.org/packages/c0/ec/46b4108816de6b385141f082ba99e315501ccd0a2ea23db4a100dd3990ea/tomli-2.2.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:286f0ca2ffeeb5b9bd4fcc8d6c330534323ec51b2f52da063b11c502da16f30c", size = 123582 }, + { url = "https://files.pythonhosted.org/packages/a0/bd/b470466d0137b37b68d24556c38a0cc819e8febe392d5b199dcd7f578365/tomli-2.2.1-cp313-cp313-manylinux_2_17_aarch64.manylinux2014_aarch64.whl", hash = "sha256:a92ef1a44547e894e2a17d24e7557a5e85a9e1d0048b0b5e7541f76c5032cb13", size = 232543 }, + { url = "https://files.pythonhosted.org/packages/d9/e5/82e80ff3b751373f7cead2815bcbe2d51c895b3c990686741a8e56ec42ab/tomli-2.2.1-cp313-cp313-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:9316dc65bed1684c9a98ee68759ceaed29d229e985297003e494aa825ebb0281", size = 241691 }, + { url = "https://files.pythonhosted.org/packages/05/7e/2a110bc2713557d6a1bfb06af23dd01e7dde52b6ee7dadc589868f9abfac/tomli-2.2.1-cp313-cp313-manylinux_2_5_i686.manylinux1_i686.manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:e85e99945e688e32d5a35c1ff38ed0b3f41f43fad8df0bdf79f72b2ba7bc5272", size = 251170 }, + { url = "https://files.pythonhosted.org/packages/64/7b/22d713946efe00e0adbcdfd6d1aa119ae03fd0b60ebed51ebb3fa9f5a2e5/tomli-2.2.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:ac065718db92ca818f8d6141b5f66369833d4a80a9d74435a268c52bdfa73140", size = 236530 }, + { url = "https://files.pythonhosted.org/packages/38/31/3a76f67da4b0cf37b742ca76beaf819dca0ebef26d78fc794a576e08accf/tomli-2.2.1-cp313-cp313-musllinux_1_2_i686.whl", hash = "sha256:d920f33822747519673ee656a4b6ac33e382eca9d331c87770faa3eef562aeb2", size = 258666 }, + { url = "https://files.pythonhosted.org/packages/07/10/5af1293da642aded87e8a988753945d0cf7e00a9452d3911dd3bb354c9e2/tomli-2.2.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:a198f10c4d1b1375d7687bc25294306e551bf1abfa4eace6650070a5c1ae2744", size = 243954 }, + { url = "https://files.pythonhosted.org/packages/5b/b9/1ed31d167be802da0fc95020d04cd27b7d7065cc6fbefdd2f9186f60d7bd/tomli-2.2.1-cp313-cp313-win32.whl", hash = "sha256:d3f5614314d758649ab2ab3a62d4f2004c825922f9e370b29416484086b264ec", size = 98724 }, + { url = "https://files.pythonhosted.org/packages/c7/32/b0963458706accd9afcfeb867c0f9175a741bf7b19cd424230714d722198/tomli-2.2.1-cp313-cp313-win_amd64.whl", hash = "sha256:a38aa0308e754b0e3c67e344754dff64999ff9b513e691d0e786265c93583c69", size = 109383 }, + { url = "https://files.pythonhosted.org/packages/6e/c2/61d3e0f47e2b74ef40a68b9e6ad5984f6241a942f7cd3bbfbdbd03861ea9/tomli-2.2.1-py3-none-any.whl", hash = "sha256:cb55c73c5f4408779d0cf3eef9f762b9c9f147a77de7b258bef0a5628adc85cc", size = 14257 }, +] + +[[package]] +name = "urllib3" +version = "2.2.3" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/ed/63/22ba4ebfe7430b76388e7cd448d5478814d3032121827c12a2cc287e2260/urllib3-2.2.3.tar.gz", hash = "sha256:e7d814a81dad81e6caf2ec9fdedb284ecc9c73076b62654547cc64ccdcae26e9", size = 300677 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/ce/d9/5f4c13cecde62396b0d3fe530a50ccea91e7dfc1ccf0e09c228841bb5ba8/urllib3-2.2.3-py3-none-any.whl", hash = "sha256:ca899ca043dcb1bafa3e262d73aa25c465bfb49e0bd9dd5d59f1d0acba2f8fac", size = 126338 }, +] + +[[package]] +name = "webencodings" +version = "0.5.1" +source = { registry = "https://pypi.org/simple" } +sdist = { url = "https://files.pythonhosted.org/packages/0b/02/ae6ceac1baeda530866a85075641cec12989bd8d31af6d5ab4a3e8c92f47/webencodings-0.5.1.tar.gz", hash = "sha256:b36a1c245f2d304965eb4e0a82848379241dc04b865afcc4aab16748587e1923", size = 9721 } +wheels = [ + { url = "https://files.pythonhosted.org/packages/f4/24/2a3e3df732393fed8b3ebf2ec078f05546de641fe1b667ee316ec1dcf3b7/webencodings-0.5.1-py2.py3-none-any.whl", hash = "sha256:a0af1213f3c2226497a97e2b3aa01a7e4bee4f403f95be16fc9acd2947514a78", size = 11774 }, +]