v-asshrirao
commented
8 months ago @Liveingeo, Thank you for reporting this. Please allow us some time to validate and we will try to revert ASAP.
Closed Liveingeo closed 8 months ago
v-asshrirao
commented
8 months ago @Liveingeo, Thank you for reporting this. Please allow us some time to validate and we will try to revert ASAP.
v-asshrirao
commented
8 months ago @Liveingeo , Thank you again for reporting this. We usually address security issues from ADO component governance and GitHub dependabot alerts before every release. For our next release along with governance and dependabot alerts we will also consider issues which you have pointed out.
Since this is an open source another option you can consider is to download the code and customize it as per your needs.
Liveingeo
commented
8 months ago @v-asshrirao : When will be the next release? And are this findings of any concerns or any of them would justify dismissing as false positives?
v-asshrirao
commented
8 months ago @Liveingeo, We do not have any date planned as of now. But we will add this to backlog and validate based on priority before release.
v-asshrirao
commented
8 months ago @Liveingeo, If you need any other information please let us know else confirm if we can close this ticket.
Liveingeo
commented
8 months ago @v-asshrirao is it possible for the dev team to review the highlighted Issues and let us know the severity of it. Some assurance of using this code until the fix comes in later release.
v-asshrirao
commented
8 months ago @Liveingeo , We have reviewed the issues and only one is related to code and its not severe.
Few of the are related to build in files which get generated when we create TeamsFx App and other are related to template we are using for creating resources in Azure and none of them are severe.
We will close this ticket now. You can reopen this if required.
We recently conducted a Sonarcloud scan of the Microsoft TEOC code (https://github.com/OfficeDev/microsoft-teams-emergency-operations-center), which yielded findings of 13 security hotspots and several high-severity issues. Could you verify the veracity of these concerns and to discern whether they might be categorized as false positives. To provide you with a succinct overview, I have attached a summary of the results, have not included the High severity issues just the security Hotspots.
Sonarcloud Scan results for the TEOC Public Repo.docx
We anticipate that the Microsoft team has conducted its own assessments through Static Application Security Testing (SAST) and Software Composition Analysis (SCA) scans on the codebase. We are keen to identify whether there are any ongoing concerns, or conversely, if there is a level of assurance that would justify dismissing some of these issues.