Expected Issues Locations

[bperry-mf]

Describe the bug I was wondering if the expected issues provided (scanner/sast/expectedIssues.csv) within the repo is current. If not, is there a separate repo or file that contain an updated version of the expected issues?

To Reproduce The scanner/sast/expectedIssues.csv file defines the following entries as a vulnerability, but the line of code does not correspond to a vulnerability:

• The line of code is the beginning of a try-catch block:
  • SQL Injection : src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java : 218
• The file does not exist:
  • Reflected XXS : src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java : 60
  • Reflected XXS : src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java : 82
• The line of code is the closing bracket of an if-statement '}':
  • Path Traversal : src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java : 65

Expected behavior The expectedIssues.csv entries to reference a line of code that contains a function call, "return" statement, or a variable assignement when applicable.

[preetkaran20]

Hi @bperry-mf , Yes you are right. The expectedIssues.csv gets outdated with the code changes. Is it possible for you to fix it? We are struggling to maintain it as well and the thought is to generate it dynamically but seems complex.

Thanks, Karan