Open mend-for-github-com[bot] opened 3 months ago
I've been working on assessing and addressing these issues on the feature/hardening branch.
Some of these issues are false-positives, some are issues that require changes to address correctly.
I'm now investigating solutions to the path/directory traversal issues listed in here and using this as a reference for how to resolve these issues: https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87151932
Code Security Report
Scan Metadata
Latest Scan: 2024-05-31 07:55pm
Total Findings: 16 | New Findings: 3 | Resolved Findings: 1
Tested Project Files: 22
Detected Programming Languages: 1 (C/C++ (Beta))
Most Relevant Findings
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3318-L3323
32 Data Flow/s detected
View Data Flow 1
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
View Data Flow 2
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
View Data Flow 3
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Out of Buffer Bounds Write Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/memory/buffer/cpp/vanilla)
- Videos
  - [Secure Code Warrior Out of Buffer Bounds Write Video](https://media.securecodewarrior.com/v2/Module_56_Buffer_Overflow_v2.mp4)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3318-L3323
32 Data Flow/s detected
View Data Flow 1
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3287
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3315
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
View Data Flow 2
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3287
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3315
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
View Data Flow 3
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3287
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3315
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3323
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Buffer Overflow Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/memory/stack/cpp/vanilla)
- Videos
  - [Secure Code Warrior Buffer Overflow Video](https://media.securecodewarrior.com/v2/Module_53_Stack_Overflow_v2.mp4)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L456-L461
1 Data Flow/s detected
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L446
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L460
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L461
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/cpp/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L455-L460
1 Data Flow/s detected
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L446
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Format.c#L460
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/cpp/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L783-L788
1 Data Flow/s detected
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L776
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L787
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L788
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/cpp/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L782-L787
1 Data Flow/s detected
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L776
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L787
Secure Code Warrior Training Material
- Training
  - [Secure Code Warrior Path/Directory Traversal Training](https://portal.securecodewarrior.com/?utm_source=partner-integration:mend&partner_id=mend#/contextual-microlearning/web/injection/pathtraversal/cpp/vanilla)
- Videos
  - [Secure Code Warrior Path/Directory Traversal Video](https://media.securecodewarrior.com/v2/module_196_path_traversal.mp4)
- Further Reading
  - [OWASP Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
  - [OWASP Input Validation Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html)
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/src/openseachest_util_options.c#L3822
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L1097
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L1089
Vulnerable Code
https://github.com/Seagate/openSeaChest/blob/c512193ee90f96640f72d61d234c9947bb29f0ef/utils/C/openSeaChest/openSeaChest_Erase.c#L1917
Findings Overview