google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0
860 stars 178 forks

Triton Inference Server Rce Detector #451

Closed secureness closed 1 month ago

secureness commented 3 months ago

https://github.com/google/tsunami-security-scanner-plugins/issues/433

leonardo-doyensec commented 2 months ago

I've also noticed that the issue that this PR is referring to is incorrect. I think this plugin is linked to https://github.com/google/tsunami-security-scanner-plugins/issues/433

secureness commented 2 months ago

I've also noticed that the issue that this PR is referring to is incorrect. I think this plugin is linked to #433

Yes you are right, sorry about this :))

leonardo-doyensec commented 2 months ago

Hi @secureness, I'm noticing that after your changes the plugin is still not working properly. I think that the root cause is the modelNamesJo.isEmpty() method. Please remove it.

~ Leonardo (Doyensec)

maoning commented 2 months ago

@secureness could you check if the proposed change works? I would like to merge in this PR asap to unblock you from picking up the hive weak cred plugin.

secureness commented 2 months ago

@maoning @leonardo-doyensec I'm sorry if it took too long to fix the review suggestion.

leonardo-doyensec commented 1 month ago

Hi @secureness , thank you for your changes. However after the last commits, the plugin no longer builds. This is an issue related to gradlew. Please upgrade it to version 7. You can take a look at the solution adopted here https://github.com/google/tsunami-security-scanner-plugins/pull/456/commits/251cdd2e8877aefd4712cb4c10c0812997fbe74d

~ Leonardo (Doyensec)

secureness commented 1 month ago

@leonardo-doyensec thanks for the help. I just wanted to let you know that it is done now.

secureness commented 1 month ago

@leonardo-doyensec I made some changes according to the official Google (the google/ directory) tsunami plugins. I have the "# of detected vulnerability: 1." message after the scan results. Also, I updated the testbed https://github.com/google/security-testbeds/pull/51.

leonardo-doyensec commented 1 month ago

LGTM - Approved @maoning you can merge it. We also need to merge the security testbed https://github.com/google/security-testbeds/pull/51

Reviewer: Leonardo, Doyensec

Plugin: Triton Inference Server Model Overwrite lead to RCE

Feedback: The overall quality is below standard. The plugin was not working at first and several interactions were required to make it work properly. Furthermore, some elements of formatting were missing, which further hindered the review of the plugin. The security testbed was easy to deploy.

Drawbacks: None

tooryx commented 1 month ago

Hi @secureness,

Your PR has been merged. This usually means a reward will be granted. Google will start the internal QC process and the reward amount will be determined based on the quality of the detector report. Please be patient and allow up to a week for the QC process to finish. You'll be notified once the decision is made.

Thanks!

secureness commented 3 weeks ago

@tooryx After 27 days I didn't get any response yet. Is there anything wrong with this submission?

tooryx commented 3 weeks ago

Hi @secureness,

I will check with the team and get back to you this week.

Cheers, ~tooryx

tooryx commented 3 weeks ago

You will receive an update on the tracking bug soon. Sorry for the delay!