jasonwee / common_java

Apache License 2.0

semgrep output #2

Open jasonwee opened 8 months ago

jasonwee commented 8 months ago

Better response? Hide some internal stack traces...

$ semgrep scan --config auto

┌──── ○○○ ────┐
│ Semgrep CLI │
└─────────────┘

Scanning 100 files (only git-tracked) with:

✔ Semgrep OSS
  ✔ Basic security coverage for first-party code vulnerabilities.

✔ Semgrep Code (SAST)
  ✔ Find and fix vulnerabilities in the code you write with advanced scanning and expert security rules.

✘ Semgrep Supply Chain (SCA)
  ✘ Find and fix the reachable vulnerabilities in your OSS dependencies.

  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00

┌─────────────────┐
│ 8 Code Findings │
└─────────────────┘

    src/main/java/ch/weetech/network/HttpClientApp.java
       java.lang.security.audit.active-debug-code-printstacktrace.active-debug-code-printstacktrace
          Possible active debug code detected. Deploying an application with debug code can create
          unintended entry points or expose sensitive information.
          Details: https://sg.run/4K8z

           67┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
           72┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
           77┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
           82┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
          126┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
          131┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
          136┆ e.printStackTrace(new PrintWriter(sw));
            ⋮┆----------------------------------------
          141┆ e.printStackTrace(new PrintWriter(sw));

┌──────────────┐
│ Scan Summary │
└──────────────┘
Some files were skipped or only partially analyzed.
  Scan was limited to files tracked by git.
  Partially scanned: 1 files only partially analyzed due to parsing or internal Semgrep errors
  Scan skipped: 36 files matching .semgrepignore patterns
  For a full list of skipped files, run semgrep with the --verbose flag.

Ran 291 rules on 64 files: 8 findings.

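A before/after for the pattern semgrep flags, as an added example (not code from the common_java repository): the first method reproduces the reported `e.printStackTrace(new PrintWriter(sw))` capture so the whole trace ends up in the response body, the second logs it server-side and returns only a generic message with a correlation id. The class name and the constructed exception are assumptions for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example, not code from jasonwee/common_java: contrasts the flagged
// pattern (stack trace captured into a StringWriter and handed back to the
// caller) with a version that keeps the trace in the server log only.
public class StackTraceResponseExample {
    private static final Logger LOG =
            Logger.getLogger(StackTraceResponseExample.class.getName());

    // Flagged pattern: the full trace (class names, file paths, line numbers,
    // library versions) becomes part of what the caller receives.
    static String unsafeErrorBody(Exception e) {
        StringWriter sw = new StringWriter();
        e.printStackTrace(new PrintWriter(sw));   // the line semgrep reported
        return "error: " + sw;
    }

    // Hardened form: log the trace server-side under a correlation id and
    // return only a generic message plus that id, so the trace can still be
    // found in the logs without the client learning internals.
    static String safeErrorBody(Exception e) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "request failed, correlationId=" + correlationId, e);
        return "request failed (ref " + correlationId + ")";
    }

    public static void main(String[] args) {
        // Constructed failure standing in for a failed HTTP call (assumption).
        Exception e = new IllegalStateException("connect timed out",
                new RuntimeException("pool exhausted"));
        System.out.println("--- before ---");
        System.out.println(unsafeErrorBody(e));
        System.out.println("--- after ---");
        System.out.println(safeErrorBody(e));
    }
}
```

Running it prints the full trace under "before" and a single opaque reference line under "after"; the trace itself goes to the JUL logger on stderr.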
jasonwee commented 8 months ago

https://medium.com/@mostafa.elnakeb/supercharging-your-code-quality-with-semgrep-sast-in-github-actions-c8f30eb26655