mtotschnig / MyExpenses

GPL licenced Android Expense Tracking App
http://www.myexpenses.mobi/
GNU General Public License v3.0

Cryptographic APIs misuses #908

Open misterAnderson90 opened 2 years ago

misterAnderson90 commented 2 years ago

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 86 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on MyExpenses (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve MyExpenses's security, and the quality of the reports of static analysis tools.

(*) https://github.com/CROSSINGTUD/CryptoAnalysis
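The 86 warnings themselves are not disclosed in this thread (they were shared in private gists), so the following is an added illustration, not code from MyExpenses or from the reporter, of the kind of finding CogniCrypt's CrySL rules report against `javax.crypto`: a hard-coded key combined with `Cipher.getInstance("AES")`, which on the default provider resolves to `AES/ECB/PKCS5Padding`. The error names in the comments (`HardCodedError`, `ConstraintError`) are the categories CryptoAnalysis uses; which of them, if any, apply to MyExpenses is an assumption here, not something the page states. The corrected version beside it uses a generated key, AES-GCM and a fresh random nonce per message.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class CipherUsageExample {

    // Misuse pattern (illustrative, not from MyExpenses): a key literal in the source
    // and a transformation string without mode/padding. CryptoAnalysis reports the
    // literal key as HardCodedError and the ECB default as a ConstraintError on Cipher.
    static byte[] encryptMisuse(byte[] plaintext) throws Exception {
        byte[] hardCodedKey = "0123456789abcdef".getBytes(StandardCharsets.UTF_8);
        SecretKeySpec key = new SecretKeySpec(hardCodedKey, "AES");
        Cipher c = Cipher.getInstance("AES"); // resolves to AES/ECB/PKCS5Padding
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // Corrected form: caller supplies a generated key, mode and padding are explicit,
    // and a 12-byte nonce from SecureRandom is prepended to the ciphertext so that
    // decryption can recover it. GCM also authenticates the ciphertext (128-bit tag).
    static byte[] encryptFixed(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptFixed(SecretKey key, byte[] nonceAndCt) throws Exception {
        byte[] nonce = Arrays.copyOfRange(nonceAndCt, 0, 12);
        byte[] ct = Arrays.copyOfRange(nonceAndCt, 12, nonceAndCt.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct); // throws AEADBadTagException if nonce or ciphertext was altered
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the same 16-byte block repeated twice, so ECB's weakness is visible.
        byte[] block = "sixteen byte blk".getBytes(StandardCharsets.UTF_8);
        byte[] twoBlocks = new byte[32];
        System.arraycopy(block, 0, twoBlocks, 0, 16);
        System.arraycopy(block, 0, twoBlocks, 16, 16);

        byte[] ecb = encryptMisuse(twoBlocks);
        boolean ecbRepeats = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16),
                                           Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical plaintext blocks give identical ciphertext blocks: " + ecbRepeats);

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] sealed = encryptFixed(key, twoBlocks);
        byte[] sealedAgain = encryptFixed(key, twoBlocks);
        System.out.println("GCM: two encryptions of the same message differ: "
                + !Arrays.equals(sealed, sealedAgain));
        System.out.println("GCM: round trip restores plaintext: "
                + Arrays.equals(decryptFixed(key, sealed), twoBlocks));
    }
}
```

Running the class prints `true` for all three checks on a standard JDK or Android runtime. The ECB comparison is the practical reason the analyzer's constraint on the transformation string matters: block equality in the ciphertext leaks structure of the plaintext, which is exactly what an expense-tracking app storing or exporting records should not do.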

mtotschnig commented 2 years ago

@misterAnderson90 Thank you for informing me about your work. This is very welcome. Could you share it with support@myexpenses.mobi?

mtotschnig commented 2 years ago

@misterAnderson90 I did not receive the announced information. Could you resend it?

misterAnderson90 commented 2 years ago

Hello @mtotschnig,

I'm sorry for making you wait so long. I've shared the gists with you by e-mail. Please let me know if you are interested in discussing any of the gists or in receiving the complete report.

Best regards.

misterAnderson90 commented 2 years ago

Hello @mtotschnig,

Did you receive the email with the gists? If yes, could you please evaluate the warnings and/or share your perceptions about these warnings? If you are interested, I can send you the complete report with all warnings reported by the SAST tool.

mtotschnig commented 2 years ago

@misterAnderson90 Thank you very much for sharing the result, and sorry for taking so long to react. I have commented on the gists you have shared, and would be very interested in the complete report.