bgoglin
commented
2 years ago Hello. Yes please share them with me. When you say "01 warnings", you really mean "1" ? Or did you forget a digit ?
Open misterAnderson90 opened 2 years ago
bgoglin
commented
2 years ago Hello. Yes please share them with me. When you say "01 warnings", you really mean "1" ? Or did you forget a digit ?
misterAnderson90
commented
2 years ago Hello @bgoglin,
Sorry for taking so long for sending you the gist. The warning reported is related to the library Volley used by your app.
How do you perceive the importance of a tool like this?
bgoglin
commented
2 years ago Hello. So you're talking about the Android app, I thought you were talking about the main C project. @vhoyet Do you have an opinion about what to do about this?
vhoyet
commented
2 years ago Hello, the warning seems hard to locate. I can't find any direct use of com.android.volley.InternalUtils in the app. It might be used internally by other methods from com.android.volley, maybe it should be pointed to android developpers then, since these methods don't raise any warning ?
I guess if we can locate it, it should be enough to encode the parameter to any of {SHA-256, SHA-384, SHA-512}.
I'm a PhD student interested in finding security vulnerabilities in open source projects.
We found a total of 01 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on hwloc (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).
Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve hwloc's security, and the quality of the reports of static analysis tools.
(*) https://github.com/CROSSINGTUD/CryptoAnalysis