pmiddend / piggybudget

Android app that helps you to easily track your expenses
GNU General Public License v3.0

Cryptographic APIs misuses #41

Open misterAnderson90 opened 2 years ago

misterAnderson90 commented 2 years ago

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 16 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on piggybudget (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve piggybudget's security, and the quality of the reports of static analysis tools. (*) https://github.com/CROSSINGTUD/CryptoAnalysis

pmiddend commented 2 years ago

Sounds like an interesting project! You can share the gists with me, sure

misterAnderson90 commented 2 years ago

Dear Philipp,

From the 16 warnings that CogniCrypt reported, we randomly selected 5 gists to share with you. If you are interested, we can share the report with all warnings.

  - Gist 01 - Mac
  - Gist 02 - MessageDigest
  - Gist 03 - MessageDigest
  - Gist 04 - Mac
  - Gist 05 - MessageDigest

For any doubts, you can comment directly in the gists and we can clarify the issues.

Best regards,

misterAnderson90 commented 2 years ago

Hello @pmiddend,

How did you perceive the value of these warnings? Could you please share your perceptions with me?

Thanks a lot for your collaboration.

pmiddend commented 2 years ago

@misterAnderson90 Sorry for replying so late, somehow this message got buried in my inbox.

First of all, I think I understand the warnings, in principle, and having a service that detects those seems useful.

However, all of these warnings are in dependencies of the project I use, so they don't pertain to my code. I'd have to now manually search for the right dependency (maybe even a transitive one), and either report the issue to the maintainer, fix it myself, or try "randomly" to increase my dependency versions.

Which is fine, but then, this static analysis is not so useful to me.

I hope that answers your question?

misterAnderson90 commented 2 years ago

Hello @pmiddend,

Thanks a lot for your contribution. Based on your feedback, do you have suggestions to improve the quality of this SAST tool? For example, do you think it would be better if the SAST only reported warnings related to your code instead of both the project code and its dependencies?

Any suggestions are very welcome.

pmiddend commented 2 years ago

Hi @misterAnderson90,

what you're suggesting would be indeed very helpful. In a perfect world, the tool would have a view showing two groups:

  1. warnings related to your own code, and yours only
  2. warnings in dependencies of your code, with an indication whether it's inside a transitive or direct dependency and with suggestions on which dependency to update in order to fix the problem

I hope that helps a bit.
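The two-group view suggested in the comment above, as an added example that is not code from piggybudget or CogniCrypt: a small Python triage step that takes analyzer findings, separates those in the project's own packages from those in dependencies, and for each dependency finding reports whether the artifact is a direct or transitive dependency and which direct dependency would have to be updated. The package names, artifacts, dependency graph and findings are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    rule: str    # analyzer rule name, e.g. "ConstraintError"
    klass: str   # fully-qualified class the finding was reported in
    api: str     # JCA class involved, e.g. "javax.crypto.Mac"

# Constructed sample data: hypothetical package prefixes, artifacts and graph.
PACKAGE_OWNERS = {            # package prefix -> artifact that ships it
    "com.example.piggybudget": "app",
    "org.libalpha": "libalpha",
    "org.libbeta": "libbeta",
    "org.libgamma": "libgamma",
}
DEPENDENCY_GRAPH = {          # artifact -> artifacts it declares directly
    "app": ["libalpha", "libbeta"],
    "libalpha": ["libgamma"],  # libgamma is only reachable through libalpha
    "libbeta": [],
    "libgamma": [],
}
SAMPLE_FINDINGS = [           # constructed, modelled on Mac/MessageDigest findings
    Finding("ConstraintError", "com.example.piggybudget.Crypto", "javax.crypto.Mac"),
    Finding("ConstraintError", "org.libgamma.Hash", "java.security.MessageDigest"),
    Finding("TypestateError", "org.libbeta.Signer", "javax.crypto.Mac"),
    Finding("ConstraintError", "org.unknown.Digest", "java.security.MessageDigest"),
]

def owner_of(klass, owners=PACKAGE_OWNERS):
    """Longest matching package prefix wins; None if no known artifact ships the class."""
    matches = [p for p in owners if klass.startswith(p + ".")]
    return owners[max(matches, key=len)] if matches else None

def reachable_via(graph, root="app"):
    """For every artifact, the set of root's direct dependencies that pull it in (BFS)."""
    via = {}
    for direct in graph.get(root, []):
        seen, queue = set(), deque([direct])
        while queue:
            a = queue.popleft()
            if a in seen:
                continue
            seen.add(a)
            via.setdefault(a, set()).add(direct)
            queue.extend(graph.get(a, []))
    return via

def triage(findings, graph=DEPENDENCY_GRAPH, owners=PACKAGE_OWNERS, root="app"):
    """Split findings into the project's own code and dependency findings with update hints."""
    via, direct = reachable_via(graph, root), set(graph.get(root, []))
    own, deps = [], []
    for f in findings:
        artifact = owner_of(f.klass, owners)
        if artifact == root:
            own.append(f)
            continue
        kind = "direct" if artifact in direct else "transitive" if artifact in via else "unknown"
        deps.append({"finding": f, "artifact": artifact, "kind": kind,
                     "update": sorted(via.get(artifact, []))})
    return {"own": own, "dependency": deps}
```

The "update" list is the direct dependency (or dependencies) whose version bump could pull in a fixed transitive artifact; an "unknown" kind flags a class the package map does not cover.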