sakachin2 / XE

SPF line Editor xe
25 stars 4 forks

Security scan with Checkmarx shows hundreds vulnerabilities #6

Open jvanderes opened 3 years ago

jvanderes commented 3 years ago

This is really a great project, but a security scan with Checkmarx shows hundreds of vulnerabilities in the C code. Is it possible to fix High and Medium vulnerabilities coming from Checkmarx?

RonSMeyer commented 3 years ago

Is there any indication what the vulnerabilities are?

On 12/8/20 4:56 AM, jvanderes wrote:

This is really a great project, but I am not allowed to use it in my organisation because of the security scan outcome. Is it possible to fix High and Medium vulnerabilities coming from Checkmarx?


jvanderes commented 3 years ago

I think Checkmarx is really strict; it also mentions all stuff that should be checked but could be OK. The first few lines (of 813 high prio remarks) are for example:

| Query Name | Source Filename | Source Folder | Status | Source Line | Source Object | Destination Folder | Destination Filename | Destination Line | Destination Object |
|---|---|---|---|---|---|---|---|---|---|
| Format_String_Attack | xxefile.c | \gxe-1.29\src | 2 | 333 | "%s:%s:ondrop: pos=(%d,%d) protocol=%d,is_source=%d,actions=%d,suggested_action=%d,action=%d\n" | \gxe-1.29\src | xxefile.c | 333 | "%s:%s:ondrop: pos=(%d,%d) protocol=%d,is_source=%d,actions=%d,suggested_action=%d,action=%d\n" |
| Format_String_Attack | xxefile.c | \gxe-1.29\src | 2 | 547 | "%s:rc of uclipboard_getcopyfilesub rc!=0%d\n" | \gxe-1.29\src | xxefile.c | 547 | "%s:rc of uclipboard_getcopyfilesub rc!=0%d\n" |
| Command_Injection | xts.c | \gxe-1.29\src\xsub | 2 | 96 | parmp | \gxe-1.29\src\xsub | xts.c | 673 | system |
| Resource_Injection | xbc.c | \gxe-1.29\src\xsub | 2 | 51 | parmp | \gxe-1.29\src\xsub | xbc.c | 161 | Pfnm |
| Resource_Injection | xci.c | \gxe-1.29\src\xsub | 2 | 325 | parmp | \gxe-1.29\src\xsub | xci.c | 2464 | Spfnm |
| Resource_Injection | xci.c | \gxe-1.29\src\xsub | 2 | 325 | parmp | \gxe-1.29\src\xsub | xci.c | 2359 | pfnmo |
| Resource_Injection | xcv.c | \gxe-1.29\src\xsub | 2 | 328 | parmp | \gxe-1.29\src\xsub | xcv.c | 357 | Sstderrfnm |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\xsub | xdig.c | 574 | BinaryExpr |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3644 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3652 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3657 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3666 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3671 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3681 | Pfile |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3686 | Pfile |

jvanderes commented 3 years ago

with Headings:

| Query Name | Source Filename | Source Folder | Status | Source Line | Source Object | Destination Folder | Destination Filename | Destination Line | Destination Object | Result State | Result Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Format_String_Attack | xxefile.c | \gxe-1.29\src | 2 | 333 | "%s:%s:ondrop: pos=(%d,%d) protocol=%d,is_source=%d,actions=%d,suggested_action=%d,action=%d\n" | \gxe-1.29\src | xxefile.c | 333 | "%s:%s:ondrop: pos=(%d,%d) protocol=%d,is_source=%d,actions=%d,suggested_action=%d,action=%d\n" | To Verify | High |
| Format_String_Attack | xxefile.c | \gxe-1.29\src | 2 | 547 | "%s:rc of uclipboard_getcopyfilesub rc!=0%d\n" | \gxe-1.29\src | xxefile.c | 547 | "%s:rc of uclipboard_getcopyfilesub rc!=0%d\n" | To Verify | High |
| Command_Injection | xts.c | \gxe-1.29\src\xsub | 2 | 96 | parmp | \gxe-1.29\src\xsub | xts.c | 673 | system | To Verify | High |
| Resource_Injection | xbc.c | \gxe-1.29\src\xsub | 2 | 51 | parmp | \gxe-1.29\src\xsub | xbc.c | 161 | Pfnm | To Verify | High |
| Resource_Injection | xci.c | \gxe-1.29\src\xsub | 2 | 325 | parmp | \gxe-1.29\src\xsub | xci.c | 2464 | Spfnm | To Verify | High |
| Resource_Injection | xci.c | \gxe-1.29\src\xsub | 2 | 325 | parmp | \gxe-1.29\src\xsub | xci.c | 2359 | pfnmo | To Verify | High |
| Resource_Injection | xcv.c | \gxe-1.29\src\xsub | 2 | 328 | parmp | \gxe-1.29\src\xsub | xcv.c | 357 | Sstderrfnm | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\xsub | xdig.c | 574 | BinaryExpr | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3644 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3652 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3657 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3666 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3671 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3681 | Pfile | To Verify | High |
| Resource_Injection | xdig.c | \gxe-1.29\src\xsub | 2 | 159 | parmp | \gxe-1.29\src\ulib | ufile.c | 3686 | Pfile | To Verify | High |
| Resource_Injection | xfmt.c | \gxe-1.29\src\xsub | 2 | 204 | parmp | \gxe-1.29\src\xsub | xfmt.c | 399 | Spfnm | To Verify | High |
| Resource_Injection | xfmt.c | \gxe-1.29\src\xsub | 2 | 204 | parmp | \gxe-1.29\src\xsub | xfmt.c | 277 | pfnmo | To Verify | High |
| Resource_Injection | xmj.c | \gxe-1.29\src\xsub | 2 | 102 | parmp | \gxe-1.29\src\xsub | xmj.c | 260 | pfnmo | To Verify | High |
| Resource_Injection | ufile.c | \gxe-1.29\src\ulib | 2 | 276 | "stdin" | \gxe-1.29\src\xe | xedcmd2.c | 2657 | fpath | To Verify | High |
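The three query names in the export above (Format_String_Attack, Command_Injection, Resource_Injection) each correspond to a well-known C coding pattern, and each is easiest to triage by asking whether the flagged sink ever receives data a user can influence. The following is an added illustration, not XE's source and not derived from the flagged lines (the thread does not show them): it puts the shape Checkmarx looks for beside the form that keeps user data out of the format argument, out of system(), and inside one directory. The function names, the base directory /var/xe and the POSIX fork/execvp model are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Added illustration, not XE's code: one hypothetical function per
 * Checkmarx query class listed in the thread. */

/* Format_String_Attack fires when data an attacker may influence is used as
 * the *format* argument. A literal format with the user value bound to %s is
 * the shape to confirm when triaging the two xxefile.c hits.
 * Returns bytes written, or -1 if the output was truncated. */
int log_user_value(char *out, size_t outsz, const char *tag, const char *user)
{
    /* Flagged shape:   snprintf(out, outsz, user);   user controls the format.
     * Safe shape below: literal format, the user value is only an argument. */
    int n = snprintf(out, outsz, "%s: %s\n", tag, user);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Resource_Injection: a caller-supplied name (the "parmp" source object in
 * the report) flows into a file open. Confining it to one base directory and
 * rejecting separators and dot entries breaks the tainted-path flow.
 * Returns 1 and fills out[] on success, 0 when the name is rejected. */
int confine_path(const char *base, const char *name, char *out, size_t outsz)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (strchr(name, '/') != NULL || strchr(name, '\\') != NULL)
        return 0;                       /* no directory components at all */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    int n = snprintf(out, outsz, "%s/%s", base, name);
    return (n > 0 && (size_t)n < outsz) ? 1 : 0;
}

/* Command_Injection: the report traces "parmp" into system() in xts.c.
 * system() hands its string to /bin/sh, so shell metacharacters in the user
 * value become extra commands. Running a fixed program through execvp with
 * the user value as a single argv element means no shell parses it.
 * Returns the child's exit status, or -1 on failure. POSIX only. */
int run_fixed_program(const char *prog, const char *user_arg)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)prog, (char *)user_arg, NULL };
        execvp(prog, argv);
        _exit(127);                     /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char line[128], path[256];

    /* A hostile-looking value stays inert because it is never the format. */
    log_user_value(line, sizeof line, "ondrop", "%x %x %n");
    fputs(line, stdout);                /* constructed input, printed verbatim */

    printf("notes.txt -> %s\n",
           confine_path("/var/xe", "notes.txt", path, sizeof path) ? path : "rejected");
    printf("../x.txt  -> %s\n",
           confine_path("/var/xe", "../x.txt", path, sizeof path) ? path : "rejected");

    /* The whole string reaches echo as one argument; with system() the ';'
     * would have separated a second command. */
    return run_fixed_program("echo", "hello; id") == 0 ? 0 : 1;
}
```

When reviewing a "To Verify" finding, the useful question is whether the source object (the literal format string, or parmp) can actually carry attacker-controlled bytes to the destination object; a literal format string that only receives program-internal integers and strings as %s arguments is a candidate for marking as not exploitable, while a parmp value reaching system() or an fopen() path deserves the restructuring shown here.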