sandboxie-plus / Sandboxie

Sandboxie Plus & Classic
https://Sandboxie-Plus.com
GNU General Public License v3.0

Run a Static application security testing (SAST) against Sandboxie #1080

Open kimpurcell opened 3 years ago

kimpurcell commented 3 years ago

**Is your feature request related to a problem? Please describe.**
I'd like to know if Sandboxie has been vetted for security vulnerabilities that could allow malicious code to escape the sandbox and infect the host. This is very important to ensure we're not running under the false pretense of "security" when malware can easily cause a buffer overflow and escape, similar to what happened to VMware's vulnerabilities.

Do we have the latest CVE report for Sandboxie after David Xanatos' modifications? Here's the CVE on the original Sandboxie: https://www.cvedetails.com/vulnerability-list/vendor_id-16800/Sandboxie.html

**Describe the solution you'd like**
Run a static scan using a good SAST tool to ensure known security vulnerabilities are fixed.

**Describe alternatives you've considered**
We could also issue a challenge to the hacker community to see if they can find vulnerabilities in this tool. Any findings would just make the app stronger imho.

**Additional context**
For a recommended, FREE tool, check out SonarQube: https://www.sonarqube.org/downloads/ Enterprise uses this and they've been effective in catching security vulnerabilities. Fyi, I'm not in any way associated with them, just a tool I know.

isaak654 commented 1 year ago

> I'd like to know if Sandboxie has been vetted for security vulnerabilities that could allow malicious code to escape the sandbox and infect the host.

Currently, there are 22 references of FIXED SECURITY ISSUE in the CHANGELOG.md file.

> Run a static scan using a good SAST tool to ensure known security vulnerabilities are fixed.

Since yesterday, we have an integrated CodeQL workflow officially provided by GitHub Security Lab: #3071 A number of CodeQL alerts have been correctly fixed and closed accordingly.

> For a recommended, FREE tool, check out SonarQube: https://www.sonarqube.org/downloads/ Enterprise uses this and they've been effective in catching security vulnerabilities. Fyi, I'm not in any way associated with them, just a tool I know.

Personally, I'm in favour of including an additional static analyzer as a separate workflow if someone creates a new pull request with instructions and active support about how to set it (as long as the alternative workflow can be run manually in the repository).

> We could also issue a challenge to the hacker community to see if they can find vulnerabilities in this tool. Any findings would just make the app stronger imho.

The problem is figuring out how to do it in a way that is affordable for @DavidXanatos.

By the way:

  1. I had already proposed something similar in https://github.com/sandboxie-plus/Sandboxie/discussions/1753#discussioncomment-3229367
  2. Almost no one (at the present time) is interested in contributing in exchange for a supporter certificate that doesn't expire: https://github.com/sandboxie-plus/Sandboxie/labels/contributor%20certificate https://github.com/sandboxie-plus/sandboxie-docs/labels/contributor%20certificate
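For readers wondering what "a separate static-analyzer workflow that can be run manually in the repository" looks like in practice, here is an added example GitHub Actions workflow. It is not the project's own CodeQL workflow from #3071 and was not written by anyone in this thread; the `workflow_dispatch` trigger is what makes it startable by hand from the Actions tab, and the `security-events: write` permission is what lets the results land in the repository's code-scanning alerts. The workflow name, the schedule, and the use of CodeQL's autobuild step for the C/C++ build are assumptions for illustration, not details of how Sandboxie is actually built.

```yaml
# Added example (not Sandboxie's own workflow): a stand-alone SAST job
# that maintainers can start on demand, plus an optional weekly run.
name: Manual SAST (example)

on:
  workflow_dispatch:          # "Run workflow" button in the Actions tab
  schedule:
    - cron: "0 3 * * 1"       # assumed schedule: Mondays 03:00 UTC

permissions:
  contents: read
  security-events: write      # required to upload SARIF results to code scanning

jobs:
  codeql-cpp:
    runs-on: windows-latest   # assumption: the project targets Windows
    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: cpp
          # broader security query pack than the default suite
          queries: security-extended

      # Assumption: let CodeQL's autobuild attempt the C/C++ build.
      # A real workflow would replace this with the project's build command.
      - name: Build
        uses: github/codeql-action/autobuild@v3

      - name: Analyze and upload results
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:cpp"
```

Because the job is triggered by `workflow_dispatch` rather than on every push, it adds no cost to routine pull requests; findings still show up as code-scanning alerts, so they can be triaged in the same place as the existing CodeQL results.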