sustainable-computing-io / kepler-operator

Kepler Operator
Apache License 2.0

Defects and vulnerabilities reported by Snyk scan #380

Open vprashar2929 opened 3 months ago

vprashar2929 commented 3 months ago

Recently we ran a Snyk scan on the openshift-power-monitoring/power-monitoring-operator, which is a fork of this repository. Upon running the scan, the following issues in the code were reported:

Testing /go/src/github.com/openshift-power-monitoring/power-monitoring-operator ...

 ✗ [Low] Use of Hardcoded Credentials
   ID: a837195b-e732-4599-96b6-da7c18dc5b8f 
   Path: vendor/k8s.io/klog/v2/klog_file.go, line 48 
   Info: Do not hardcode credentials in code. Found hardcoded credential used in userName.

 ✗ [Low] Use of Password Hash With Insufficient Computational Effort
   ID: 8bd77647-ce34-4092-948a-93d79c97e823 
   Path: vendor/github.com/google/uuid/hash.go, line 44 
   Info: The MD5 hash (used in crypto.md5.New) is insecure. Consider changing it to a secure hash algorithm

 ✗ [Low] Use of Password Hash With Insufficient Computational Effort
   ID: 5c990851-bed3-4932-92ac-7e21708eee6f 
   Path: vendor/github.com/google/uuid/hash.go, line 52 
   Info: The SHA1 hash (used in crypto.sha1.New) is insecure. Consider changing it to a secure hash algorithm

 ✗ [Medium] Improper Certificate Validation
   ID: e35e6c2c-16c9-498e-805f-a2fe04332c9a 
   Path: vendor/sigs.k8s.io/controller-runtime/pkg/webhook/server.go, line 275 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [Medium] Improper Certificate Validation
   ID: 2b4e53b0-48d5-44c4-bb8d-6ff8b8316b1d 
   Path: vendor/k8s.io/client-go/util/cert/server_inspection.go, line 33 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [Medium] Improper Certificate Validation
   ID: 49c69430-d38f-4c71-b608-305c7e085869 
   Path: vendor/k8s.io/client-go/util/cert/server_inspection.go, line 67 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [High] Generation of Error Message Containing Sensitive Information
   ID: db11068f-38d6-48cc-8a09-4f84007c37be 
   Path: vendor/sigs.k8s.io/controller-runtime/pkg/log/log.go, line 64 
   Info: Information exposure through error stack trace in fmt.Fprintf.

✔ Test completed

Organization:      openshift-ci-internal
Test type:         Static code analysis
Project path:      /go/src/github.com/openshift-power-monitoring/power-monitoring-operator

Summary:

  7 Code issues found
  1 [High]   3 [Medium]   3 [Low] 

Code Report Complete