urbanairship / ios-library

Urban Airship iOS SDK
http://urbanairship.com
Apache License 2.0

Veracode Vulnerability Issues #325

Closed rkaartikeyan closed 2 years ago

rkaartikeyan commented 2 years ago

Preliminary Info

What Airship dependencies are you using?

PODS:
  - Airship (16.5.1):
    - Airship/Automation (= 16.5.1)
    - Airship/Basement (= 16.5.1)
    - Airship/Core (= 16.5.1)
    - Airship/ExtendedActions (= 16.5.1)
    - Airship/MessageCenter (= 16.5.1)
  - Airship/Automation (16.5.1):
    - Airship/Core
  - Airship/Basement (16.5.1)
  - Airship/Core (16.5.1):
    - Airship/Basement
  - Airship/ExtendedActions (16.5.1):
    - Airship/Core
  - Airship/MessageCenter (16.5.1):
    - Airship/Core

What are the versions of any relevant development tools you are using?

Xcode 13

Report

What unexpected behavior are you seeing?

Thanks for this SDK,

As part of our go-live activity we got vulnerability issues from a Veracode scan; kindly find the details below.

1. UATagGroupsLookupResponseCache.m


Description: Use of unsafe functions that are either deprecated due to security concerns, such as not conforming to secure coding practices, can introduce a vulnerability.

Remediation: Most, if not all, of these functions have been documented as unsafe and should not be used, as mentioned in the WWDC session 'Threat Modeling', and can be replaced with more recent API calls.

2. UATagGroupsLookupResponseCache.m


Description: Use of unsafe functions that are either deprecated due to security concerns, such as not conforming to secure coding practices, can introduce a vulnerability.

Remediation: Most, if not all, of these functions have been documented as unsafe and should not be used, as mentioned in the WWDC session 'Threat Modeling', and can be replaced with more recent API calls.

What is the expected behavior?

The above reported vulnerabilities should not appear in the Veracode scan.

What are the steps to reproduce the unexpected behavior?

We need to build an IPA with a distribution certificate and scan it with Veracode.

Do you have logging for the issue?

N/A

rlepinski commented 2 years ago

Already resolved in the latest SDK version. That class no longer exists.

rlepinski commented 2 years ago

https://github.com/urbanairship/ios-library/commit/eae0e9ec1445ae67d0106807e1d2d2c83263ddd6