Update known code flaws json files after reviewing code vulnerabilities

[mcarmona99]

Description

This issue is part of https://github.com/wazuh/wazuh/issues/10125.

In that epic issue, we investigate and fix the possible vulnerabilities found using the tool located at wazuh-qa/tests/scans/code_analysis/test_python_flaws.py.

In this issue, we should track and confirm that all the possible flaws reported have been moved to the false_positives list or removed from to_fix.

The following issues should be solved in order to merge this issue's working branch into the target branch:

• [x] https://github.com/wazuh/wazuh/pull/12101
• [x] https://github.com/wazuh/wazuh-qa/pull/2548
• [x] https://github.com/wazuh/wazuh/issues/12067
• [x] https://github.com/wazuh/wazuh/issues/11343
• [x] https://github.com/wazuh/wazuh/issues/10146
• [x] https://github.com/wazuh/wazuh/issues/10142
• [x] https://github.com/wazuh/wazuh/issues/10114
• [x] https://github.com/wazuh/wazuh/issues/10147
• [x] https://github.com/wazuh/wazuh/issues/10145
• [x] https://github.com/wazuh/wazuh/issues/10113
• [x] https://github.com/wazuh/wazuh/issues/10115
• [x] https://github.com/wazuh/wazuh/issues/10116
• [x] https://github.com/wazuh/wazuh/issues/10155
• [x] https://github.com/wazuh/wazuh/issues/10154
• [x] https://github.com/wazuh/wazuh/issues/10144
• [x] https://github.com/wazuh/wazuh/issues/8347

---

WORKING QA BRANCH: dev-fix-python-code-vulnerabilities TARGET WAZUH-QA BRANCH: master

[noise-kngdm]

Issue update

• Wazuh main issue: wazuh/wazuh#10116.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2338.
• Flaw status: FALSE POSITIVE.

[noise-kngdm]

Issue update

• Wazuh main issue: wazuh/wazuh#10155.
• Wazuh QA PR: #2339 .
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10113.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2349.
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10115.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2350.
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10145.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2351.
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10154.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2352.
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10142.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2359.
• Flaw status: FALSE POSITIVE.

[Kondent]

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10144.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2360.
• Flaw status:
  • B603:
  • wazuh/framework/wazuh/core/cluster/cluster.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/common.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/configuration.py: FALSE POSITIVE
  • wazuh/framework/scripts/wazuh-logtest.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/utils.py: FIXED
  • B404:
  • wazuh/framework/scripts/wazuh-logtest.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/cluster/cluster.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/common.py: FALSE POSITIVE
  • wazuh/framework/wazuh/core/configuration.py: FALSE POSITIVE

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10147.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2361.
• Flaw status: FALSE POSITIVE.

[mcarmona99]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10114.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2384.
• Flaw status: FALSE POSITIVE.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/10146.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2449.
• Flaw status: FALSE POSITIVE.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/11343.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2476.
• Flaw status: FIXED.

[Kondent]

Issue update

• Wazuh main issue: https://github.com/wazuh/wazuh/issues/12067.
• Wazuh QA PR: https://github.com/wazuh/wazuh-qa/pull/2539.
• Flaw status: FALSE POSITIVE.

[Kondent]

Issue update

Current status

• API:

  • New flaws: 2.
    • They are false positives, in which their surrounding lines were modified. This way Bandit is reporting them as new flaws.

• Wodles:

  • New flaws: 1.
    • It's a false positive, in which its surrounding lines were modified. This way Bandit is reporting it as a new flaw.
  • Known flaws to fix: 2.
    • Reported and fixed here: https://github.com/wazuh/wazuh/issues/12067.

• Framework:

  • New flaws: 2. i. It's a flaw regarding the following import: from subprocess import CalledProcessError, check_output at framework/wazuh/core/utils.py. It's entirely related with a rebase conflict. This line should be removed since the subprocess package is not being used here. Removed in https://github.com/wazuh/wazuh/pull/10740 and incorrectly added in https://github.com/wazuh/wazuh/pull/10635. ii. It's a false positive, in which its surrounding lines were modified. This way Bandit is reporting it as a new flaw.
  • Comments:
    • There are three false positive flaws that were recently removed since the related modules were modified and those code blocks no longer exist.
    • There is another false positive that will be removed with an upcoming fix. We're importing the subprocess module at framework/wazuh/core/common.py in despite of it's not being used.

Required fixes

• wazuh/wazuh:

  • Remove from subprocess import CalledProcessError, check_output from framework/wazuh/core/utils.py since it's not being used and it's reported as a new framework flaw.
  • Remove import subprocess from framework/wazuh/core/common.py since it's not being used and it's known as a false positive.

• wazuh/wazuh-qa:

  • After the merge of every PR to dev-fix-python-code-vulnerabilities in wazuh/wazuh, we need to verify and modify these altered false positives I mentioned above in the current status section.

With all this adjustments, the test should successfully pass with no errors regarding a possible code flaw. If a new flaw appears while doing these modifications, it should be reported in a new issue.

[mcarmona99]

Having into account the required fixes commented in the last comment, the following pull requests have been created:

• https://github.com/wazuh/wazuh/pull/12101: PR to remove the unused imports in core/utils.py and core/common.py.
• https://github.com/wazuh/wazuh-qa/pull/2548: PR to update the known_flaws JSON files in the wazuh-qa repository.