wazuh / wazuh-qa

Wazuh - Quality Assurance
GNU General Public License v2.0
64 stars 32 forks

Minor vulnerabilities in python linter action #4633

Closed Rebits closed 1 month ago

Rebits commented 12 months ago

Description

Regarding https://github.com/wazuh/wazuh-jenkins/issues/6364, minor vulnerabilities have been detected in the python linter script.

Test python flaws

```
{
  "new_flaws": [
    {
      "code": " \n import subprocess\n import random\n",
      "filename": "./deployability/modules/workflow_engine/task.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Consider possible security implications associated with subprocess module.",
      "line_number": 5,
      "line_range": [5],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess",
      "test_id": "B404",
      "test_name": "blacklist"
    },
    {
      "code": " try:\n result = subprocess.run(\n [self.task_parameters['path']] + task_args,\n check=True,\n capture_output=True,\n text=True,\n )\n",
      "filename": "./deployability/modules/workflow_engine/task.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "subprocess call - check for execution of untrusted input.",
      "line_number": 59,
      "line_range": [59, 63],
      "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html",
      "test_id": "B603",
      "test_name": "subprocess_without_shell_equals_true"
    },
    {
      "code": " time_interval = self.task_parameters.get('time-seconds', [1, 5])\n sleep_time = random.uniform(time_interval[0], time_interval[1])\n \n",
      "filename": "./deployability/modules/workflow_engine/task.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes.",
      "line_number": 91,
      "line_range": [91],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random",
      "test_id": "B311",
      "test_name": "blacklist"
    },
    {
      "code": " # assure there must be at least one character from each group\n random_pass = random_pass + ''.join([random.choice(chars) for chars in [string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS]])\n random_pass = ''.join(random.sample(random_pass,len(random_pass)))\n",
      "filename": "./provisioning/roles/wazuh/ansible-wazuh-manager/files/create_user.py",
      "issue_confidence": "HIGH",
      "issue_severity": "LOW",
      "issue_text": "Standard pseudo-random generators are not suitable for security/cryptographic purposes.",
      "line_number": 55,
      "line_range": [55],
      "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b311-random",
      "test_id": "B311",
      "test_name": "blacklist"
    }
  ]
}
```
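The B311 finding that matters most in the report above is the one in `create_user.py`: `random.choice` and `random.sample` draw from the Mersenne Twister, whose output is predictable once enough of it is observed, so a password built from it is weaker than its length suggests. The following is an added example, not code from the wazuh-qa repository, showing the same construction (one guaranteed character per group, then a shuffle) driven by the `secrets` module, which uses the OS CSPRNG. `SPECIAL_CHARS` is a constructed value here because the page does not show the set the real script uses; the function names are assumptions of this example.

```python
import secrets
import string

# Constructed for this example: the issue snippet references SPECIAL_CHARS but
# does not show its contents, so this set is an assumption.
SPECIAL_CHARS = "!@#$%^&*()-_=+"

# Same four groups the original snippet iterates over.
GROUPS = (string.ascii_lowercase, string.digits, string.ascii_uppercase, SPECIAL_CHARS)
ALPHABET = "".join(GROUPS)

# secrets.SystemRandom is os.urandom-backed and offers the same API as random.Random,
# so shuffle() and uniform() can be used without reimplementing them.
_csprng = secrets.SystemRandom()


def generate_password(length: int = 16) -> str:
    """Build a password with at least one character from each group.

    Mirrors the original script's approach but replaces random.choice with
    secrets.choice and random.sample with a CSPRNG-driven shuffle.
    """
    if length < len(GROUPS):
        raise ValueError(f"length must be at least {len(GROUPS)} to cover every group")

    # Guarantee one character from each group (the property the original comment asserts).
    chars = [secrets.choice(group) for group in GROUPS]

    # Fill the remainder from the full alphabet.
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(GROUPS))]

    # Shuffle so the guaranteed characters do not always occupy the first positions.
    _csprng.shuffle(chars)
    return "".join(chars)


def has_all_groups(password: str) -> bool:
    """Return True if every character group is represented in the password."""
    return all(any(c in group for c in password) for group in GROUPS)


def retry_jitter(low: float = 1.0, high: float = 5.0) -> float:
    """Sleep jitter for retries, as in task.py's time-seconds handling.

    This use is not security-sensitive, but drawing it from SystemRandom
    keeps the linter quiet without a per-line suppression.
    """
    return _csprng.uniform(low, high)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, has_all_groups(pw))
```

The `time-seconds` jitter in `task.py` is the other B311 hit; it is a false positive in the practical sense (nobody attacks a retry delay), so the choice there is between a `# nosec B311` annotation with a justification and the cheap switch to `SystemRandom` shown in `retry_jitter`. The B603 hit on `subprocess.run([...path...] + task_args)` is the one the linter cannot judge for you: it is safe only if `task_parameters['path']` and `task_args` come from a trusted workflow definition, which is what the reviewer should verify rather than suppress.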
pro-akim commented 11 months ago

Update

Added: Standard pseudo-random generators are not suitable for security/cryptographic purposes in Weekly 46

pro-akim commented 7 months ago

Update

New findings were added in the Weekly ## 11 scan

juliamagan commented 1 month ago

With all the migration of the repository, the dependencies are already being updated. Also, once the entire migration is complete in 4.10.0, security scans will be re-enabled to check this.