ci: change failed args on codethreat scan
sust4in authored Sep 17, 2024
1 parent b910bb5 commit bd51485
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codescan.yml
Expand Up @@ -30,9 +30,9 @@ jobs:
ORGNAME: ${{ secrets.ORGNAME }}
with:
FAILED_ARGS: |
- max_number_of_critical: 15
- max_number_of_high: 15
- weakness_is: ".*injection"
- max_number_of_critical: 600
- max_number_of_high: 500
- weakness_is: ""
- condition: 'OR'
- automerge: false
- sync_scan: true
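Review bot: Raising max_number_of_critical from 15 to 600 and max_number_of_high from 15 to 500 while also clearing the weakness_is filter (".*injection" becomes "") turns this gate into a no-op in practice: with condition 'OR', assuming it means any single rule tripping fails the job, the job now fails only when one scan reports more than 600 critical or more than 500 high findings, thresholds far above anything the gate previously enforced, and the injection-class rule is removed outright. If the intent is to stop the pipeline from failing on the existing backlog, prefer a baseline that fails only on newly introduced findings, or set the counts just above the current totals and add a YAML comment giving the rationale and a date to tighten them again. Also confirm how the action treats an empty weakness_is string: if "" is read as a match-everything pattern rather than as "disabled", every scan would trip this rule under OR; if it means disabled, drop the line instead of leaving an empty value that reads like an active filter.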

1 comment on commit bd51485

@github-actions

🚀 CodeThreat Security Scan Completed for IssueBlot.NET

Hello Team,

Great news! We've just completed a thorough security scan for IssueBlot.NET, and here's what we found:


Quick Overview

  • Duration: 00:16:37
  • Risk Score: F (This reflects the overall security posture based on the identified issues.)
  • Issues Fixed: 0 (The number of vulnerabilities resolved during this scan.)

📊 New Security Issues Discovered

We've identified 1 new security concern. Here's a breakdown by severity:

  • Critical: 0 (These need immediate attention. Let's prioritize fixing them ASAP.)
  • High: 1 (Serious vulnerabilities that should be addressed soon.)
  • Medium: 0 (These are important but not urgent—plan to resolve them in upcoming sprints.)
  • Low: 0 (Minor issues that can be handled as part of routine maintenance.)

🛠 Detailed Vulnerability Analysis

We've identified vulnerabilities across the codebase. Here's a detailed look:

| Weakness Name | Severity | Count |
|---|---|---|
| Sql Injection | Critical | 23 |
| Empty Catch Block | Low | 8 |
| Insecure Deserialization Binary | Critical | 3 |
| Insecure Cryptographic Hash | Critical | 15 |
| Insecure Pbe Work Factor | High | 3 |
| Custom Ssl Validation | Critical | 1 |
| Insecure Rsa Padding | Critical | 2 |
| Insecure Symmetric Encryption Mode Cbc Without Hmac | High | 9 |
| Insufficient Encryption Key Size | Critical | 1 |
| User Driven Insecure Hash Algorithm | Critical | 1 |
| Use Of Dangerous Regular Expressions | High | 5 |
| Lack Of Equals Implementation | Low | 3 |
| Inadequate Deserialization Validation | Low | 3 |
| Insecure Reflection | Medium | 7 |
| Resource Denial Of Service | Critical | 3 |
| Insecure Native Code Interaction | Low | 1 |
| Unnecessary Code Entrance | Low | 3 |
| Implementing Icloneable Interface | Low | 1 |
| Insecure Serialization Delegate | Critical | 1 |
| Writable Public Static Fields | Medium | 2 |
| Incorrect Readonly Member | Low | 1 |
| Incorrect Call To Equals With Array | Low | 2 |
| Possible Divide By Zero | Low | 2 |
| Directory Traversal | Critical | 3 |
| Unsafe Filesystem Resource Release | High | 1 |
| Insecure Deserialization Xml | Critical | 1 |
| Possibly Insecure Use Of Gethostbyaddress | Low | 1 |
| Insecure Basic Authentication | Critical | 2 |
| Insecure Ldap Simplebind | Critical | 2 |
| Ldap Resource Injection | Medium | 4 |
| Credential Exposure Log Files | High | 2 |
| Log Forging For Apache Log4net | Medium | 3 |
| Http Parameter Pollution | Critical | 3 |
| Network Connection Identifier Injection | High | 4 |
| Server Side Request Forgery | Critical | 14 |
| Xpath Injection | Critical | 1 |
| Connection String Injection | Critical | 3 |
| Unsafe Database Resource Release | High | 2 |
| Json Injection | Critical | 1 |
| Executable Injection | Medium | 1 |
| Code Injection | Critical | 1 |
| Xml Injection | High | 1 |
| Nhibernate Sql Injection | Critical | 1 |
| Ldap Injection | Critical | 5 |
| Exposing Unmasked Sensitive Data | High | 2 |
| Cross Site Request Forgery | Medium | 10 |
| Using Persistent Cookies | Low | 1 |
| Insecure Cors Configuration | Critical | 1 |
| Disabled Request Validation | High | 1 |
| Inadequate Input Validation Mvc Web Api | Medium | 4 |
| Mass Assignment | Critical | 1 |
| Http Cookie Injection | High | 3 |
| Insecure File Upload | Critical | 4 |
| Open Redirect | High | 3 |
| Http Response Splitting | Critical | 3 |
| Possibly Insecure Use Of Path Combine | High | 4 |
| Inadequate Input Validation Webforms | Medium | 8 |
| Sensitive Information Exposure | Medium | 1 |
| Potential Unsafe Decoding | Medium | 5 |
| Insecure Leakage Of System Information | Low | 2 |
| Hardcoded Credentials | Low | 24 |
| Insecure Random Number Generator | High | 9 |
| Unsafe Debug Directive | Low | 3 |
| Unsafe Version Leakage Directive | Low | 3 |
| Disabled Event Validation | High | 1 |
| Disabled Viewstate Mac Validation | High | 2 |
| Insecure Allowanonymousimpersonation Directive | Medium | 1 |
| Insecure Smtp Ssl Configuration | Critical | 1 |
| Missing Httponly Cookie Attribute | Critical | 2 |
| Insecure Hostheaderforrequesturl Directive | Low | 1 |
| Insecure Principal Permission Mode | High | 1 |
| Empty Password In Configuration | Medium | 4 |
| Insecure Msmq Authentication Mode | High | 1 |
| Session Fixation | High | 1 |
| Insecure Certificate Validation Mode | Critical | 5 |
| Insecure Database Connection Strings | Critical | 4 |
| Missing Fail Safe Error Handling | Medium | 1 |
| Insecure Maxjsondeserializermembers Directive | Low | 1 |
| Insecure Service Metadata Directive | Medium | 2 |
| Insecure Plaintext Passwords Forms Authentication | High | 1 |
| Insecure State Server Network Timeout Directive | Low | 1 |
| Insecure Ws Http Binding Security Mode | Critical | 2 |
| Insecure Storage Of Roles In Cookies | Medium | 1 |
| Insecure Include Exception Detail In Faults Directive | Low | 1 |
| Insecure Allowrelaxedrelativeurl Directive | High | 1 |
| Disabled Signature Validation | High | 1 |
| Insecure Request Validation Mode | High | 1 |
| Insecure Directory Browse Directive | Medium | 2 |
| Insecure Password Storage Forms Authentication | Medium | 2 |
| Insecure Javascriptdonotencodeampersand Directive | Medium | 1 |
| Insecure Maxhttpcollectionkeys Value | Medium | 1 |
| Insecure Suppress Audit Failure Directive | Low | 1 |
| Insecure Documentation Protocol Directive | Medium | 1 |
| Insecure Header Checking Directive Disabled | Medium | 1 |
| Xml External Entity Parsing | Critical | 1 |
| Unsafe Trace Directive | Low | 1 |
| Insecure Certificate Revocation Mode | High | 1 |
| Insecure Legacy Forms Authentication | Critical | 1 |
| Insecure Allowutf7requestcontentencoding Directive | Medium | 1 |
| Insecure Session Timeout | Medium | 1 |
| Missing Secure Cookie Attribute | Medium | 2 |
| Insecure Allowrelaxedunicodedecoding Directive | Low | 1 |
| Wcf Possible Unsafe Diagnostics | Low | 1 |
| Disabled Viewstate Encryption | High | 1 |
| Missing Cookie Protection | High | 1 |
| Insecure Relaxedhttpusername Directive | Medium | 1 |
| Impersonation In Code | Medium | 1 |
| Insecure Scriptresourceallownonjsfiles Directive | High | 1 |
| Insecure Elmah Configuration For Remote Access | High | 4 |
| Unsafe Dynamic Method Call | Critical | 42 |
| Prevent Dynamic Prototype Modification | High | 21 |
| Node Js Property Injection Defense | High | 6 |

🔗 Software Composition Analysis (SCA) Insights

Our SCA scan reviewed the third-party components used in your project

src/NETMVCBlot/packages.config

Severity Summary: Critical: 0 High: 7 Medium: 7 Low: 1

  • Dependency: jQuery
    • jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
    • jquery: Untrusted code execution via
    • jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
    • jquery: Untrusted code execution via
  • Dependency: Microsoft.Owin
    • dotnet: ASP.NET cookie prefix spoofing vulnerability
    • dotnet: malicious content causes high CPU and memory usage
  • Dependency: Newtonsoft.Json
    • Improper Handling of Exceptional Conditions in Newtonsoft.Json
    • Improper Handling of Exceptional Conditions in Newtonsoft.Json
  • Dependency: bootstrap
    • Bootstrap Cross-Site Scripting (XSS) vulnerability
    • Bootstrap Cross-Site Scripting (XSS) vulnerability
  • Dependency: jQuery.Validation
    • jquery-validate: jquery.validate.js vulnerable to ReDoS
    • Regular expression denial of service in jquery-validation
  • Dependency: Microsoft.AspNet.Identity.Owin
    • dotnet: race condition in Core SignInManager PasswordSignInAsync method
  • Dependency: Microsoft.Owin.Security.Cookies
    • dotnet: malicious content causes high CPU and memory usage
  • Dependency: RazorEngine
    • Code injection in RazorEngine
  • Dependency: Antlr
  • Dependency: EntityFramework
  • Dependency: Microsoft.AspNet.Cors
  • Dependency: Microsoft.AspNet.Identity.Core
  • Dependency: Microsoft.AspNet.Identity.EntityFramework
  • Dependency: Microsoft.AspNet.Mvc
  • Dependency: Microsoft.AspNet.Razor
  • Dependency: Microsoft.AspNet.Web.Optimization
  • Dependency: Microsoft.AspNet.WebApi
  • Dependency: Microsoft.AspNet.WebApi.Client
  • Dependency: Microsoft.AspNet.WebApi.Core
  • Dependency: Microsoft.AspNet.WebApi.Cors
  • Dependency: Microsoft.AspNet.WebApi.WebHost
  • Dependency: Microsoft.AspNet.WebPages
  • Dependency: Microsoft.CodeDom.Providers.DotNetCompilerPlatform
  • Dependency: Microsoft.Owin.Host.SystemWeb
  • Dependency: Microsoft.Owin.Security
  • Dependency: Microsoft.Owin.Security.OAuth
  • Dependency: Microsoft.SharePoint.Client
  • Dependency: Microsoft.SharePoint.dll
  • Dependency: Microsoft.Web.Infrastructure
  • Dependency: Microsoft.WebSockets
  • Dependency: Microsoft.jQuery.Unobtrusive.Validation
  • Dependency: Modernizr
  • Dependency: Owin
  • Dependency: SharePoint
  • Dependency: SharePoint.Client.Search
  • Dependency: SharePoint.Client.ServerRuntime
  • Dependency: SharePoint.Search
  • Dependency: System.Net.WebSockets
  • Dependency: WebGrease

src/NETWebFormsBlot/packages.config

Severity Summary: Critical: 0 High: 2 Medium: 6 Low: 0

  • Dependency: jQuery
    • jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
    • jquery: Untrusted code execution via
    • jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
    • jquery: Untrusted code execution via
  • Dependency: Newtonsoft.Json
    • Improper Handling of Exceptional Conditions in Newtonsoft.Json
    • Improper Handling of Exceptional Conditions in Newtonsoft.Json
  • Dependency: bootstrap
    • Bootstrap Cross-Site Scripting (XSS) vulnerability
    • Bootstrap Cross-Site Scripting (XSS) vulnerability
  • Dependency: Antlr
  • Dependency: AspNet.ScriptManager.bootstrap
  • Dependency: AspNet.ScriptManager.jQuery
  • Dependency: Microsoft.AspNet.FriendlyUrls
  • Dependency: Microsoft.AspNet.FriendlyUrls.Core
  • Dependency: Microsoft.AspNet.ScriptManager.MSAjax
  • Dependency: Microsoft.AspNet.ScriptManager.WebForms
  • Dependency: Microsoft.AspNet.Web.Optimization
  • Dependency: Microsoft.AspNet.Web.Optimization.WebForms
  • Dependency: Microsoft.CodeDom.Providers.DotNetCompilerPlatform
  • Dependency: Microsoft.Web.Infrastructure
  • Dependency: Modernizr
  • Dependency: WebGrease


📈 Next Steps & Full Report

To dive deeper, click here to view the full report. It's essential to review these findings and plan the necessary fixes. If any of the critical/high issues need more discussion, let's set up a quick meeting to strategize our next steps.


🔒 Security isn't just a feature; it's a responsibility. Let's keep our codebase rock solid!
