From f184d887d4132cfbfcaf91492439e4702ce29084 Mon Sep 17 00:00:00 2001 From: Ian Zink Date: Thu, 7 Nov 2024 16:39:50 -0600 Subject: [PATCH] Add support for code suppression fields This changes the issue count, adds a card for suppressions, and also moves any suppressed issues to the end of the list. --- sample-data/code-consistent-ignores.sarif | 6745 +++++++++++++++++ sample-data/code-upload-v1.sarif | 6732 ++++++++++++++++ src/handlebars-config.ts | 7 + src/lib/codeutil.ts | 49 +- src/lib/snyk-to-html.ts | 39 + template/code/test-report.code-snip.hbs | 39 +- template/code/test-report.hbs | 2 +- template/code/test-report.inline-css.hbs | 73 + .../test-code-consistent-ignores.json | 6745 +++++++++++++++++ test/snyk-to-html.test.ts | 24 + 10 files changed, 20448 insertions(+), 7 deletions(-) create mode 100644 sample-data/code-consistent-ignores.sarif create mode 100644 sample-data/code-upload-v1.sarif create mode 100644 src/handlebars-config.ts create mode 100644 test/fixtures/test-code-consistent-ignores.json diff --git a/sample-data/code-consistent-ignores.sarif b/sample-data/code-consistent-ignores.sarif new file mode 100644 index 0000000..d03e9ec --- /dev/null +++ b/sample-data/code-consistent-ignores.sarif 
@@ -0,0 +1,6745 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "go/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "go", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/citrix/terraform-provider-citrixadc/commit/a4c0975006ef2020c0db505d69bdcec13f10915b?diff=split#diff-a9109e20e39687dfe49012120251229e209c76557bfef1ac646718448d8ca653L-1", + "lines": [ + { + "line": "b, err := ioutil.ReadFile(inputFile)\n", + "lineNumber": 40, + "lineChange": "removed" + }, + { + "line": "b, err := ioutil.ReadFile(filepath.Clean(inputFile))\n", + "lineNumber": 40, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/MohawkTSDB/mohawk/commit/e4a68407d6e1f9a3ccfa1f0a320c04d693afe2a6?diff=split#diff-ffb4b68b82d9234bcba450c7ca14d76b3ea0eed74198d1811d802889c58252e5L-1", + "lines": [ + { + "line": "\t// Check for \"..\" in the url path,\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": "\t// if we find \"..\" in the path we will not serve static files\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\tif strings.Contains(path, \"..\") {\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": "\t\ts.next.ServeHTTP(w, r)\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\treturn\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t}\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 48, + "lineChange": "added" + }, + { + "line": "\t// Add index.html to path if it ends with /\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": "\tif path[len(path)-1:] == \"/\" {\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"index.html\"\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": 
"\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": "\t// Add /index.html to path if a directory\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "\tif fi, err := os.Stat(path); err == nil && fi.IsDir() {\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"/index.html\"\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": "\t// If file exist serve it\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": "\tif file, err := ioutil.ReadFile(path); err == nil {\n", + "lineNumber": 60, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/u-root/u-root/commit/?diff=split#diff-b2964e352f657fd0dbf5b5dc2f11b034b389e3ad9d60ef315dca58778612d468L-1", + "lines": [ + { + "line": "\tpath := filepath.Join(*directory, filepath.Clean(w.Name()))\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\tpath := filepath.Join(*directory, filepath.Join(\"/\", w.Name()))\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\tfile, err := os.Open(path)\n", + "lineNumber": 29, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 28, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "javascript/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/eclipse-vertx/vert.x/commit/d1183271de193b6bef158e2b1dfb5ba65a15cbc9?diff=split#diff-fa3b44a1f7fa945e9aedd043ef316ad52d191aef30871789663bea3426ba14baL-1", + "lines": [ + { + "line": "} else if (req.path.indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": " req.response.sendFile(\".\" + req.path);\n", + "lineNumber": 9, + "lineChange": "removed" + }, + { + "line": "} else if (req.path().indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": " req.response.sendFile(\".\" + req.path());\n", + "lineNumber": 9, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/iamfrntdv/adm-dev-kit/commit/8edeb067e703a642cb7ac7c88fb95fce8dd9c248?diff=split#diff-52baeef6a12dda5ae6078825eeb32958966ba6cbdd56792899f6273fecd26eabL-1", + "lines": [ + { + "line": "const img = fs.readFileSync(filePath);\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "res.end(img);\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": "res.sendFile(filePath, {root: './'});\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/substack/shipboard/commit/e2722480410eea3f3d7b51730dcdea49df649cd2?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1", + "lines": [ + { + "line": " if (has(pages, req.url)) {\n", + "lineNumber": 14, + "lineChange": "removed" + }, + { + "line": " var p = req.url.split(/[#?]/)[0];\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": " if (p === '/') {\n", + "lineNumber": 10, + "lineChange": "added" + }, + { + "line": " html('layout.html').pipe(hyperstream({\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " '#content': html(pages[req.url])\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": " '[page=create]': html('create.html'),\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": " '[page=view]': html('view.html'),\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": " '[page=edit]': html('edit.html')\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": " })).pipe(res);\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " else st(req, res);\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "};\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "function html (file) {\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " return fs.createReadStream(path.join(__dirname, 'html', file));\n", + "lineNumber": 23, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 40, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "python/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious 
user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "python", + "Ssrf", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/rowanlupton/pylodon/commit/6d2e152f41f5073d6b224307690087ebdce3df12?diff=split#diff-0c2bad94cd303c5944a38a94f62a63355b8bed2e102dc87c0f44de95cf135b8aL-1", + "lines": [ + { + "line": "import json, requests\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "from flask_pymongo import PyMongo\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "from activipy import vocab\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "from .forms import userLogin, userRegister, composePost\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from .users import User\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "# from .emails import lostPassword, checkToken\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "mongo = PyMongo(app)\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "SERVER_URL = 'http://populator.smilodon.social/'\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "API_HEADERS = {'Content-Type': 'application/ld+json', 'profile': 'https://www.w3.org/ns/activitystreams'}\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "@lm.user_loader\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "def load_user(handle):\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " u = 
mongo.db.users.find_one({\"id\": handle})\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " if not u:\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return None\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " return User(u['id'])\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "@login_required\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\tuser = mongo.db.users.find_one({'id': current_user.get_id()})\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\tr = requests.get(user['inbox'], headers=API_HEADERS)\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": "\tr = requests.get('http://localhost:5000/api/roo/inbox', headers=API_HEADERS)\n", + "lineNumber": 30, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", + "lines": [ + { + "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " args = parser.parse_args()\n", + "lineNumber": 33, + "lineChange": "removed" + }, + { + "line": " url = 
\"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " request = requests.get(args.zip_url, stream=True)\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": " request = requests.get(url, stream=True)\n", + "lineNumber": 34, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/schlosser/eventum/commit/?diff=split#diff-f4729fea0d9ecf9950ff3b36ce5dfba2ab27cf3fffa642b9e0d176234cdfc8a1L-1", + "lines": [ + { + "line": "old_site_url = 'http://adicu.github.com' + request.path\n", + "lineNumber": 11, + "lineChange": "removed" + }, + { + "line": "old_site_url = 'http://adicu.github.com/' + request.path\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": "response = requests.get(old_site_url)\n", + "lineNumber": 12, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 25, + "cwe": [ + "CWE-918" + ] + } + }, + { + "id": "javascript/InsecureHash", + "name": "InsecureHash", + "shortDescription": { + "text": "Use of Password Hash With Insufficient Computational Effort" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nSensitive information should never be stored in plain text, since this makes it very easy for unauthorized users, whether malicious insiders or outside attackers, to access. Hashing methods are used to make stored passwords and other sensitive data unreadable to users. For example, when a password is defined for the first time, it is hashed and then stored. The next time that user attempts to log on, the password they enter is hashed following the same procedure and compared with the stored value. 
In this way, the original password never needs to be stored in the system.\n\nHashing is a one-way scheme, meaning a hashed password cannot be reverse engineered. However, if an outdated or custom programmed hashing scheme is used, it becomes simple for an attacker with powerful modern computing power to gain access to the hashes used. This opens up access to all stored password information, leading to breached security. Therefore, it is essential for developers to understand modern, secure password hashing techniques.\n\n## Best practices for prevention\n* Use strong standard algorithms for hashing rather than simpler but outdated methods or DIY hashing schemes, which may have inherent weaknesses.\n* Use modular design for all code dealing with hashing so it can be swapped out as security standards change over time.\n* Use salting in combination with hashing (While this places more demands on resources, it is an essential step for tighter security.).\n* Implement zero-trust architecture to ensure that access to password data is granted only for legitimate business purposes.\n* Increase developer awareness of current standards in data security and cryptography.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "InsecureHash", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/steilerDev/homebridge-openhab2-complete/commit/6e92ef40f991cc372b701390945e0e5bbeb71016?diff=split#diff-34bbd467b1ab0e3497ce244b09d2bfbc4ab192303dd90b13603baf6711b522dfL-1", + "lines": [ + { + "line": "function generate(name) {\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": " const sha1sum = crypto.createHash('sha1');\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": " sha1sum.update(name);\n", + "lineNumber": 6, + "lineChange": "removed" + }, + { + "line": "function generate(name, type) {\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": " const hash = 
crypto.createHash('sha512');\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": " hash.update(name);\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": " hash.update(type);\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/raphael-group/magi/commit/1e1ed6435a97858e38d0cab962d7e248710f60e1?diff=split#diff-a4bd8e7c606b00ad2f2d6eeb95ba96714ece5c8b1266c2b503f3531b12d46257L-1", + "lines": [ + { + "line": "hasher = crypto.createHash('md5').update(url),\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "hasher = crypto.createHash('RIPEMD-64').update(url),\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/mafintosh/hyperlog/commit/d93cc65e485d740face1dacffa66dbcf03bcc7c3?diff=split#diff-b29a862e995b5e16d1763a35604cec4f13f3ca08bb9318d8f7ccfa24b757f7e0L-1", + "lines": [ + { + "line": "return crypto.createHash('sha1')\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "return crypto.createHash('sha256')\n", + "lineNumber": 3, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 52, + "cwe": [ + "CWE-916" + ] + } + }, + { + "id": "python/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "PT", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/Guad/fuwa/commit/955baf1c0e8824f08a96e48a350ee3cd0e3c5493?diff=split#diff-568470d013cd12e4f388206520da39ab9a4e4c3c6b95846cbc281abc1ba3c959L-1", + "lines": [ + { + "line": "import string, random\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "import string, random, hashlib, os\n", + "lineNumber": 1, + "lineChange": "added" + }, + { + "line": "from werkzeug import secure_filename\n", + "lineNumber": 2, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "#Load config file\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "config = {}\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": "with open('config.ini', 'r') as file:\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\tfor line in file.read().splitlines():\n", + "lineNumber": 7, + "lineChange": "added" + }, + { + "line": "\t\tline = line.split('==')\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": "\t\tconfig[line[0]] = line[1]\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "app = 
flask.Flask(__name__) #Initialize our application\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 #Set the upload limit to 10MiB\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "def genHash(seed): #Generate five letter filenames for our files\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " base = string.ascii_lowercase+string.digits \n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " random.seed(seed)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " hash_value = \"\"\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " for i in range(5):\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " hash_value += random.choice(base)\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return hash_value\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\tif flask.request.method == 'POST':\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\t\t\tFile upload happens here.\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\t\tWe get your filename and convert it to our hash with your extension.\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\t\t\tThen we redirect to the file itself.\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "\t\tf = 
flask.request.files['file']\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\t\textension = f.filename.split('.')[-1]\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "\t\tfilename = genHash(f.filename) + '.' + extension\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": "\t\tf.save('static/files/%s' % filename)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\t\tprint 'Uploaded file \\'%s\\'' % filename #Log what file was uploaded\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\t\treturn flask.redirect(flask.url_for('getFile', filename=filename))\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\t\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\t\thasher = hashlib.md5() \t\t\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\t\tbuf = f.read()\t\t \t\t\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\t\tf.seek(0) #Set cursor back to position 0 so we can read it again in the save function.\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# We hash the file to get its filename.\t \t\t\n", + "lineNumber": 37, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# So that we can upload two different images with the same filename,\n", + "lineNumber": 38, + "lineChange": "added" + }, + { + "line": "\t\thasher.update(buf)\t \t\t# But not two same images with different filenames.\n", + "lineNumber": 39, + "lineChange": "added" + }, + { + "line": "\t\tdirname = genHash(hasher.hexdigest())\n", + "lineNumber": 40, + "lineChange": "added" + }, + { + "line": "\t\tif not os.path.exists(\"static/files/%s\" % dirname): # Check if the folder already exists\n", + "lineNumber": 41, + "lineChange": "added" + }, + { + "line": "\t\t\tos.mkdir('static/files/%s' % dirname) #Make it\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": 
"\t\t\tf.save('static/files/%s/%s' % (dirname, secure_filename(f.filename)))\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\t\t\tprint 'Uploaded file \\'%s\\'' % secure_filename(f.filename) #Log what file was uploaded\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('getFile', dirname=dirname,filename=secure_filename(f.filename)))\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\telse:\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t\t\tflask.flash('File already exists in %s!' % dirname) #Display a message for the user.\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('index'))\n", + "lineNumber": 48, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/fonttools/fonttools/commit/0b99c8968e04e2e36c6c46ad8bb1a550d25969b4?diff=split#diff-e8b6161353c7ce5b13e62df1da329a85de0ef80ce8f039d283c25bf892b2b600L-1", + "lines": [ + { + "line": "os.system('gzip -9v %s' % tar)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "os.rename(gz, tgz)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": "if destdir:\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\tprint \"destination directory:\", destdir\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\tos.system('mv %s %s' % (gz, destdir))\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 36, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Chenwe-i-lin/KnowledgeFruits/commit/?diff=split#diff-ab8c675e5b4b07c550455b0884835f1df471bb69ad7142f6ad43b26cf33eb4e6L-1", + "lines": [ + { + "line": "base_path = os.path.abspath(os.path.dirname(__file__))\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": 
"base_path_for_data = os.path.join(base_path,'data/texture')\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": "file = os.path.join(base_path_for_data, image + '.png')\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "if os.path.abspath(file).startswith(base_path_for_data):\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": "with open(os.getcwd() + \"/data/texture/\" + image + '.png', \"rb\") as f:\n", + "lineNumber": 15, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 36, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "python/TarSlip", + "name": "TarSlip", + "shortDescription": { + "text": "Arbitrary File Write via Archive Extraction (Tar Slip)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nZip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.\n\n## Example\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "TarSlip", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/AlexKuhnle/ShapeWorld/commit/798a52fa5a7e01e6822dcf157600ec9b9b3e1350?diff=split#diff-be0584efe894029a1b0526edab5d2e8f7c2888ce3648e9ef4287200f61b6ac32L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": "with tarfile.open(os.path.join(directory, 'resources', language + '.dat.tar.gz'), 'r:gz') as filehandle:\n", + "lineNumber": 17, + "lineChange": "removed" + }, + { + "line": " try:\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": " fileinfo = filehandle.getmember(language + '.dat')\n", + "lineNumber": 19, + "lineChange": "removed" + }, + { + "line": " except KeyError:\n", + "lineNumber": 20, + "lineChange": "removed" + }, + { + "line": " assert False\n", + "lineNumber": 21, + "lineChange": "removed" + }, + { + "line": " filehandle.extract(member=fileinfo)\n", + "lineNumber": 22, + "lineChange": "removed" + }, + { + "line": "import gzip\n", + "lineNumber": 16, + "lineChange": "added" + }, + { + "line": "with gzip.open(os.path.join(directory, 'resources', language + '.dat.gz'), 'rb') as gzip_filehandle:\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": " with open(os.path.join(directory, 'resources', language + '.dat'), 'wb') as filehandle:\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": " filehandle.write(gzip_filehandle.read())\n", + "lineNumber": 19, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Hydrospheredata/kubeflow-workshop/commit/754457fccfe919cde60d4ca240f28b374f593334?diff=split#diff-8ac076fbde9e80ce02018a52a6ad9e873aa9be704e8dac4b8abc44b314b588b9L-1", + "lines": [ + { + "line": "import os, gzip, tarfile, shutil, glob\n", + "lineNumber": 2, + "lineChange": "none" 
+ }, + { + "line": "import urllib, urllib.parse, urllib.request\n", + "lineNumber": 3, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "def download_files(base_url, base_dir, files):\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": " \"\"\" Download required data \"\"\"\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " downloaded = []\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " os.makedirs(base_dir, exist_ok=True)\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": " for file in files:\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": " print(f\"Started downloading {file}\", flush=True)\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": " download_url = urllib.parse.urljoin(base_url, file)\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": " download_path = os.path.join(base_dir, file)\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " local_file, _ = urllib.request.urlretrieve(download_url, download_path)\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " unpack_file(local_file, base_dir)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " return downloaded\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "def unpack_file(file, base_dir):\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " \"\"\" Unpacking all compressed files. 
\"\"\"\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " print(f\"Unpacking {file}\", flush=True)\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": " if os.path.split(base_dir)[-1] == \"mnist\":\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "with gzip.open(file, 'rb') as f_in, open(file[:-3],'wb') as f_out:\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": " shutil.copyfileobj(f_in, f_out)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "if os.path.split(base_dir)[-1] == \"notmnist\":\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": " with tarfile.open(file) as f_tar: \n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " f_tar.extractall(base_dir)\n", + "lineNumber": 31, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/lpcinelli/foreground-segmentation/commit/17489eb13e3d50a2b2c373258d05a6c0160fd4f5?diff=split#diff-0127893470062e012505a30a335e174e59d3db3e164684944b6a83e57cdb6cb2L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "import urllib\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "from zipfile import ZipFile\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "import glob2 as glob\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "import numpy as np\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "import pandas as pd\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from PIL import Image\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "from tqdm import tqdm\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + 
"lineChange": "none" + }, + { + "line": "URL = \"http://wordpress-jodoin.dmi.usherb.ca/static/dataset/dataset2014.zip\"\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "MD5 = \"d86332547edbc25f4ddbcd49f92413cf\"\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "BASE_PATH = os.path.dirname(os.path.abspath(__file__))\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "def md5file(fname):\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " hash_md5 = hashlib.md5()\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " with open(fname, \"rb\") as f:\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " for chunk in iter(lambda: f.read(4096), b\"\"):\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " hash_md5.update(chunk)\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " return hash_md5.hexdigest()\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": "def download(url, md5sum, target_dir):\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " \"\"\"Download file from url to target_dir, and check md5sum.\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " Adapted from PaddlePaddle/DeepSpeech repo\"\"\"\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " if not os.path.exists(target_dir): os.makedirs(target_dir)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": " filepath = os.path.join(target_dir, url.split(\"/\")[-1])\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "if not (os.path.exists(filepath) and md5file(filepath) == md5sum):\n", + "lineNumber": 50, + "lineChange": "none" + }, + 
{ + "line": " print(\"Downloading %s ...\" % url)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " os.system(\"wget -c \" + url + \" -P \" + target_dir)\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " print(\"\\nMD5 Chesksum %s ...\" % filepath)\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " if not md5file(filepath) == md5sum:\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " raise RuntimeError(\"MD5 checksum failed.\")\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": " else:\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": " print(\"File exists, skip downloading. (%s)\" % filepath)\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": " return filepath\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": "def unpack(filepath, target_dir, rm_tar=False):\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " \"\"\"Unpack the file to the target_dir.\"\"\"\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": " print(\"Unpacking %s ...\" % filepath)\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " tar = tarfile.open(filepath)\n", + "lineNumber": 44, + "lineChange": "removed" + }, + { + "line": " tar.extractall(target_dir)\n", + "lineNumber": 45, + "lineChange": "removed" + }, + { + "line": " tar.close()\n", + "lineNumber": 46, + "lineChange": "removed" + }, + { + "line": " if rm_tar == True:\n", + "lineNumber": 47, + "lineChange": "removed" + }, + { + "line": " if os.path.exists(os.path.join(target_dir, 'dataset')):\n", + "lineNumber": 69, + "lineChange": "added" + }, + { + "line": " print(\"Skip unpacking. 
Data already extracted at %s.\" % os.path.join(\n", + "lineNumber": 70, + "lineChange": "added" + }, + { + "line": " target_dir, 'dataset'))\n", + "lineNumber": 71, + "lineChange": "added" + }, + { + "line": " return\n", + "lineNumber": 72, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 73, + "lineChange": "added" + }, + { + "line": " print(\"Unpacking {}...\".format(filepath))\n", + "lineNumber": 74, + "lineChange": "added" + }, + { + "line": " with ZipFile(filepath) as fzip:\n", + "lineNumber": 75, + "lineChange": "added" + }, + { + "line": " fzip.extractall(target_dir)\n", + "lineNumber": 76, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "added" + }, + { + "line": " if remove:\n", + "lineNumber": 78, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 49, + "cwe": [ + "CWE-22" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "go/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from file name flows into os.RemoveAll, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "arguments": [ + "[file name](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[os.RemoveAll](7)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + ], + "fingerprints": { + "0": "998e99d008f4ed509ec6ea9ca36a6e5937d20273899c2f657a7aca2622dd2916", + "1": "35b36391.287901c3.45df3e14.0c66bee6.84c49f13.67ab4541.860c51ff.d84e5c6a.fad7f6c7.73eb5804.45df3e14.e22980a8.e8c00e77.9383b6fc.c2cfdcd9.d84e5c6a", + "identity": "d6a92302-1515-479e-b119-2768df2d0261" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 18, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 3, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", 
+ "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 6, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 55, + "endColumn": 66 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 23, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 508, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.readdir, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31)", + "[fs.readdir](32)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + ], + "fingerprints": { + "0": "40dcd0ff18dad04e05324109ba598808175487b8303c1d0f095e33154f35becc", + "1": "227ff053.93dc32e3.126beb45.f22d421d.ef9f7d82.8020cfdf.83265159.43a0f1fe.6bb676bb.277c621c.c9330245.8a2e0395.acf24367.5fce695c.55818220.ef6bffc1", + "identity": "7b341903-0e0b-4e39-90e4-ef6fa2ce58d4" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + 
"physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + 
"location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } 
+ } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 114, + "endLine": 114, + "startColumn": 62, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 156, + "endLine": 156, + "startColumn": 3, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + 
"startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 37, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 16, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.stat, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25)", + "[fs.stat](26)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + ], + "fingerprints": { + "0": "5e0b622c51f8c9f1cdbc7e767b9258c4c32f4122c85c5887b603e62d7ba03b5f", + "1": "227ff053.93dc32e3.126beb45.ed202363.c2cde80a.2da1a176.83265159.43a0f1fe.6bb676bb.c4f12ae6.97923ac6.df3c423f.601e4ccc.1d3def36.3e0616cf.ef6bffc1", + "identity": "7d9ef9cb-339e-4241-b820-5ddabcfdd259" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": 
{ + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 12, + 
"physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + 
"location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 32, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 13, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": 
"fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18)", + "[requests.get](19)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + ], + "fingerprints": { + "0": "1ac4c999d9f9c976efa5283a07e8d070ea9c476bd0b67cc95af2f19f60486d46", + "1": "2b627c13.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.75d4ed92.8794408a.e06468b8.2da3d253.16f66073.3beeacb6.25ac000c.73cfdf26.cc914b1e.f46ed94e", + "identity": "c3c7608f-9d2f-4597-8e50-42e7eaa3cb95" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + 
"region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + 
"artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20)", + "[requests.get](21)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + ], + "fingerprints": { + "0": "9a3787f3591d8ec7fbba72d1451e02cb5788ecdde35dea680749d037c3222282", + "1": "befed5bc.4e7b2cf3.ef7ad415.139c59a8.25ac000c.ba14daf2.081ac3f4.ebed174f.129db901.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.cc914b1e.36100b92", + "identity": "6657f475-9800-4c42-971a-52233cae9260" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": 
{ + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 44 + } + } + } + }, + { + "location": { + 
"id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 56 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14)", + "[requests.get](15)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 27, + "endColumn": 44 + } + } + } + ], + "fingerprints": { + "0": "5e83a48b58134323a3afdec34bce3b5f67930ae86ccd334485fa819643306a19", + "1": "8a30cfc6.2fab3ddd.79e62dc9.3beeacb6.1a0abf6d.f7316481.0a7337bb.8794408a.8a30cfc6.2fab3ddd.7dc6970d.3beeacb6.25ac000c.73cfdf26.51b4c2f8.247d501d", + "identity": "a3f8fce9-55d2-4081-8d8e-a073f243152d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "this is a temporary ignore until the year 2099", + "properties": { + "category": "temporary-ignore", + "expiration": "2099-01-05T06:00:00Z", + "ignoredOn": "2024-11-07T22:24:42.223Z", + "ignoredBy": { + "name": "Ian Zink", + "email": "ian.zink@snyk.io" + } + } + } + ] + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "md5 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[md5](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + ], + "fingerprints": { + "0": "479642e07aa12fee9dc1506f4eda082c7e69a5328eac0d4d0fd51927b86eaccf", + "1": "37bc1bfe.4773f344.191eaf2b.5e127924.ef9f7d82.8020cfdf.7a8c7288.71520ffe.9ff0579e.706318d0.191eaf2b.5e127924.ef9f7d82.5fce695c.04f551bd.71520ffe", + "identity": "9587a91d-4df4-49bd-bca8-9218d6d56cbd" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 171, + "endLine": 171, + "startColumn": 17, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "sha1 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[sha1](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "5402b52f3d79f78a64fbffbae9bb024a432ccf8e514f3db9371538a89377ae99", + "1": "37bc1bfe.ef45cec4.191eaf2b.d7919eeb.ef9f7d82.82ca542b.cd61fc56.71520ffe.9ff0579e.706318d0.191eaf2b.d7919eeb.ef9f7d82.5fce695c.cd61fc56.71520ffe", + "identity": "96ea0b3c-f347-436c-967d-c9795a5fbec8" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 36, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33)", + "[open](34)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + ], + "fingerprints": { + "0": "245fb45dffe940840d9bb382473ed5c68c335cf2ba9061d480909dc4b38f3980", + "1": "2e8ddaeb.09b47a5b.187bf175.e8753240.f3eda546.addfbd48.081ac3f4.a4830b9a.a756d36d.04ad2656.184a673a.e8753240.25ac000c.526495d1.e21874cf.0405b305", + "identity": "5b3fe9c9-a3c5-4aed-9c0a-32902e91a829" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + 
"id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } 
+ }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + 
"endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 
55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 5, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 127, + "endLine": 127, + "startColumn": 46, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 25, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 33, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": 
true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35)", + "[open](36)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + ], + "fingerprints": { + "0": "61f31832f7551d38760fdd29e60545da5145a358b4d6b62bdf22df5f695544b1", + "1": "2e8ddaeb.0305cef3.187bf175.2c554a8d.f3eda546.c553eccf.081ac3f4.0405b305.da9cf85a.04ad2656.184a673a.3beeacb6.25ac000c.c84fb153.2701234b.163a4e7f", + "identity": "dbeeb6a3-52aa-4a39-9b84-7c4c3dcdf79b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, 
+ { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + 
"endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, 
+ "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 62 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 74 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 5, + "endColumn": 90 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 133, + "endLine": 133, + "startColumn": 54, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 33, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 38, + "endLine": 38, + "startColumn": 33, + "endColumn": 37 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 48, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 35, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 15, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 36, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into urllib.request.urlretrieve, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27)", + "[urllib.request.urlretrieve](28)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "0282674d572f7f297cd1aa78d33f45124c60e98e37f6259e7e562ff742f2dffe", + "1": "5ca5064a.b9c753f4.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305.ebdf5327.04ad2656.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305", + "identity": "26a7896d-933e-4c5d-af1e-872a99139bdb" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 
4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + 
{ + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + 
"endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 
55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into extractall, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15)", + "[extractall](16)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "1fe02d7432ce63d25cde1d07567918e0db228ef216fdfd91b82d3f17d235cdbe", + "1": "ac3946d7.794dc90c.2683ade8.139c59a8.056de048.ba14daf2.081ac3f4.8794408a.ac3946d7.04ad2656.187bf175.3beeacb6.aa4d77a8.526495d1.9280a36a.163a4e7f", + "identity": "d004df0d-e867-4493-a0d9-6f432197c7d4" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + 
"uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 61, + "endColumn": 65 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + 
"uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 76, + "endColumn": 80 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 70 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 34, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 30, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 52, + "endColumn": 64 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 33, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 28, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 16, + 
"physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "this is by design", + "properties": { + "category": "not-vulnerable", + "expiration": null, + "ignoredOn": "2024-11-07T22:29:45.657Z", + "ignoredBy": { + "name": "Ian Zink", + "email": "ian.zink@snyk.io" + } + } + } + ] + }, + { + "ruleId": "python/TarSlip", + "ruleIndex": 5, + "level": "warning", + "message": { + "text": "Calling extractall to extract all files from a tar file without sanitization. This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "markdown": "Calling {0} to extract all files from a tar file without sanitization. 
This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "arguments": [ + "[extractall](0)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "660533bad4614fc5e6d0a8f09aac6f01fba6015567fadfe0e81a506f14f52d56", + "1": "560a52d0.755ecede.187bf175.8a4e3f10.64ffc8ed.fb8cc529.28caaf2d.fa07e0a8.66f0b7f9.755ecede.187bf175.8a4e3f10.64ffc8ed.c7570064.292a8005.d53c5b6c", + "identity": "32200593-2fe9-40f1-bf2c-587b822f0ae5" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 558, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + } + ], + "properties": { + "coverage": [ + { + "files": 15, + "isSupported": true, + "lang": "JavaScript", + "type": "SUPPORTED" + }, + { + "files": 340, + "isSupported": true, + "lang": "TypeScript", + "type": "SUPPORTED" + }, + { + "files": 29, + "isSupported": true, + "lang": "Go", + "type": "SUPPORTED" + }, + { + "files": 1, + "isSupported": true, + "lang": ".config", + "type": "SUPPORTED" + }, + { + "files": 1, + "isSupported": true, + "lang": "XML", + "type": "SUPPORTED" + }, + { + "files": 3, + "isSupported": true, + "lang": "Python", + "type": "SUPPORTED" + } + ] + } + } + ] +} diff --git a/sample-data/code-upload-v1.sarif b/sample-data/code-upload-v1.sarif new file mode 100644 index 0000000..1b7a4b5 
--- /dev/null
+++ b/sample-data/code-upload-v1.sarif
@@ -0,0 +1,6732 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "python/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "PT", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/Guad/fuwa/commit/955baf1c0e8824f08a96e48a350ee3cd0e3c5493?diff=split#diff-568470d013cd12e4f388206520da39ab9a4e4c3c6b95846cbc281abc1ba3c959L-1", + "lines": [ + { + "line": "import string, random\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "import string, random, hashlib, os\n", + "lineNumber": 1, + "lineChange": "added" + }, + { + "line": "from werkzeug import secure_filename\n", + "lineNumber": 2, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "#Load config file\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "config = {}\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": "with open('config.ini', 'r') as file:\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\tfor line in file.read().splitlines():\n", + "lineNumber": 7, + "lineChange": "added" + }, + { + "line": "\t\tline = line.split('==')\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": "\t\tconfig[line[0]] = line[1]\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "app = flask.Flask(__name__) #Initialize our application\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 #Set the upload limit to 10MiB\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "def genHash(seed): #Generate five letter filenames for our files\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " base = 
string.ascii_lowercase+string.digits \n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " random.seed(seed)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " hash_value = \"\"\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " for i in range(5):\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " hash_value += random.choice(base)\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return hash_value\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\tif flask.request.method == 'POST':\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\t\t\tFile upload happens here.\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\t\tWe get your filename and convert it to our hash with your extension.\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\t\t\tThen we redirect to the file itself.\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "\t\tf = flask.request.files['file']\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\t\textension = f.filename.split('.')[-1]\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "\t\tfilename = genHash(f.filename) + '.' 
+ extension\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": "\t\tf.save('static/files/%s' % filename)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\t\tprint 'Uploaded file \\'%s\\'' % filename #Log what file was uploaded\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\t\treturn flask.redirect(flask.url_for('getFile', filename=filename))\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\t\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\t\thasher = hashlib.md5() \t\t\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\t\tbuf = f.read()\t\t \t\t\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\t\tf.seek(0) #Set cursor back to position 0 so we can read it again in the save function.\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# We hash the file to get its filename.\t \t\t\n", + "lineNumber": 37, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# So that we can upload two different images with the same filename,\n", + "lineNumber": 38, + "lineChange": "added" + }, + { + "line": "\t\thasher.update(buf)\t \t\t# But not two same images with different filenames.\n", + "lineNumber": 39, + "lineChange": "added" + }, + { + "line": "\t\tdirname = genHash(hasher.hexdigest())\n", + "lineNumber": 40, + "lineChange": "added" + }, + { + "line": "\t\tif not os.path.exists(\"static/files/%s\" % dirname): # Check if the folder already exists\n", + "lineNumber": 41, + "lineChange": "added" + }, + { + "line": "\t\t\tos.mkdir('static/files/%s' % dirname) #Make it\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": "\t\t\tf.save('static/files/%s/%s' % (dirname, secure_filename(f.filename)))\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\t\t\tprint 'Uploaded file \\'%s\\'' % secure_filename(f.filename) #Log what file was uploaded\n", + "lineNumber": 44, 
+ "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('getFile', dirname=dirname,filename=secure_filename(f.filename)))\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\telse:\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t\t\tflask.flash('File already exists in %s!' % dirname) #Display a message for the user.\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('index'))\n", + "lineNumber": 48, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/fonttools/fonttools/commit/0b99c8968e04e2e36c6c46ad8bb1a550d25969b4?diff=split#diff-e8b6161353c7ce5b13e62df1da329a85de0ef80ce8f039d283c25bf892b2b600L-1", + "lines": [ + { + "line": "os.system('gzip -9v %s' % tar)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "os.rename(gz, tgz)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": "if destdir:\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\tprint \"destination directory:\", destdir\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\tos.system('mv %s %s' % (gz, destdir))\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 36, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Chenwe-i-lin/KnowledgeFruits/commit/?diff=split#diff-ab8c675e5b4b07c550455b0884835f1df471bb69ad7142f6ad43b26cf33eb4e6L-1", + "lines": [ + { + "line": "base_path = os.path.abspath(os.path.dirname(__file__))\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": "base_path_for_data = os.path.join(base_path,'data/texture')\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": "file = os.path.join(base_path_for_data, image + '.png')\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "if 
os.path.abspath(file).startswith(base_path_for_data):\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": "with open(os.getcwd() + \"/data/texture/\" + image + '.png', \"rb\") as f:\n", + "lineNumber": 15, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 36, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "go/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "go", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/citrix/terraform-provider-citrixadc/commit/a4c0975006ef2020c0db505d69bdcec13f10915b?diff=split#diff-a9109e20e39687dfe49012120251229e209c76557bfef1ac646718448d8ca653L-1", + "lines": [ + { + "line": "b, err := ioutil.ReadFile(inputFile)\n", + "lineNumber": 40, + "lineChange": "removed" + }, + { + "line": "b, err := ioutil.ReadFile(filepath.Clean(inputFile))\n", + "lineNumber": 40, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/MohawkTSDB/mohawk/commit/e4a68407d6e1f9a3ccfa1f0a320c04d693afe2a6?diff=split#diff-ffb4b68b82d9234bcba450c7ca14d76b3ea0eed74198d1811d802889c58252e5L-1", + "lines": [ + { + "line": "\t// Check for \"..\" in the url path,\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": "\t// if we find \"..\" in the path we will not serve static files\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\tif strings.Contains(path, \"..\") {\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": "\t\ts.next.ServeHTTP(w, r)\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\treturn\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t}\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 48, + "lineChange": "added" + }, + { + "line": "\t// Add index.html to path if it ends with /\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": "\tif path[len(path)-1:] == \"/\" {\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"index.html\"\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": 
"\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": "\t// Add /index.html to path if a directory\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "\tif fi, err := os.Stat(path); err == nil && fi.IsDir() {\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"/index.html\"\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": "\t// If file exist serve it\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": "\tif file, err := ioutil.ReadFile(path); err == nil {\n", + "lineNumber": 60, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/u-root/u-root/commit/?diff=split#diff-b2964e352f657fd0dbf5b5dc2f11b034b389e3ad9d60ef315dca58778612d468L-1", + "lines": [ + { + "line": "\tpath := filepath.Join(*directory, filepath.Clean(w.Name()))\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\tpath := filepath.Join(*directory, filepath.Join(\"/\", w.Name()))\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\tfile, err := os.Open(path)\n", + "lineNumber": 29, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 28, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "javascript/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/eclipse-vertx/vert.x/commit/d1183271de193b6bef158e2b1dfb5ba65a15cbc9?diff=split#diff-fa3b44a1f7fa945e9aedd043ef316ad52d191aef30871789663bea3426ba14baL-1", + "lines": [ + { + "line": "} else if (req.path.indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": " req.response.sendFile(\".\" + req.path);\n", + "lineNumber": 9, + "lineChange": "removed" + }, + { + "line": "} else if (req.path().indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": " req.response.sendFile(\".\" + req.path());\n", + "lineNumber": 9, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/iamfrntdv/adm-dev-kit/commit/8edeb067e703a642cb7ac7c88fb95fce8dd9c248?diff=split#diff-52baeef6a12dda5ae6078825eeb32958966ba6cbdd56792899f6273fecd26eabL-1", + "lines": [ + { + "line": "const img = fs.readFileSync(filePath);\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "res.end(img);\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": "res.sendFile(filePath, {root: './'});\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/substack/shipboard/commit/e2722480410eea3f3d7b51730dcdea49df649cd2?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1", + "lines": [ + { + "line": " if (has(pages, req.url)) {\n", + "lineNumber": 14, + "lineChange": "removed" + }, + { + "line": " var p = req.url.split(/[#?]/)[0];\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": " if (p === '/') {\n", + "lineNumber": 10, + "lineChange": "added" + }, + { + "line": " html('layout.html').pipe(hyperstream({\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " '#content': html(pages[req.url])\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": " '[page=create]': html('create.html'),\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": " '[page=view]': html('view.html'),\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": " '[page=edit]': html('edit.html')\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": " })).pipe(res);\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " else st(req, res);\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "};\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "function html (file) {\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " return fs.createReadStream(path.join(__dirname, 'html', file));\n", + "lineNumber": 23, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 40, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "python/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious 
user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "python", + "Ssrf", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/rowanlupton/pylodon/commit/6d2e152f41f5073d6b224307690087ebdce3df12?diff=split#diff-0c2bad94cd303c5944a38a94f62a63355b8bed2e102dc87c0f44de95cf135b8aL-1", + "lines": [ + { + "line": "import json, requests\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "from flask_pymongo import PyMongo\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "from activipy import vocab\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "from .forms import userLogin, userRegister, composePost\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from .users import User\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "# from .emails import lostPassword, checkToken\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "mongo = PyMongo(app)\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "SERVER_URL = 'http://populator.smilodon.social/'\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "API_HEADERS = {'Content-Type': 'application/ld+json', 'profile': 'https://www.w3.org/ns/activitystreams'}\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "@lm.user_loader\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "def load_user(handle):\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " u = 
mongo.db.users.find_one({\"id\": handle})\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " if not u:\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return None\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " return User(u['id'])\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "@login_required\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\tuser = mongo.db.users.find_one({'id': current_user.get_id()})\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\tr = requests.get(user['inbox'], headers=API_HEADERS)\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": "\tr = requests.get('http://localhost:5000/api/roo/inbox', headers=API_HEADERS)\n", + "lineNumber": 30, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", + "lines": [ + { + "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " args = parser.parse_args()\n", + "lineNumber": 33, + "lineChange": "removed" + }, + { + "line": " url = 
\"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " request = requests.get(args.zip_url, stream=True)\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": " request = requests.get(url, stream=True)\n", + "lineNumber": 34, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/schlosser/eventum/commit/?diff=split#diff-f4729fea0d9ecf9950ff3b36ce5dfba2ab27cf3fffa642b9e0d176234cdfc8a1L-1", + "lines": [ + { + "line": "old_site_url = 'http://adicu.github.com' + request.path\n", + "lineNumber": 11, + "lineChange": "removed" + }, + { + "line": "old_site_url = 'http://adicu.github.com/' + request.path\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": "response = requests.get(old_site_url)\n", + "lineNumber": 12, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 25, + "cwe": [ + "CWE-918" + ] + } + }, + { + "id": "javascript/InsecureHash", + "name": "InsecureHash", + "shortDescription": { + "text": "Use of Password Hash With Insufficient Computational Effort" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nSensitive information should never be stored in plain text, since this makes it very easy for unauthorized users, whether malicious insiders or outside attackers, to access. Hashing methods are used to make stored passwords and other sensitive data unreadable to users. For example, when a password is defined for the first time, it is hashed and then stored. The next time that user attempts to log on, the password they enter is hashed following the same procedure and compared with the stored value. 
In this way, the original password never needs to be stored in the system.\n\nHashing is a one-way scheme, meaning a hashed password cannot be reverse engineered. However, if an outdated or custom programmed hashing scheme is used, it becomes simple for an attacker with powerful modern computing power to gain access to the hashes used. This opens up access to all stored password information, leading to breached security. Therefore, it is essential for developers to understand modern, secure password hashing techniques.\n\n## Best practices for prevention\n* Use strong standard algorithms for hashing rather than simpler but outdated methods or DIY hashing schemes, which may have inherent weaknesses.\n* Use modular design for all code dealing with hashing so it can be swapped out as security standards change over time.\n* Use salting in combination with hashing (While this places more demands on resources, it is an essential step for tighter security.).\n* Implement zero-trust architecture to ensure that access to password data is granted only for legitimate business purposes.\n* Increase developer awareness of current standards in data security and cryptography.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "InsecureHash", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/steilerDev/homebridge-openhab2-complete/commit/6e92ef40f991cc372b701390945e0e5bbeb71016?diff=split#diff-34bbd467b1ab0e3497ce244b09d2bfbc4ab192303dd90b13603baf6711b522dfL-1", + "lines": [ + { + "line": "function generate(name) {\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": " const sha1sum = crypto.createHash('sha1');\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": " sha1sum.update(name);\n", + "lineNumber": 6, + "lineChange": "removed" + }, + { + "line": "function generate(name, type) {\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": " const hash = 
crypto.createHash('sha512');\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": " hash.update(name);\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": " hash.update(type);\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/raphael-group/magi/commit/1e1ed6435a97858e38d0cab962d7e248710f60e1?diff=split#diff-a4bd8e7c606b00ad2f2d6eeb95ba96714ece5c8b1266c2b503f3531b12d46257L-1", + "lines": [ + { + "line": "hasher = crypto.createHash('md5').update(url),\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "hasher = crypto.createHash('RIPEMD-64').update(url),\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/mafintosh/hyperlog/commit/d93cc65e485d740face1dacffa66dbcf03bcc7c3?diff=split#diff-b29a862e995b5e16d1763a35604cec4f13f3ca08bb9318d8f7ccfa24b757f7e0L-1", + "lines": [ + { + "line": "return crypto.createHash('sha1')\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "return crypto.createHash('sha256')\n", + "lineNumber": 3, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 52, + "cwe": [ + "CWE-916" + ] + } + }, + { + "id": "python/TarSlip", + "name": "TarSlip", + "shortDescription": { + "text": "Arbitrary File Write via Archive Extraction (Tar Slip)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nZip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. 
The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.\n\n## Example\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "TarSlip", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/AlexKuhnle/ShapeWorld/commit/798a52fa5a7e01e6822dcf157600ec9b9b3e1350?diff=split#diff-be0584efe894029a1b0526edab5d2e8f7c2888ce3648e9ef4287200f61b6ac32L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": "with tarfile.open(os.path.join(directory, 'resources', language + '.dat.tar.gz'), 'r:gz') as filehandle:\n", + "lineNumber": 17, + "lineChange": "removed" + }, + { + "line": " try:\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": " fileinfo = filehandle.getmember(language + '.dat')\n", + "lineNumber": 19, + "lineChange": "removed" + }, + { + "line": " except KeyError:\n", + "lineNumber": 20, + "lineChange": "removed" + }, + { + "line": " assert False\n", + "lineNumber": 21, + "lineChange": "removed" + }, + { + "line": " filehandle.extract(member=fileinfo)\n", + "lineNumber": 22, + "lineChange": "removed" + }, + { + "line": "import gzip\n", + "lineNumber": 16, + "lineChange": "added" + }, + { + "line": "with gzip.open(os.path.join(directory, 'resources', language + '.dat.gz'), 'rb') as gzip_filehandle:\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": " with open(os.path.join(directory, 'resources', language + '.dat'), 'wb') as 
filehandle:\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": " filehandle.write(gzip_filehandle.read())\n", + "lineNumber": 19, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Hydrospheredata/kubeflow-workshop/commit/754457fccfe919cde60d4ca240f28b374f593334?diff=split#diff-8ac076fbde9e80ce02018a52a6ad9e873aa9be704e8dac4b8abc44b314b588b9L-1", + "lines": [ + { + "line": "import os, gzip, tarfile, shutil, glob\n", + "lineNumber": 2, + "lineChange": "none" + }, + { + "line": "import urllib, urllib.parse, urllib.request\n", + "lineNumber": 3, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "def download_files(base_url, base_dir, files):\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": " \"\"\" Download required data \"\"\"\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " downloaded = []\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " os.makedirs(base_dir, exist_ok=True)\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": " for file in files:\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": " print(f\"Started downloading {file}\", flush=True)\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": " download_url = urllib.parse.urljoin(base_url, file)\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": " download_path = os.path.join(base_dir, file)\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " local_file, _ = urllib.request.urlretrieve(download_url, download_path)\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " unpack_file(local_file, base_dir)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " \n", + 
"lineNumber": 18, + "lineChange": "none" + }, + { + "line": " return downloaded\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "def unpack_file(file, base_dir):\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " \"\"\" Unpacking all compressed files. \"\"\"\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " print(f\"Unpacking {file}\", flush=True)\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": " if os.path.split(base_dir)[-1] == \"mnist\":\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "with gzip.open(file, 'rb') as f_in, open(file[:-3],'wb') as f_out:\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": " shutil.copyfileobj(f_in, f_out)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "if os.path.split(base_dir)[-1] == \"notmnist\":\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": " with tarfile.open(file) as f_tar: \n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " f_tar.extractall(base_dir)\n", + "lineNumber": 31, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/lpcinelli/foreground-segmentation/commit/17489eb13e3d50a2b2c373258d05a6c0160fd4f5?diff=split#diff-0127893470062e012505a30a335e174e59d3db3e164684944b6a83e57cdb6cb2L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "import urllib\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "from zipfile import ZipFile\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "import glob2 as glob\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "import numpy as np\n", 
+ "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "import pandas as pd\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from PIL import Image\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "from tqdm import tqdm\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "URL = \"http://wordpress-jodoin.dmi.usherb.ca/static/dataset/dataset2014.zip\"\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "MD5 = \"d86332547edbc25f4ddbcd49f92413cf\"\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "BASE_PATH = os.path.dirname(os.path.abspath(__file__))\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "def md5file(fname):\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " hash_md5 = hashlib.md5()\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " with open(fname, \"rb\") as f:\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " for chunk in iter(lambda: f.read(4096), b\"\"):\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " hash_md5.update(chunk)\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " return hash_md5.hexdigest()\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": "def download(url, md5sum, target_dir):\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " \"\"\"Download file from url to target_dir, and check md5sum.\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " Adapted from PaddlePaddle/DeepSpeech repo\"\"\"\n", + "lineNumber": 
44, + "lineChange": "none" + }, + { + "line": " if not os.path.exists(target_dir): os.makedirs(target_dir)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": " filepath = os.path.join(target_dir, url.split(\"/\")[-1])\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "if not (os.path.exists(filepath) and md5file(filepath) == md5sum):\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": " print(\"Downloading %s ...\" % url)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " os.system(\"wget -c \" + url + \" -P \" + target_dir)\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " print(\"\\nMD5 Chesksum %s ...\" % filepath)\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " if not md5file(filepath) == md5sum:\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " raise RuntimeError(\"MD5 checksum failed.\")\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": " else:\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": " print(\"File exists, skip downloading. 
(%s)\" % filepath)\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": " return filepath\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": "def unpack(filepath, target_dir, rm_tar=False):\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " \"\"\"Unpack the file to the target_dir.\"\"\"\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": " print(\"Unpacking %s ...\" % filepath)\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " tar = tarfile.open(filepath)\n", + "lineNumber": 44, + "lineChange": "removed" + }, + { + "line": " tar.extractall(target_dir)\n", + "lineNumber": 45, + "lineChange": "removed" + }, + { + "line": " tar.close()\n", + "lineNumber": 46, + "lineChange": "removed" + }, + { + "line": " if rm_tar == True:\n", + "lineNumber": 47, + "lineChange": "removed" + }, + { + "line": " if os.path.exists(os.path.join(target_dir, 'dataset')):\n", + "lineNumber": 69, + "lineChange": "added" + }, + { + "line": " print(\"Skip unpacking. 
Data already extracted at %s.\" % os.path.join(\n", + "lineNumber": 70, + "lineChange": "added" + }, + { + "line": " target_dir, 'dataset'))\n", + "lineNumber": 71, + "lineChange": "added" + }, + { + "line": " return\n", + "lineNumber": 72, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 73, + "lineChange": "added" + }, + { + "line": " print(\"Unpacking {}...\".format(filepath))\n", + "lineNumber": 74, + "lineChange": "added" + }, + { + "line": " with ZipFile(filepath) as fzip:\n", + "lineNumber": 75, + "lineChange": "added" + }, + { + "line": " fzip.extractall(target_dir)\n", + "lineNumber": 76, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "added" + }, + { + "line": " if remove:\n", + "lineNumber": 78, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 49, + "cwe": [ + "CWE-22" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "python/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33)", + "[open](34)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + ], + "fingerprints": { + "0": "245fb45dffe940840d9bb382473ed5c68c335cf2ba9061d480909dc4b38f3980", + "1": "2e8ddaeb.09b47a5b.187bf175.e8753240.f3eda546.addfbd48.081ac3f4.a4830b9a.a756d36d.04ad2656.184a673a.e8753240.25ac000c.526495d1.e21874cf.0405b305", + "identity": "f9083bf9-efa3-4dd2-bbab-18195ff61ddc" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + 
"physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + { + 
"location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + "endColumn": 77 
+ } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + 
"startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 5, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 127, + "endLine": 127, + "startColumn": 46, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 25, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 33, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + 
"type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "this is expected by this functionality not a security issue", + "kind": "external" + } + ] + }, + { + "ruleId": "python/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35)", + "[open](36)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + ], + "fingerprints": { + "0": "61f31832f7551d38760fdd29e60545da5145a358b4d6b62bdf22df5f695544b1", + "1": "2e8ddaeb.0305cef3.187bf175.2c554a8d.f3eda546.c553eccf.081ac3f4.0405b305.da9cf85a.04ad2656.184a673a.3beeacb6.25ac000c.c84fb153.2701234b.163a4e7f", + "identity": "2096fa94-3a44-46fe-9728-97b63cc23e79" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { 
+ "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 62 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 74 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + 
"artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 5, + "endColumn": 90 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 133, + "endLine": 133, + "startColumn": 54, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 33, 
+ "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 38, + "endLine": 38, + "startColumn": 33, + "endColumn": 37 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 48, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 35, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 15, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 36, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "python/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into urllib.request.urlretrieve, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27)", + "[urllib.request.urlretrieve](28)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "0282674d572f7f297cd1aa78d33f45124c60e98e37f6259e7e562ff742f2dffe", + "1": "5ca5064a.b9c753f4.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305.ebdf5327.04ad2656.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305", + "identity": "32b32132-2c54-4af5-adc4-4b8cdb022f6b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + 
"physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + { + 
"location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + "endColumn": 77 
+ } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + 
"startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "python/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into extractall, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15)", + "[extractall](16)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "1fe02d7432ce63d25cde1d07567918e0db228ef216fdfd91b82d3f17d235cdbe", + "1": "ac3946d7.794dc90c.2683ade8.139c59a8.056de048.ba14daf2.081ac3f4.8794408a.ac3946d7.04ad2656.187bf175.3beeacb6.aa4d77a8.526495d1.9280a36a.163a4e7f", + "identity": "fc6808da-9297-477b-a549-fbda368ae451" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 61, + "endColumn": 65 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 76, + "endColumn": 80 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 70 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 34, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 30, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 52, + "endColumn": 64 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 33, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 28, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + 
"artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "go/PT", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from file name flows into os.RemoveAll, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "arguments": [ + "[file name](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[os.RemoveAll](7)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + ], + "fingerprints": { + "0": "998e99d008f4ed509ec6ea9ca36a6e5937d20273899c2f657a7aca2622dd2916", + "1": "35b36391.287901c3.45df3e14.0c66bee6.84c49f13.67ab4541.860c51ff.d84e5c6a.fad7f6c7.73eb5804.45df3e14.e22980a8.e8c00e77.9383b6fc.c2cfdcd9.d84e5c6a", + "identity": "7981f9c5-5427-4f25-8517-c7784922b5ab" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 1, + 
"physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 18, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 3, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 6, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 55, + "endColumn": 66 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 23, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 508, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + 
"isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.readdir, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31)", + "[fs.readdir](32)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + ], + "fingerprints": { + "0": "40dcd0ff18dad04e05324109ba598808175487b8303c1d0f095e33154f35becc", + "1": "227ff053.93dc32e3.126beb45.f22d421d.ef9f7d82.8020cfdf.83265159.43a0f1fe.6bb676bb.277c621c.c9330245.8a2e0395.acf24367.5fce695c.55818220.ef6bffc1", + "identity": "7e33260c-c729-4620-8036-237ef8eadad7" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": 
"src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + 
"artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 114, + "endLine": 114, + "startColumn": 62, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 156, + "endLine": 156, + "startColumn": 3, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 26, + 
"physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 37, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 16, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + 
"isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.stat, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25)", + "[fs.stat](26)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + ], + "fingerprints": { + "0": "5e0b622c51f8c9f1cdbc7e767b9258c4c32f4122c85c5887b603e62d7ba03b5f", + "1": "227ff053.93dc32e3.126beb45.ed202363.c2cde80a.2da1a176.83265159.43a0f1fe.6bb676bb.c4f12ae6.97923ac6.df3c423f.601e4ccc.1d3def36.3e0616cf.ef6bffc1", + "identity": "d7b416cf-489e-4df3-a1b3-0b7589a271b5" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" 
+ }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + 
"uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 32, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 13, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": 
"src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18)", + "[requests.get](19)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + ], + "fingerprints": { + "0": "1ac4c999d9f9c976efa5283a07e8d070ea9c476bd0b67cc95af2f19f60486d46", + "1": "2b627c13.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.75d4ed92.8794408a.e06468b8.2da3d253.16f66073.3beeacb6.25ac000c.73cfdf26.cc914b1e.f46ed94e", + "identity": "dab39dc5-d17c-4835-a825-dc4ca256b1de" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, 
+ "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + 
} + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 
5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20)", + "[requests.get](21)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + ], + "fingerprints": { + "0": "9a3787f3591d8ec7fbba72d1451e02cb5788ecdde35dea680749d037c3222282", + "1": "befed5bc.4e7b2cf3.ef7ad415.139c59a8.25ac000c.ba14daf2.081ac3f4.ebed174f.129db901.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.cc914b1e.36100b92", + "identity": "eae534c8-4058-4544-99b3-51252dfab27f" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + 
"uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + 
"uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 20, + 
"physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 56 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 3, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14)", + "[requests.get](15)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 27, + "endColumn": 44 + } + } + } + ], + "fingerprints": { + "0": "5e83a48b58134323a3afdec34bce3b5f67930ae86ccd334485fa819643306a19", + "1": "8a30cfc6.2fab3ddd.79e62dc9.3beeacb6.1a0abf6d.f7316481.0a7337bb.8794408a.8a30cfc6.2fab3ddd.7dc6970d.3beeacb6.25ac000c.73cfdf26.51b4c2f8.247d501d", + "identity": "6dbae7c5-a60a-49d8-9580-582c4be091ff" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + 
}, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 4, + "level": "note", + "message": { + "text": "md5 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[md5](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + ], + "fingerprints": { + "0": "479642e07aa12fee9dc1506f4eda082c7e69a5328eac0d4d0fd51927b86eaccf", + "1": "37bc1bfe.4773f344.191eaf2b.5e127924.ef9f7d82.8020cfdf.7a8c7288.71520ffe.9ff0579e.706318d0.191eaf2b.5e127924.ef9f7d82.5fce695c.04f551bd.71520ffe", + "identity": "f6312a1e-33d5-4c86-a4dc-f289de5b61cd" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 171, + "endLine": 171, + "startColumn": 17, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "", + "kind": "external" + } + ] + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 4, + "level": "note", + "message": { + "text": "sha1 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[sha1](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "5402b52f3d79f78a64fbffbae9bb024a432ccf8e514f3db9371538a89377ae99", + "1": "37bc1bfe.ef45cec4.191eaf2b.d7919eeb.ef9f7d82.82ca542b.cd61fc56.71520ffe.9ff0579e.706318d0.191eaf2b.d7919eeb.ef9f7d82.5fce695c.cd61fc56.71520ffe", + "identity": "064cc098-1bd5-4b68-b188-ce04ed186529" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 36, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "", + "kind": "external" + } + ] + }, + { + "ruleId": "python/TarSlip", + "ruleIndex": 5, + "level": "warning", + "message": { + "text": "Calling extractall to extract all files from a tar file without sanitization. 
This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "markdown": "Calling {0} to extract all files from a tar file without sanitization. This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "arguments": [ + "[extractall](0)" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "660533bad4614fc5e6d0a8f09aac6f01fba6015567fadfe0e81a506f14f52d56", + "1": "560a52d0.755ecede.187bf175.8a4e3f10.64ffc8ed.fb8cc529.28caaf2d.fa07e0a8.66f0b7f9.755ecede.187bf175.8a4e3f10.64ffc8ed.c7570064.292a8005.d53c5b6c", + "identity": "fd4b7755-3cbb-40e5-afb0-6cda6d6c9817" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 558, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [] + } + ], + "properties": { + "coverage": [ + { + "isSupported": true, + "lang": "Python", + "files": 3, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": ".config", + "files": 1, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "Go", + "files": 29, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "JavaScript", + "files": 14, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "XML", + "files": 1, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "HTML", + 
"files": 3, + "type": "SUPPORTED" + }, + { + "isSupported": true, + "lang": "TypeScript", + "files": 340, + "type": "SUPPORTED" + } + ], + "uploadResult": { + "projectId": "0bf2a810-99a4-49af-bc81-12d09bda49e1", + "snapshotId": "8086c069-1ebf-4b53-b2c1-3d56377e76d2", + "reportUrl": "https://app.snyk.io/org/ian.zink/project/0bf2a810-99a4-49af-bc81-12d09bda49e1/history/8086c069-1ebf-4b53-b2c1-3d56377e76d2" + } + } + } + ] +} diff --git a/src/handlebars-config.ts b/src/handlebars-config.ts new file mode 100644 index 0000000..c3d78ab --- /dev/null +++ b/src/handlebars-config.ts @@ -0,0 +1,7 @@ +const Handlebars = require('handlebars'); +import { firstInitial, formatDate } from './lib/codeutil'; + +export function registerHandlebarsHelpers() { + Handlebars.registerHelper('firstInitial', firstInitial); + Handlebars.registerHelper('formatDate', formatDate); +} diff --git a/src/lib/codeutil.ts b/src/lib/codeutil.ts index 19d06a8..735a2fb 100644 --- a/src/lib/codeutil.ts +++ b/src/lib/codeutil.ts @@ -109,10 +109,17 @@ export async function processSourceCode(dataArray){ const rulesArray = dataArray[0].runs[0].tool.driver.rules; for (const issue of dataArray[0].runs[0].results){ issue.severitytext = codeSeverityMap[issue.level]; - findSeverityIndex = codeSeverityCounter.findIndex( - (f) => f.severity === issue.severitytext, - ); - codeSeverityCounter[findSeverityIndex].counter++; + + // Only count non-suppressed issues + if (!issue.suppressions || issue.suppressions.length === 0) { + findSeverityIndex = codeSeverityCounter.findIndex( + (f) => f.severity === issue.severitytext, + ); + if (findSeverityIndex !== -1) { + codeSeverityCounter[findSeverityIndex].counter++; + } + } + //add the code snippet here... issue.locations[0].physicalLocation.codeString = await readCodeSnippet( issue.locations[0], 
@@ -149,4 +156,36 @@ export async function processSourceCode(dataArray){
 };
 });
 return OrderedIssuesArray;
-}
\ No newline at end of file
+}
+
+export function processSuppression(suppression: any) {
+ if (!suppression) return null;
+
+ return {
+ justification: suppression.justification,
+ category: suppression.properties?.category || 'unknown',
+ expiration: suppression.properties?.expiration,
+ ignoredOn: suppression.properties?.ignoredOn || {
+ date: 'unknown',
+ reason: 'unknown',
+ },
+ ignoredBy: suppression.properties?.ignoredBy || {
+ name: 'unknown',
+ email: '?'
+ },
+ };
+}
+
+export function firstInitial(email: string | null | undefined): string {
+ if (!email || typeof email !== 'string') {
+ return '?'; // Return a placeholder if email is null, undefined, or not a string
+ }
+ return email.charAt(0).toUpperCase();
+}
+
+export function formatDate(date: string | null | undefined): string {
+ if (!date) {
+ return 'Unknown date';
+ }
+ return new Date(date).toISOString().slice(0, 19).replace('T', ' ') + ' GMT';
+}
diff --git a/src/lib/snyk-to-html.ts b/src/lib/snyk-to-html.ts
index 1b9040a..5530fd0 100755
--- a/src/lib/snyk-to-html.ts
+++ b/src/lib/snyk-to-html.ts
@@ -11,7 +11,11 @@ import path = require('path');
 import { addIssueDataToPatch, getUpgrades, severityMap, IacProjectType } from './vuln';
 import {
 processSourceCode,
+ processSuppression,
 } from './codeutil';
+import { registerHandlebarsHelpers } from '../handlebars-config';
+
+registerHandlebarsHelpers();
 import { formatDateTime } from './dateutil';
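Review bot: `formatDate` throws on any input `Date` cannot parse: `new Date(date)` yields an Invalid Date and `.toISOString()` then raises `RangeError`, which would abort rendering of the whole report rather than one field. That path looks reachable, because `processSuppression` defaults `ignoredOn` to an object (`{ date: 'unknown', reason: 'unknown' }`), the `if (!date)` guard does not catch an object, and the template calls `{{formatDate suppression.ignoredOn}}` with that value. Validate before formatting: `const parsed = new Date(date); if (Number.isNaN(parsed.getTime())) return 'Unknown date'; return parsed.toISOString().slice(0, 19).replace('T', ' ') + ' GMT';`. Separately, `firstInitial` names its parameter `email` but the template passes `suppression.ignoredBy.name`; renaming it `text` would match its use.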
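Review bot: `registerHandlebarsHelpers();` is a side-effecting statement placed between two `import` declarations, and depending on the module target it either runs between the generated `require` calls (CommonJS) or after all imports (ESM hoisting); either way a reader skimming the import block will miss it. Move the call below the last import, ideally next to the existing `Object.keys(hh).forEach(k => Handlebars.registerHelper(k, hh[k]));` further down the file, so all helper setup is visible in one place.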
@@ -347,6 +351,32 @@ async function processCodeData( const OrderedIssuesArray = await processSourceCode(dataArray); + // Process suppressions + OrderedIssuesArray.forEach(project => { + let hasSuppressedVulns = false; + const projectVulns = project.vulnerabilities.map(vuln => { + if (vuln.suppressions && vuln.suppressions.length > 0) { + hasSuppressedVulns = true; + vuln.suppression = processSuppression(vuln.suppressions[0]); + } + return vuln; + }); + + if (!hasSuppressedVulns) { + project.vulnerabilities = projectVulns; + return; // Early return if no suppressions + } + + // Sort only if necessary + projectVulns.sort((a, b) => { + if (a.suppression && !b.suppression) return 1; + if (!a.suppression && b.suppression) return -1; + return 0; + }); + + project.vulnerabilities = projectVulns; + }); + const totalIssues = dataArray[0].runs[0].results.length; const processedData = { projects: OrderedIssuesArray, @@ -443,3 +473,12 @@ const hh = { }; Object.keys(hh).forEach(k => Handlebars.registerHelper(k, hh[k])); + +function getIssueCountsBySeverity(issuesGroupedBySeverity: any) { + const counts: { [key: string]: number } = {}; + Object.keys(issuesGroupedBySeverity).forEach((severity) => { + counts[severity] = issuesGroupedBySeverity[severity].filter((issue: any) => !issue.suppression).length; + }); + return counts; +} + diff --git a/template/code/test-report.code-snip.hbs b/template/code/test-report.code-snip.hbs index c55a056..ef9cddc 100644 --- a/template/code/test-report.code-snip.hbs +++ b/template/code/test-report.code-snip.hbs @@ -1,4 +1,4 @@ -
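Review bot: After the new suppression pass, the unchanged line `const totalIssues = dataArray[0].runs[0].results.length` still counts suppressed results, while `codeSeverityCounter` in `processSourceCode` now excludes them, so the summary total will no longer equal the sum of the per-severity counts whenever any result is ignored; if the total is meant to match, use `const totalIssues = dataArray[0].runs[0].results.filter((r) => !r.suppressions?.length).length;`. The pass also keeps only `vuln.suppressions[0]`; when a result carries several suppression objects the others (and any differing justification) are dropped without comment, so a one-line note stating that the first entry is authoritative, or selecting the accepted one, would make the intent explicit. `processCodeData` continues outside the hunk.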
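Review bot: `getIssueCountsBySeverity` is added but, as far as this diff shows, nothing calls it, and it tests the processed `issue.suppression` field while `processSourceCode` tests the raw `issue.suppressions` array, leaving two different definitions of "suppressed" in the module. Either wire it into the report data or drop it until there is a caller; if it stays, a JSDoc line such as `/** Counts non-suppressed issues per severity; expects issues already passed through processCodeData. */` records which shape it expects.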
+
@@ -36,6 +36,43 @@

✓ Fix Analysis

{{{markdown ruleiddesc.help.markdown}}}
+ {{#if suppression}} +
+
+
    +
  • +
    Ignored at {{formatDate suppression.ignoredOn}} by
    +
    + {{firstInitial suppression.ignoredBy.name}} + {{#if suppression.ignoredBy.name}} {{ suppression.ignoredBy.name }} {{/if}} {{#if suppression.ignoredBy.email}} <{{suppression.ignoredBy.email}}>{{/if}} +
    +
  • +
  • +
    Type
    +
    + {{suppression.category}} +
    +
  • +
  • +
    Reason
    +
    + {{suppression.justification}} +
    +
  • +
+
    +
  • +
  • +
  • +
    Expires
    +
    + {{#if suppression.expiration}}{{formatDate suppression.expiration}}{{else}}Never{{/if}} +
    +
  • +
+
+
+ {{/if}} {{/unless}}
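Review bot: The `Ignored at … by` row renders `<{{suppression.ignoredBy.email}}>` whenever `ignoredBy.email` is truthy, and `processSuppression` substitutes `{ name: 'unknown', email: '?' }` when the SARIF has no `ignoredBy`, so a result with no author information is displayed as `U unknown <?>`. Suggest an empty-string fallback for the email so the existing `{{#if suppression.ignoredBy.email}}` hides it, and a placeholder for an empty reason: `{{#if suppression.justification}}{{suppression.justification}}{{else}}No reason provided{{/if}}`. Keeping the escaping double-stash `{{ }}` for justification and author fields is the right choice, since those values originate in the scanned input. The enclosing `{{#unless}}` block opens outside the hunk.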
diff --git a/template/code/test-report.hbs b/template/code/test-report.hbs index 7eda63d..bc330a8 100644 --- a/template/code/test-report.hbs +++ b/template/code/test-report.hbs @@ -69,4 +69,4 @@ {{> inline-js }} - \ No newline at end of file + diff --git a/template/code/test-report.inline-css.hbs b/template/code/test-report.inline-css.hbs index 1a6a0e1..02d5d33 100644 --- a/template/code/test-report.inline-css.hbs +++ b/template/code/test-report.inline-css.hbs @@ -94,6 +94,72 @@ } + .suppressed { + opacity: 0.7; + border-left: 5px solid #888; + } + + .suppression-card { + border: 1px solid #e0e0e0; + border-radius: 4px; + padding: 10px; + margin-bottom: 20px; + background-color: #fff7e6; + } + + .suppression-card__container { + display: flex; + flex-wrap: wrap; + } + + .suppression-card__items { + flex: 1 1 50%; + list-style: none; + padding: 0; + margin: 0; + } + + .suppression-card__item { + margin-bottom: 10px; + } + + .suppression-card__item__key { + font-weight: bold; + color: #b35900; + margin-bottom: 2px; + } + + .suppression-card__item__value { + color: #333; + } + + .supression-card__user-initial { + display: inline-block; + width: 24px; + height: 24px; + border-radius: 50%; + background-color: #6666cc; + color: white; + text-align: center; + line-height: 24px; + margin-right: 5px; + font-weight: bold; + } + + .suppression-card table { + width: 100%; + border-collapse: collapse; + } + + .suppression-card td { + padding: 5px; + vertical-align: top; + } + + .suppression-card strong { + color: #b35900; + } + /* Layout */ [class*=layout-container] { @@ -358,4 +424,11 @@ .marker { border:1px solid #555; margin:-1px 0; background: transparent } } +.suppression-card__path { + word-break: break-all; +} + + + + diff --git a/test/fixtures/test-code-consistent-ignores.json b/test/fixtures/test-code-consistent-ignores.json new file mode 100644 index 0000000..d03e9ec --- /dev/null +++ b/test/fixtures/test-code-consistent-ignores.json 
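Review bot: The new selector `.supression-card__user-initial` is spelled with one `p`, unlike every other `.suppression-card__*` rule in the hunk; the template markup is not visible in this diff, so if the element uses the correctly spelled class the avatar-circle styling will silently not apply. Rename the rule to `.suppression-card__user-initial` (or whichever spelling the template actually uses) so the naming is consistent.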
@@ -0,0 +1,6745 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "go/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). 
In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "go", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/citrix/terraform-provider-citrixadc/commit/a4c0975006ef2020c0db505d69bdcec13f10915b?diff=split#diff-a9109e20e39687dfe49012120251229e209c76557bfef1ac646718448d8ca653L-1", + "lines": [ + { + "line": "b, err := ioutil.ReadFile(inputFile)\n", + "lineNumber": 40, + "lineChange": "removed" + }, + { + "line": "b, err := ioutil.ReadFile(filepath.Clean(inputFile))\n", + "lineNumber": 40, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/MohawkTSDB/mohawk/commit/e4a68407d6e1f9a3ccfa1f0a320c04d693afe2a6?diff=split#diff-ffb4b68b82d9234bcba450c7ca14d76b3ea0eed74198d1811d802889c58252e5L-1", + "lines": [ + { + "line": "\t// Check for \"..\" in the url path,\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": "\t// if we find \"..\" in the path we will not serve static files\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\tif strings.Contains(path, \"..\") {\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": "\t\ts.next.ServeHTTP(w, r)\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\treturn\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t}\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 48, + "lineChange": "added" + }, + { + "line": "\t// Add index.html to path if it ends with /\n", + "lineNumber": 49, + "lineChange": "none" + }, + { + "line": "\tif path[len(path)-1:] == \"/\" {\n", + "lineNumber": 50, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"index.html\"\n", + "lineNumber": 51, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 52, + "lineChange": "none" + }, + { + "line": 
"\n", + "lineNumber": 53, + "lineChange": "none" + }, + { + "line": "\t// Add /index.html to path if a directory\n", + "lineNumber": 54, + "lineChange": "none" + }, + { + "line": "\tif fi, err := os.Stat(path); err == nil && fi.IsDir() {\n", + "lineNumber": 55, + "lineChange": "none" + }, + { + "line": "\t\tpath = path + \"/index.html\"\n", + "lineNumber": 56, + "lineChange": "none" + }, + { + "line": "\t}\n", + "lineNumber": 57, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 58, + "lineChange": "none" + }, + { + "line": "\t// If file exist serve it\n", + "lineNumber": 59, + "lineChange": "none" + }, + { + "line": "\tif file, err := ioutil.ReadFile(path); err == nil {\n", + "lineNumber": 60, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/u-root/u-root/commit/?diff=split#diff-b2964e352f657fd0dbf5b5dc2f11b034b389e3ad9d60ef315dca58778612d468L-1", + "lines": [ + { + "line": "\tpath := filepath.Join(*directory, filepath.Clean(w.Name()))\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\tpath := filepath.Join(*directory, filepath.Join(\"/\", w.Name()))\n", + "lineNumber": 27, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\tfile, err := os.Open(path)\n", + "lineNumber": 29, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 28, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "javascript/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "PT", + "Security", + "SourceNonServer", + "SourceResourceAccess", + "SourceFile", + "", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/eclipse-vertx/vert.x/commit/d1183271de193b6bef158e2b1dfb5ba65a15cbc9?diff=split#diff-fa3b44a1f7fa945e9aedd043ef316ad52d191aef30871789663bea3426ba14baL-1", + "lines": [ + { + "line": "} else if (req.path.indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": " req.response.sendFile(\".\" + req.path);\n", + "lineNumber": 9, + "lineChange": "removed" + }, + { + "line": "} else if (req.path().indexOf('..') == -1) {\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": " req.response.sendFile(\".\" + req.path());\n", + "lineNumber": 9, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/iamfrntdv/adm-dev-kit/commit/8edeb067e703a642cb7ac7c88fb95fce8dd9c248?diff=split#diff-52baeef6a12dda5ae6078825eeb32958966ba6cbdd56792899f6273fecd26eabL-1", + "lines": [ + { + "line": "const img = fs.readFileSync(filePath);\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "res.end(img);\n", + "lineNumber": 8, + "lineChange": "removed" + }, + { + "line": "res.sendFile(filePath, {root: './'});\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": 
"https://github.com/substack/shipboard/commit/e2722480410eea3f3d7b51730dcdea49df649cd2?diff=split#diff-e727e4bdf3657fd1d798edcd6b099d6e092f8573cba266154583a746bba0f346L-1", + "lines": [ + { + "line": " if (has(pages, req.url)) {\n", + "lineNumber": 14, + "lineChange": "removed" + }, + { + "line": " var p = req.url.split(/[#?]/)[0];\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": " if (p === '/') {\n", + "lineNumber": 10, + "lineChange": "added" + }, + { + "line": " html('layout.html').pipe(hyperstream({\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " '#content': html(pages[req.url])\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": " '[page=create]': html('create.html'),\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": " '[page=view]': html('view.html'),\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": " '[page=edit]': html('edit.html')\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": " })).pipe(res);\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " }\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " else st(req, res);\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "};\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "function html (file) {\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " return fs.createReadStream(path.join(__dirname, 'html', file));\n", + "lineNumber": 23, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 40, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "python/Ssrf", + "name": "Ssrf", + "shortDescription": { + "text": "Server-Side Request Forgery (SSRF)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "\n## Details\nIn a server-side request forgery attack, a malicious 
user supplies a URL (an external URL or a network IP address such as 127.0.0.1) to the application's back end. The server then accesses the URL and shares its results, which may include sensitive information such as AWS metadata, internal configuration information, or database contents with the attacker. Because the request comes from the back end, it bypasses access controls, potentially exposing information the user does not have sufficient privileges to receive. The attacker can then exploit this information to gain access, modify the web application, or demand a ransom payment.\n\n## Best practices for prevention\n* Blacklists are problematic and attackers have numerous ways to bypass them; ideally, use a whitelist of all permitted domains and IP addresses.\n* Use authentication even within your own network to prevent exploitation of server-side requests.\n* Implement zero trust and sanitize and validate all URL and header data returning to the server from the user. Strip invalid or suspect characters, then inspect to be certain it contains a valid and expected value.\n* Ideally, avoid sending server requests based on user-provided data altogether.\n* Ensure that you are not sending raw response bodies from the server directly to the client. Only deliver expected responses.\n* Disable suspect and exploitable URL schemas. 
Common culprits include obscure and little-used schemas such as `file://`, `dict://`, `ftp://`, and `gopher://`.", + "text": "" + }, + "properties": { + "tags": [ + "python", + "Ssrf", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/rowanlupton/pylodon/commit/6d2e152f41f5073d6b224307690087ebdce3df12?diff=split#diff-0c2bad94cd303c5944a38a94f62a63355b8bed2e102dc87c0f44de95cf135b8aL-1", + "lines": [ + { + "line": "import json, requests\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "from flask_pymongo import PyMongo\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "from activipy import vocab\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "from .forms import userLogin, userRegister, composePost\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from .users import User\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "# from .emails import lostPassword, checkToken\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "mongo = PyMongo(app)\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "SERVER_URL = 'http://populator.smilodon.social/'\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "API_HEADERS = {'Content-Type': 'application/ld+json', 'profile': 'https://www.w3.org/ns/activitystreams'}\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "@lm.user_loader\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": "def load_user(handle):\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " u = 
mongo.db.users.find_one({\"id\": handle})\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " if not u:\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return None\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": " return User(u['id'])\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "@login_required\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\tuser = mongo.db.users.find_one({'id': current_user.get_id()})\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\tr = requests.get(user['inbox'], headers=API_HEADERS)\n", + "lineNumber": 29, + "lineChange": "removed" + }, + { + "line": "\tr = requests.get('http://localhost:5000/api/roo/inbox', headers=API_HEADERS)\n", + "lineNumber": 30, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/commit/23ad832af741f0354949a72e6c6f799eb9d2bace?diff=split#diff-7efee2ee97af01f846ed5818e84c955c51bd8efe06588e0dfa341c68966d945fL-1", + "lines": [ + { + "line": " parser = argparse.ArgumentParser(formatter_class=argparse.ArgumentDefaultsHelpFormatter, description=\"Downloads and unpacks assets\")\n", + "lineNumber": 31, + "lineChange": "removed" + }, + { + "line": " parser.add_argument(\"zip_url\", action=\"store\", type=str, help=\"URL of the assets package\")\n", + "lineNumber": 32, + "lineChange": "removed" + }, + { + "line": " args = parser.parse_args()\n", + "lineNumber": 33, + "lineChange": "removed" + }, + { + "line": " url = 
\"https://github.com/ARM-software/vulkan_best_practice_for_mobile_developers/releases/download/v1.1.2/scenes.zip\"\n", + "lineNumber": 31, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " try:\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " request = requests.get(args.zip_url, stream=True)\n", + "lineNumber": 36, + "lineChange": "removed" + }, + { + "line": " request = requests.get(url, stream=True)\n", + "lineNumber": 34, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/schlosser/eventum/commit/?diff=split#diff-f4729fea0d9ecf9950ff3b36ce5dfba2ab27cf3fffa642b9e0d176234cdfc8a1L-1", + "lines": [ + { + "line": "old_site_url = 'http://adicu.github.com' + request.path\n", + "lineNumber": 11, + "lineChange": "removed" + }, + { + "line": "old_site_url = 'http://adicu.github.com/' + request.path\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": "response = requests.get(old_site_url)\n", + "lineNumber": 12, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 25, + "cwe": [ + "CWE-918" + ] + } + }, + { + "id": "javascript/InsecureHash", + "name": "InsecureHash", + "shortDescription": { + "text": "Use of Password Hash With Insufficient Computational Effort" + }, + "defaultConfiguration": { + "level": "note" + }, + "help": { + "markdown": "\n## Details\n\nSensitive information should never be stored in plain text, since this makes it very easy for unauthorized users, whether malicious insiders or outside attackers, to access. Hashing methods are used to make stored passwords and other sensitive data unreadable to users. For example, when a password is defined for the first time, it is hashed and then stored. The next time that user attempts to log on, the password they enter is hashed following the same procedure and compared with the stored value. 
In this way, the original password never needs to be stored in the system.\n\nHashing is a one-way scheme, meaning a hashed password cannot be reverse engineered. However, if an outdated or custom programmed hashing scheme is used, it becomes simple for an attacker with powerful modern computing power to gain access to the hashes used. This opens up access to all stored password information, leading to breached security. Therefore, it is essential for developers to understand modern, secure password hashing techniques.\n\n## Best practices for prevention\n* Use strong standard algorithms for hashing rather than simpler but outdated methods or DIY hashing schemes, which may have inherent weaknesses.\n* Use modular design for all code dealing with hashing so it can be swapped out as security standards change over time.\n* Use salting in combination with hashing (While this places more demands on resources, it is an essential step for tighter security.).\n* Implement zero-trust architecture to ensure that access to password data is granted only for legitimate business purposes.\n* Increase developer awareness of current standards in data security and cryptography.", + "text": "" + }, + "properties": { + "tags": [ + "javascript", + "InsecureHash", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/steilerDev/homebridge-openhab2-complete/commit/6e92ef40f991cc372b701390945e0e5bbeb71016?diff=split#diff-34bbd467b1ab0e3497ce244b09d2bfbc4ab192303dd90b13603baf6711b522dfL-1", + "lines": [ + { + "line": "function generate(name) {\n", + "lineNumber": 4, + "lineChange": "removed" + }, + { + "line": " const sha1sum = crypto.createHash('sha1');\n", + "lineNumber": 5, + "lineChange": "removed" + }, + { + "line": " sha1sum.update(name);\n", + "lineNumber": 6, + "lineChange": "removed" + }, + { + "line": "function generate(name, type) {\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": " const hash = 
crypto.createHash('sha512');\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": " hash.update(name);\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": " hash.update(type);\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/raphael-group/magi/commit/1e1ed6435a97858e38d0cab962d7e248710f60e1?diff=split#diff-a4bd8e7c606b00ad2f2d6eeb95ba96714ece5c8b1266c2b503f3531b12d46257L-1", + "lines": [ + { + "line": "hasher = crypto.createHash('md5').update(url),\n", + "lineNumber": 7, + "lineChange": "removed" + }, + { + "line": "hasher = crypto.createHash('RIPEMD-64').update(url),\n", + "lineNumber": 7, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/mafintosh/hyperlog/commit/d93cc65e485d740face1dacffa66dbcf03bcc7c3?diff=split#diff-b29a862e995b5e16d1763a35604cec4f13f3ca08bb9318d8f7ccfa24b757f7e0L-1", + "lines": [ + { + "line": "return crypto.createHash('sha1')\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "return crypto.createHash('sha256')\n", + "lineNumber": 3, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 52, + "cwe": [ + "CWE-916" + ] + } + }, + { + "id": "python/PT", + "name": "PT", + "shortDescription": { + "text": "Path Traversal" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. 
By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nBeing able to access and manipulate an arbitrary path leads to vulnerabilities when a program is being run with privileges that the user providing the path should not have. A website with a path traversal vulnerability would allow users access to sensitive files on the server hosting it. CLI programs may also be vulnerable to path traversal if they are being ran with elevated privileges (such as with the setuid or setgid flags in Unix systems).\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`.\n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. 
If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "PT", + "Security", + "SourceNonServer", + "SourceLocalEnv", + "SourceCLI", + "Taint" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/Guad/fuwa/commit/955baf1c0e8824f08a96e48a350ee3cd0e3c5493?diff=split#diff-568470d013cd12e4f388206520da39ab9a4e4c3c6b95846cbc281abc1ba3c959L-1", + "lines": [ + { + "line": "import string, random\n", + "lineNumber": 1, + "lineChange": "removed" + }, + { + "line": "import string, random, hashlib, os\n", + "lineNumber": 1, + "lineChange": "added" + }, + { + "line": "from werkzeug import secure_filename\n", + "lineNumber": 2, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "#Load config file\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "config = {}\n", + "lineNumber": 5, + "lineChange": "added" + }, + { + "line": "with open('config.ini', 'r') as file:\n", + "lineNumber": 6, + "lineChange": "added" + }, + { + "line": "\tfor line in file.read().splitlines():\n", + "lineNumber": 7, + "lineChange": "added" + }, + { + "line": "\t\tline = line.split('==')\n", + "lineNumber": 8, + "lineChange": "added" + }, + { + "line": "\t\tconfig[line[0]] = line[1]\n", + "lineNumber": 9, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "app = 
flask.Flask(__name__) #Initialize our application\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": "app.config['MAX_CONTENT_LENGTH'] = 10 * 1024 * 1024 #Set the upload limit to 10MiB\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "def genHash(seed): #Generate five letter filenames for our files\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " base = string.ascii_lowercase+string.digits \n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " random.seed(seed)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " hash_value = \"\"\n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " for i in range(5):\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": " hash_value += random.choice(base)\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": " return hash_value\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "@app.route('/', methods=['GET', 'POST'])\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": "def index():\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": "\tif flask.request.method == 'POST':\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": "\t\t\tFile upload happens here.\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "\t\t\tWe get your filename and convert it to our hash with your extension.\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "\t\t\tThen we redirect to the file itself.\n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": "\t\t\"\"\"\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "\t\tf = 
flask.request.files['file']\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": "\t\textension = f.filename.split('.')[-1]\n", + "lineNumber": 24, + "lineChange": "removed" + }, + { + "line": "\t\tfilename = genHash(f.filename) + '.' + extension\n", + "lineNumber": 25, + "lineChange": "removed" + }, + { + "line": "\t\tf.save('static/files/%s' % filename)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\t\tprint 'Uploaded file \\'%s\\'' % filename #Log what file was uploaded\n", + "lineNumber": 27, + "lineChange": "removed" + }, + { + "line": "\t\treturn flask.redirect(flask.url_for('getFile', filename=filename))\n", + "lineNumber": 28, + "lineChange": "removed" + }, + { + "line": "\t\t\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\t\thasher = hashlib.md5() \t\t\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\t\tbuf = f.read()\t\t \t\t\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\t\tf.seek(0) #Set cursor back to position 0 so we can read it again in the save function.\n", + "lineNumber": 36, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# We hash the file to get its filename.\t \t\t\n", + "lineNumber": 37, + "lineChange": "added" + }, + { + "line": "\t\t\t\t\t\t\t\t\t# So that we can upload two different images with the same filename,\n", + "lineNumber": 38, + "lineChange": "added" + }, + { + "line": "\t\thasher.update(buf)\t \t\t# But not two same images with different filenames.\n", + "lineNumber": 39, + "lineChange": "added" + }, + { + "line": "\t\tdirname = genHash(hasher.hexdigest())\n", + "lineNumber": 40, + "lineChange": "added" + }, + { + "line": "\t\tif not os.path.exists(\"static/files/%s\" % dirname): # Check if the folder already exists\n", + "lineNumber": 41, + "lineChange": "added" + }, + { + "line": "\t\t\tos.mkdir('static/files/%s' % dirname) #Make it\n", + "lineNumber": 42, + "lineChange": "added" + }, + { + "line": 
"\t\t\tf.save('static/files/%s/%s' % (dirname, secure_filename(f.filename)))\n", + "lineNumber": 43, + "lineChange": "added" + }, + { + "line": "\t\t\tprint 'Uploaded file \\'%s\\'' % secure_filename(f.filename) #Log what file was uploaded\n", + "lineNumber": 44, + "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('getFile', dirname=dirname,filename=secure_filename(f.filename)))\n", + "lineNumber": 45, + "lineChange": "added" + }, + { + "line": "\t\telse:\n", + "lineNumber": 46, + "lineChange": "added" + }, + { + "line": "\t\t\tflask.flash('File already exists in %s!' % dirname) #Display a message for the user.\n", + "lineNumber": 47, + "lineChange": "added" + }, + { + "line": "\t\t\treturn flask.redirect(flask.url_for('index'))\n", + "lineNumber": 48, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/fonttools/fonttools/commit/0b99c8968e04e2e36c6c46ad8bb1a550d25969b4?diff=split#diff-e8b6161353c7ce5b13e62df1da329a85de0ef80ce8f039d283c25bf892b2b600L-1", + "lines": [ + { + "line": "os.system('gzip -9v %s' % tar)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": "os.rename(gz, tgz)\n", + "lineNumber": 26, + "lineChange": "removed" + }, + { + "line": "\n", + "lineNumber": 32, + "lineChange": "added" + }, + { + "line": "if destdir:\n", + "lineNumber": 33, + "lineChange": "added" + }, + { + "line": "\tprint \"destination directory:\", destdir\n", + "lineNumber": 34, + "lineChange": "added" + }, + { + "line": "\tos.system('mv %s %s' % (gz, destdir))\n", + "lineNumber": 35, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 36, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Chenwe-i-lin/KnowledgeFruits/commit/?diff=split#diff-ab8c675e5b4b07c550455b0884835f1df471bb69ad7142f6ad43b26cf33eb4e6L-1", + "lines": [ + { + "line": "base_path = os.path.abspath(os.path.dirname(__file__))\n", + "lineNumber": 11, + "lineChange": "added" + }, + { + "line": 
"base_path_for_data = os.path.join(base_path,'data/texture')\n", + "lineNumber": 12, + "lineChange": "added" + }, + { + "line": "file = os.path.join(base_path_for_data, image + '.png')\n", + "lineNumber": 13, + "lineChange": "added" + }, + { + "line": "if os.path.abspath(file).startswith(base_path_for_data):\n", + "lineNumber": 14, + "lineChange": "added" + }, + { + "line": "with open(os.getcwd() + \"/data/texture/\" + image + '.png', \"rb\") as f:\n", + "lineNumber": 15, + "lineChange": "none" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 36, + "cwe": [ + "CWE-23" + ] + } + }, + { + "id": "python/TarSlip", + "name": "TarSlip", + "shortDescription": { + "text": "Arbitrary File Write via Archive Extraction (Tar Slip)" + }, + "defaultConfiguration": { + "level": "warning" + }, + "help": { + "markdown": "## Details\n\nZip Slip is a form of directory traversal that can be exploited by extracting files from an archive. The premise of the directory traversal vulnerability is that an attacker can gain access to parts of the file system outside of the target folder in which they should reside. The attacker can then overwrite executable files and either invoke them remotely or wait for the system or user to call them, thus achieving remote command execution on the victim’s machine. The vulnerability can also cause damage by overwriting configuration files or other sensitive resources, and can be exploited on both client (user) machines and servers.\n\n## Example\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 
20 20 ../../../../../../root/.ssh/authorized_keys\n```", + "text": "" + }, + "properties": { + "tags": [ + "python", + "TarSlip", + "Security" + ], + "categories": [ + "Security" + ], + "exampleCommitFixes": [ + { + "commitURL": "https://github.com/AlexKuhnle/ShapeWorld/commit/798a52fa5a7e01e6822dcf157600ec9b9b3e1350?diff=split#diff-be0584efe894029a1b0526edab5d2e8f7c2888ce3648e9ef4287200f61b6ac32L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 16, + "lineChange": "removed" + }, + { + "line": "with tarfile.open(os.path.join(directory, 'resources', language + '.dat.tar.gz'), 'r:gz') as filehandle:\n", + "lineNumber": 17, + "lineChange": "removed" + }, + { + "line": " try:\n", + "lineNumber": 18, + "lineChange": "removed" + }, + { + "line": " fileinfo = filehandle.getmember(language + '.dat')\n", + "lineNumber": 19, + "lineChange": "removed" + }, + { + "line": " except KeyError:\n", + "lineNumber": 20, + "lineChange": "removed" + }, + { + "line": " assert False\n", + "lineNumber": 21, + "lineChange": "removed" + }, + { + "line": " filehandle.extract(member=fileinfo)\n", + "lineNumber": 22, + "lineChange": "removed" + }, + { + "line": "import gzip\n", + "lineNumber": 16, + "lineChange": "added" + }, + { + "line": "with gzip.open(os.path.join(directory, 'resources', language + '.dat.gz'), 'rb') as gzip_filehandle:\n", + "lineNumber": 17, + "lineChange": "added" + }, + { + "line": " with open(os.path.join(directory, 'resources', language + '.dat'), 'wb') as filehandle:\n", + "lineNumber": 18, + "lineChange": "added" + }, + { + "line": " filehandle.write(gzip_filehandle.read())\n", + "lineNumber": 19, + "lineChange": "added" + } + ] + }, + { + "commitURL": "https://github.com/Hydrospheredata/kubeflow-workshop/commit/754457fccfe919cde60d4ca240f28b374f593334?diff=split#diff-8ac076fbde9e80ce02018a52a6ad9e873aa9be704e8dac4b8abc44b314b588b9L-1", + "lines": [ + { + "line": "import os, gzip, tarfile, shutil, glob\n", + "lineNumber": 2, + "lineChange": "none" 
+ }, + { + "line": "import urllib, urllib.parse, urllib.request\n", + "lineNumber": 3, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 4, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "def download_files(base_url, base_dir, files):\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": " \"\"\" Download required data \"\"\"\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": " downloaded = []\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": " os.makedirs(base_dir, exist_ok=True)\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + "lineChange": "none" + }, + { + "line": " for file in files:\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": " print(f\"Started downloading {file}\", flush=True)\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": " download_url = urllib.parse.urljoin(base_url, file)\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": " download_path = os.path.join(base_dir, file)\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": " local_file, _ = urllib.request.urlretrieve(download_url, download_path)\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": " unpack_file(local_file, base_dir)\n", + "lineNumber": 17, + "lineChange": "none" + }, + { + "line": " \n", + "lineNumber": 18, + "lineChange": "none" + }, + { + "line": " return downloaded\n", + "lineNumber": 19, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 20, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 21, + "lineChange": "none" + }, + { + "line": "def unpack_file(file, base_dir):\n", + "lineNumber": 22, + "lineChange": "none" + }, + { + "line": " \"\"\" Unpacking all compressed files. 
\"\"\"\n", + "lineNumber": 23, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 24, + "lineChange": "none" + }, + { + "line": " print(f\"Unpacking {file}\", flush=True)\n", + "lineNumber": 25, + "lineChange": "none" + }, + { + "line": " if os.path.split(base_dir)[-1] == \"mnist\":\n", + "lineNumber": 26, + "lineChange": "none" + }, + { + "line": "with gzip.open(file, 'rb') as f_in, open(file[:-3],'wb') as f_out:\n", + "lineNumber": 27, + "lineChange": "none" + }, + { + "line": " shutil.copyfileobj(f_in, f_out)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": "if os.path.split(base_dir)[-1] == \"notmnist\":\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": " with tarfile.open(file) as f_tar: \n", + "lineNumber": 30, + "lineChange": "none" + }, + { + "line": " f_tar.extractall(base_dir)\n", + "lineNumber": 31, + "lineChange": "none" + } + ] + }, + { + "commitURL": "https://github.com/lpcinelli/foreground-segmentation/commit/17489eb13e3d50a2b2c373258d05a6c0160fd4f5?diff=split#diff-0127893470062e012505a30a335e174e59d3db3e164684944b6a83e57cdb6cb2L-1", + "lines": [ + { + "line": "import tarfile\n", + "lineNumber": 3, + "lineChange": "removed" + }, + { + "line": "import urllib\n", + "lineNumber": 3, + "lineChange": "added" + }, + { + "line": "from zipfile import ZipFile\n", + "lineNumber": 4, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 5, + "lineChange": "none" + }, + { + "line": "import glob2 as glob\n", + "lineNumber": 6, + "lineChange": "none" + }, + { + "line": "import numpy as np\n", + "lineNumber": 7, + "lineChange": "none" + }, + { + "line": "import pandas as pd\n", + "lineNumber": 8, + "lineChange": "none" + }, + { + "line": "from PIL import Image\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 9, + "lineChange": "none" + }, + { + "line": "from tqdm import tqdm\n", + "lineNumber": 10, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 11, + 
"lineChange": "none" + }, + { + "line": "URL = \"http://wordpress-jodoin.dmi.usherb.ca/static/dataset/dataset2014.zip\"\n", + "lineNumber": 12, + "lineChange": "none" + }, + { + "line": "MD5 = \"d86332547edbc25f4ddbcd49f92413cf\"\n", + "lineNumber": 13, + "lineChange": "none" + }, + { + "line": "BASE_PATH = os.path.dirname(os.path.abspath(__file__))\n", + "lineNumber": 14, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 15, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 16, + "lineChange": "none" + }, + { + "line": "def md5file(fname):\n", + "lineNumber": 34, + "lineChange": "none" + }, + { + "line": " hash_md5 = hashlib.md5()\n", + "lineNumber": 35, + "lineChange": "none" + }, + { + "line": " with open(fname, \"rb\") as f:\n", + "lineNumber": 36, + "lineChange": "none" + }, + { + "line": " for chunk in iter(lambda: f.read(4096), b\"\"):\n", + "lineNumber": 37, + "lineChange": "none" + }, + { + "line": " hash_md5.update(chunk)\n", + "lineNumber": 38, + "lineChange": "none" + }, + { + "line": " return hash_md5.hexdigest()\n", + "lineNumber": 39, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 40, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": "def download(url, md5sum, target_dir):\n", + "lineNumber": 42, + "lineChange": "none" + }, + { + "line": " \"\"\"Download file from url to target_dir, and check md5sum.\n", + "lineNumber": 43, + "lineChange": "none" + }, + { + "line": " Adapted from PaddlePaddle/DeepSpeech repo\"\"\"\n", + "lineNumber": 44, + "lineChange": "none" + }, + { + "line": " if not os.path.exists(target_dir): os.makedirs(target_dir)\n", + "lineNumber": 28, + "lineChange": "none" + }, + { + "line": " filepath = os.path.join(target_dir, url.split(\"/\")[-1])\n", + "lineNumber": 29, + "lineChange": "none" + }, + { + "line": "if not (os.path.exists(filepath) and md5file(filepath) == md5sum):\n", + "lineNumber": 50, + "lineChange": "none" + }, + 
{ + "line": " print(\"Downloading %s ...\" % url)\n", + "lineNumber": 31, + "lineChange": "none" + }, + { + "line": " os.system(\"wget -c \" + url + \" -P \" + target_dir)\n", + "lineNumber": 32, + "lineChange": "none" + }, + { + "line": " print(\"\\nMD5 Chesksum %s ...\" % filepath)\n", + "lineNumber": 33, + "lineChange": "none" + }, + { + "line": " if not md5file(filepath) == md5sum:\n", + "lineNumber": 60, + "lineChange": "none" + }, + { + "line": " raise RuntimeError(\"MD5 checksum failed.\")\n", + "lineNumber": 61, + "lineChange": "none" + }, + { + "line": " else:\n", + "lineNumber": 62, + "lineChange": "none" + }, + { + "line": " print(\"File exists, skip downloading. (%s)\" % filepath)\n", + "lineNumber": 63, + "lineChange": "none" + }, + { + "line": " return filepath\n", + "lineNumber": 64, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 65, + "lineChange": "none" + }, + { + "line": "\n", + "lineNumber": 66, + "lineChange": "none" + }, + { + "line": "def unpack(filepath, target_dir, rm_tar=False):\n", + "lineNumber": 41, + "lineChange": "none" + }, + { + "line": " \"\"\"Unpack the file to the target_dir.\"\"\"\n", + "lineNumber": 68, + "lineChange": "none" + }, + { + "line": " print(\"Unpacking %s ...\" % filepath)\n", + "lineNumber": 43, + "lineChange": "removed" + }, + { + "line": " tar = tarfile.open(filepath)\n", + "lineNumber": 44, + "lineChange": "removed" + }, + { + "line": " tar.extractall(target_dir)\n", + "lineNumber": 45, + "lineChange": "removed" + }, + { + "line": " tar.close()\n", + "lineNumber": 46, + "lineChange": "removed" + }, + { + "line": " if rm_tar == True:\n", + "lineNumber": 47, + "lineChange": "removed" + }, + { + "line": " if os.path.exists(os.path.join(target_dir, 'dataset')):\n", + "lineNumber": 69, + "lineChange": "added" + }, + { + "line": " print(\"Skip unpacking. 
Data already extracted at %s.\" % os.path.join(\n", + "lineNumber": 70, + "lineChange": "added" + }, + { + "line": " target_dir, 'dataset'))\n", + "lineNumber": 71, + "lineChange": "added" + }, + { + "line": " return\n", + "lineNumber": 72, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 73, + "lineChange": "added" + }, + { + "line": " print(\"Unpacking {}...\".format(filepath))\n", + "lineNumber": 74, + "lineChange": "added" + }, + { + "line": " with ZipFile(filepath) as fzip:\n", + "lineNumber": 75, + "lineChange": "added" + }, + { + "line": " fzip.extractall(target_dir)\n", + "lineNumber": 76, + "lineChange": "added" + }, + { + "line": "\n", + "lineNumber": 77, + "lineChange": "added" + }, + { + "line": " if remove:\n", + "lineNumber": 78, + "lineChange": "added" + } + ] + } + ], + "exampleCommitDescriptions": [], + "precision": "very-high", + "repoDatasetSize": 49, + "cwe": [ + "CWE-22" + ] + } + } + ] + } + }, + "results": [ + { + "ruleId": "go/PT", + "ruleIndex": 0, + "level": "warning", + "message": { + "text": "Unsanitized input from file name flows into os.RemoveAll, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to delete arbitrary files.", + "arguments": [ + "[file name](0)", + "[flows](1),(2),(3),(4),(5),(6)", + "[os.RemoveAll](7)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + ], + "fingerprints": { + "0": "998e99d008f4ed509ec6ea9ca36a6e5937d20273899c2f657a7aca2622dd2916", + "1": "35b36391.287901c3.45df3e14.0c66bee6.84c49f13.67ab4541.860c51ff.d84e5c6a.fad7f6c7.73eb5804.45df3e14.e22980a8.e8c00e77.9383b6fc.c2cfdcd9.d84e5c6a", + "identity": "d6a92302-1515-479e-b119-2768df2d0261" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 46, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 18, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 152, + "endLine": 152, + "startColumn": 3, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", 
+ "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 6, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 153, + "endLine": 153, + "startColumn": 55, + "endColumn": 66 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 23, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "cliv2/internal/cliv2/cliv2.go", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 155, + "endLine": 155, + "startColumn": 10, + "endColumn": 22 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 508, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.readdir, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to list arbitrary directories.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31)", + "[fs.readdir](32)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + ], + "fingerprints": { + "0": "40dcd0ff18dad04e05324109ba598808175487b8303c1d0f095e33154f35becc", + "1": "227ff053.93dc32e3.126beb45.f22d421d.ef9f7d82.8020cfdf.83265159.43a0f1fe.6bb676bb.277c621c.c9330245.8a2e0395.acf24367.5fce695c.55818220.ef6bffc1", + "identity": "7b341903-0e0b-4e39-90e4-ef6fa2ce58d4" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + 
"physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + 
"location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } 
+ } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 114, + "endLine": 114, + "startColumn": 62, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 156, + "endLine": 156, + "startColumn": 3, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + 
"startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 158, + "endLine": 158, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 23, + "endLine": 23, + "startColumn": 37, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 16, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 5, + "endColumn": 15 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/PT", + "ruleIndex": 1, + "level": "warning", + "message": { + "text": "Unsanitized input from a local file flows into fs.stat, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to change current directory.", + "arguments": [ + "[a local file](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25)", + "[fs.stat](26)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + ], + "fingerprints": { + "0": "5e0b622c51f8c9f1cdbc7e767b9258c4c32f4122c85c5887b603e62d7ba03b5f", + "1": "227ff053.93dc32e3.126beb45.ed202363.c2cde80a.2da1a176.83265159.43a0f1fe.6bb676bb.c4f12ae6.97923ac6.df3c423f.601e4ccc.1d3def36.3e0616cf.ef6bffc1", + "identity": "7d9ef9cb-339e-4241-b820-5ddabcfdd259" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 28, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 15, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 159, + "endLine": 159, + "startColumn": 9, + "endColumn": 14 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": 
{ + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 160, + "endLine": 160, + "startColumn": 18, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 161, + "endLine": 161, + "startColumn": 6, + "endColumn": 12 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 162, + "endLine": 162, + "startColumn": 11, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 57, + "endColumn": 61 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 28, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 163, + "endLine": 163, + "startColumn": 13, + "endColumn": 25 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 164, + "endLine": 164, + "startColumn": 26, + "endColumn": 38 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 15, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 12, + 
"physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 170, + "startColumn": 9, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 168, + "endLine": 168, + "startColumn": 13, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 172, + "endLine": 172, + "startColumn": 19, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 89, + "endLine": 89, + "startColumn": 28, + "endColumn": 55 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 67, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 37, + "endColumn": 43 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 90, + "endLine": 90, + "startColumn": 9, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + 
"location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 95, + "endLine": 95, + "startColumn": 47, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 9, + "endColumn": 15 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 7, + "endColumn": 13 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 112, + "endLine": 112, + "startColumn": 38, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 32, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 13, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/find-files.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 5, + "endColumn": 12 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 566, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": 
"fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18)", + "[requests.get](19)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + ], + "fingerprints": { + "0": "1ac4c999d9f9c976efa5283a07e8d070ea9c476bd0b67cc95af2f19f60486d46", + "1": "2b627c13.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.75d4ed92.8794408a.e06468b8.2da3d253.16f66073.3beeacb6.25ac000c.73cfdf26.cc914b1e.f46ed94e", + "identity": "c3c7608f-9d2f-4597-8e50-42e7eaa3cb95" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + 
"region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + 
"artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20)", + "[requests.get](21)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + ], + "fingerprints": { + "0": "9a3787f3591d8ec7fbba72d1451e02cb5788ecdde35dea680749d037c3222282", + "1": "befed5bc.4e7b2cf3.ef7ad415.139c59a8.25ac000c.ba14daf2.081ac3f4.ebed174f.129db901.2da3d253.ef7ad415.139c59a8.25ac000c.786f7372.cc914b1e.36100b92", + "identity": "6657f475-9800-4c42-971a-52233cae9260" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 59, + "endLine": 59, + "startColumn": 12, + "endColumn": 28 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 36, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": 
{ + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 32, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 60, + "endLine": 60, + "startColumn": 13, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 44 + } + } + } + }, + { + "location": { + 
"id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 41, + "endColumn": 56 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 70, + "endLine": 70, + "startColumn": 28, + "endColumn": 40 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/Ssrf", + "ruleIndex": 2, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into requests.get, where it is used as an URL to perform a request. This may result in a Server Side Request Forgery vulnerability.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as an URL to perform a request. 
This may result in a Server Side Request Forgery vulnerability.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14)", + "[requests.get](15)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 27, + "endColumn": 44 + } + } + } + ], + "fingerprints": { + "0": "5e83a48b58134323a3afdec34bce3b5f67930ae86ccd334485fa819643306a19", + "1": "8a30cfc6.2fab3ddd.79e62dc9.3beeacb6.1a0abf6d.f7316481.0a7337bb.8794408a.8a30cfc6.2fab3ddd.7dc6970d.3beeacb6.25ac000c.73cfdf26.51b4c2f8.247d501d", + "identity": "a3f8fce9-55d2-4081-8d8e-a073f243152d" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 12, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 188, + "endLine": 188, + "startColumn": 5, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 191, + "endLine": 191, + "startColumn": 30, + "endColumn": 34 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 199, + "endLine": 199, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 115, + "endLine": 115, + "startColumn": 19, + "endColumn": 31 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 121, + "endLine": 121, + "startColumn": 45, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 45, + "endLine": 45, + "startColumn": 23, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 57, + "endLine": 57, + "startColumn": 31, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 29, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 11, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": 
"scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 62, + "endLine": 62, + "startColumn": 5, + "endColumn": 58 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 45, + "endColumn": 48 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 33, + "endColumn": 36 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/install-snyk.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 67, + "endLine": 67, + "startColumn": 20, + "endColumn": 32 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 574, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "this is a temporary ignore until the year 2099", + "properties": { + "category": "temporary-ignore", + "expiration": "2099-01-05T06:00:00Z", + "ignoredOn": "2024-11-07T22:24:42.223Z", + "ignoredBy": { + "name": "Ian Zink", + "email": "ian.zink@snyk.io" + } + } + } + ] + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "md5 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[md5](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + ], + "fingerprints": { + "0": "479642e07aa12fee9dc1506f4eda082c7e69a5328eac0d4d0fd51927b86eaccf", + "1": "37bc1bfe.4773f344.191eaf2b.5e127924.ef9f7d82.8020cfdf.7a8c7288.71520ffe.9ff0579e.706318d0.191eaf2b.5e127924.ef9f7d82.5fce695c.04f551bd.71520ffe", + "identity": "9587a91d-4df4-49bd-bca8-9218d6d56cbd" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 171, + "endLine": 171, + "startColumn": 17, + "endColumn": 22 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/cli/commands/log4shell.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 170, + "endLine": 171, + "startColumn": 10, + "endColumn": 16 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "javascript/InsecureHash", + "ruleIndex": 3, + "level": "note", + "message": { + "text": "sha1 hash (used in crypto.createHash) is insecure. Consider changing it to a secure hashing algorithm.", + "markdown": "{0} hash (used in {1}) is insecure. 
Consider changing it to a secure hashing algorithm.", + "arguments": [ + "[sha1](0)", + "[crypto.createHash](1)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "5402b52f3d79f78a64fbffbae9bb024a432ccf8e514f3db9371538a89377ae99", + "1": "37bc1bfe.ef45cec4.191eaf2b.d7919eeb.ef9f7d82.82ca542b.cd61fc56.71520ffe.9ff0579e.706318d0.191eaf2b.d7919eeb.ef9f7d82.5fce695c.cd61fc56.71520ffe", + "identity": "96ea0b3c-f347-436c-967d-c9795a5fbec8" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 36, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "src/lib/analytics/getStandardData.ts", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 37, + "endLine": 37, + "startColumn": 18, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 366, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileCodeFlow" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33)", + "[open](34)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + ], + "fingerprints": { + "0": "245fb45dffe940840d9bb382473ed5c68c335cf2ba9061d480909dc4b38f3980", + "1": "2e8ddaeb.09b47a5b.187bf175.e8753240.f3eda546.addfbd48.081ac3f4.a4830b9a.a756d36d.04ad2656.184a673a.e8753240.25ac000c.526495d1.e21874cf.0405b305", + "identity": "5b3fe9c9-a3c5-4aed-9c0a-32902e91a829" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + 
"id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } 
+ }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + 
"endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 
55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 5, + "endColumn": 75 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 127, + "endLine": 127, + "startColumn": 46, + "endColumn": 57 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 25, + "endLine": 25, + "startColumn": 25, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 26, + "endLine": 26, + "startColumn": 47, + "endColumn": 51 + } + } + } + }, + { + "location": { + "id": 33, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 19, + "endColumn": 23 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 29, + "endLine": 29, + "startColumn": 14, + "endColumn": 18 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": 
true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into open, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35)", + "[open](36)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + ], + "fingerprints": { + "0": "61f31832f7551d38760fdd29e60545da5145a358b4d6b62bdf22df5f695544b1", + "1": "2e8ddaeb.0305cef3.187bf175.2c554a8d.f3eda546.c553eccf.081ac3f4.0405b305.da9cf85a.04ad2656.184a673a.3beeacb6.25ac000c.c84fb153.2701234b.163a4e7f", + "identity": "dbeeb6a3-52aa-4a39-9b84-7c4c3dcdf79b" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, 
+ { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + 
"endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, 
+ "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + "endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 62 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 51, + "endColumn": 74 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + 
"startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 29, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 30, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 61, + "endLine": 61, + "startColumn": 12, + "endColumn": 21 + } + } + } + }, + { + "location": { + "id": 31, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 5, + "endColumn": 90 + } + } + } + }, + { + "location": { + "id": 32, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 133, + "endLine": 133, + "startColumn": 54, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 33, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": 
"%SRCROOT%" + }, + "region": { + "startLine": 38, + "endLine": 38, + "startColumn": 33, + "endColumn": 37 + } + } + } + }, + { + "location": { + "id": 34, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 39, + "endLine": 39, + "startColumn": 48, + "endColumn": 52 + } + } + } + }, + { + "location": { + "id": 35, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 15, + "endColumn": 19 + } + } + } + }, + { + "location": { + "id": 36, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 41, + "endLine": 41, + "startColumn": 10, + "endColumn": 14 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into urllib.request.urlretrieve, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. 
This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27)", + "[urllib.request.urlretrieve](28)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + ], + "fingerprints": { + "0": "0282674d572f7f297cd1aa78d33f45124c60e98e37f6259e7e562ff742f2dffe", + "1": "5ca5064a.b9c753f4.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305.ebdf5327.04ad2656.184a673a.139c59a8.25ac000c.c553eccf.0a7337bb.0405b305", + "identity": "26a7896d-933e-4c5d-af1e-872a99139bdb" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 
4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 76 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 12, + "endLine": 12, + "startColumn": 40, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 23, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 33 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 39 + } + } + } + }, + 
{ + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 47 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 16, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 13, + "endLine": 13, + "startColumn": 5, + "endColumn": 63 + } + } + } + }, + { + "location": { + "id": 16, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 17, + "endLine": 17, + "startColumn": 9, + "endColumn": 17 + } + } + } + }, + { + "location": { + "id": 17, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 21, + "endLine": 21, + "startColumn": 36, + "endColumn": 44 + } + } + } + }, + { + "location": { + "id": 18, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 22, + "endLine": 22, + "startColumn": 12, + "endColumn": 20 + } + } + } + }, + { + "location": { + "id": 19, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 5, + 
"endColumn": 77 + } + } + } + }, + { + "location": { + "id": 20, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 48, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 21, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 48, + "endLine": 48, + "startColumn": 34, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 22, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 49, + "endLine": 49, + "startColumn": 22, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 23, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 45, + "endColumn": 53 + } + } + } + }, + { + "location": { + "id": 24, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 17, + "endColumn": 29 + } + } + } + }, + { + "location": { + "id": 25, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 50, + "endLine": 50, + "startColumn": 5, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 26, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 52, + "endLine": 52, + "startColumn": 50, + "endColumn": 59 + } + } + } + }, + { + "location": { + "id": 27, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 
55, + "startColumn": 41, + "endColumn": 50 + } + } + } + }, + { + "location": { + "id": 28, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 55, + "endLine": 55, + "startColumn": 9, + "endColumn": 35 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + }, + { + "ruleId": "python/PT", + "ruleIndex": 4, + "level": "warning", + "message": { + "text": "Unsanitized input from a command line argument flows into extractall, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "markdown": "Unsanitized input from {0} {1} into {2}, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to write arbitrary files.", + "arguments": [ + "[a command line argument](0)", + "[flows](1),(2),(3),(4),(5),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15)", + "[extractall](16)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "1fe02d7432ce63d25cde1d07567918e0db228ef216fdfd91b82d3f17d235cdbe", + "1": "ac3946d7.794dc90c.2683ade8.139c59a8.056de048.ba14daf2.081ac3f4.8794408a.ac3946d7.04ad2656.187bf175.3beeacb6.aa4d77a8.526495d1.9280a36a.163a4e7f", + "identity": "d004df0d-e867-4493-a0d9-6f432197c7d4" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + 
"uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 1, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 107, + "endLine": 107, + "startColumn": 13, + "endColumn": 30 + } + } + } + }, + { + "location": { + "id": 2, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 110, + "endLine": 110, + "startColumn": 5, + "endColumn": 27 + } + } + } + }, + { + "location": { + "id": 3, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 113, + "endLine": 113, + "startColumn": 45, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 4, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 38, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 5, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 6, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 122, + "endLine": 122, + "startColumn": 64, + "endColumn": 68 + } + } + } + }, + { + "location": { + "id": 7, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 125, + "endLine": 125, + "startColumn": 61, + "endColumn": 65 + } + } + } + }, + { + "location": { + "id": 8, + "physicalLocation": { + "artifactLocation": { + 
"uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 130, + "endLine": 130, + "startColumn": 76, + "endColumn": 80 + } + } + } + }, + { + "location": { + "id": 9, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 54 + } + } + } + }, + { + "location": { + "id": 10, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 50, + "endColumn": 70 + } + } + } + }, + { + "location": { + "id": 11, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 150, + "endLine": 150, + "startColumn": 34, + "endColumn": 49 + } + } + } + }, + { + "location": { + "id": 12, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 64, + "endLine": 64, + "startColumn": 30, + "endColumn": 42 + } + } + } + }, + { + "location": { + "id": 13, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 65, + "endLine": 65, + "startColumn": 52, + "endColumn": 64 + } + } + } + }, + { + "location": { + "id": 14, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 33, + "endColumn": 45 + } + } + } + }, + { + "location": { + "id": 15, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 28, + "endColumn": 32 + } + } + } + }, + { + "location": { + "id": 16, + 
"physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 581, + "priorityScoreFactors": [ + { + "label": true, + "type": "multipleOccurrence" + }, + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": [ + { + "justification": "this is by design", + "properties": { + "category": "not-vulnerable", + "expiration": null, + "ignoredOn": "2024-11-07T22:29:45.657Z", + "ignoredBy": { + "name": "Ian Zink", + "email": "ian.zink@snyk.io" + } + } + } + ] + }, + { + "ruleId": "python/TarSlip", + "ruleIndex": 5, + "level": "warning", + "message": { + "text": "Calling extractall to extract all files from a tar file without sanitization. This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "markdown": "Calling {0} to extract all files from a tar file without sanitization. 
This may result files outside destination directory to be overwritten, resulting in an arbitrary file write.", + "arguments": [ + "[extractall](0)" + ] + }, + "locations": [ + { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + ], + "fingerprints": { + "0": "660533bad4614fc5e6d0a8f09aac6f01fba6015567fadfe0e81a506f14f52d56", + "1": "560a52d0.755ecede.187bf175.8a4e3f10.64ffc8ed.fb8cc529.28caaf2d.fa07e0a8.66f0b7f9.755ecede.187bf175.8a4e3f10.64ffc8ed.c7570064.292a8005.d53c5b6c", + "identity": "32200593-2fe9-40f1-bf2c-587b822f0ae5" + }, + "codeFlows": [ + { + "threadFlows": [ + { + "locations": [ + { + "location": { + "id": 0, + "physicalLocation": { + "artifactLocation": { + "uri": "scripts/download_go.py", + "uriBaseId": "%SRCROOT%" + }, + "region": { + "startLine": 68, + "endLine": 68, + "startColumn": 13, + "endColumn": 27 + } + } + } + } + ] + } + ] + } + ], + "properties": { + "priorityScore": 558, + "priorityScoreFactors": [ + { + "label": true, + "type": "hotFileSource" + }, + { + "label": true, + "type": "fixExamples" + } + ], + "isAutofixable": false + }, + "suppressions": null + } + ], + "properties": { + "coverage": [ + { + "files": 15, + "isSupported": true, + "lang": "JavaScript", + "type": "SUPPORTED" + }, + { + "files": 340, + "isSupported": true, + "lang": "TypeScript", + "type": "SUPPORTED" + }, + { + "files": 29, + "isSupported": true, + "lang": "Go", + "type": "SUPPORTED" + }, + { + "files": 1, + "isSupported": true, + "lang": ".config", + "type": "SUPPORTED" + }, + { + "files": 1, + "isSupported": true, + "lang": "XML", + "type": "SUPPORTED" + }, + { + "files": 3, + "isSupported": true, + "lang": "Python", + "type": "SUPPORTED" + } + ] + } + } + ] +} diff --git a/test/snyk-to-html.test.ts b/test/snyk-to-html.test.ts index 4b2f58c..6a89fd5 100644 
--- a/test/snyk-to-html.test.ts
+++ b/test/snyk-to-html.test.ts
@@ -937,6 +937,30 @@ test('test snyk-to-html container app vulnerabilities', (t) => {
 );
 });
+test('test snyk-to-html consistent ignores suppressions', (t) => {
+ t.plan(2);
+ // report generated with "snyk code test --json" against snyk cli
+ // with issues suppressed
+ SnykToHtml.run(
+ path.join(__dirname, 'fixtures', 'test-code-consistent-ignores.json'),
+ noRemediation,
+ path.join(__dirname, '..', 'template', 'test-report.hbs'),
+ noSummary,
+ (report) => {
+ t.contains(
+ report,
+ '
', + 'should contain a supression card', + ); + t.contains( + report, + '9 medium issues', + 'should contain a count of 9 medium issues (2 are suppressed)', + ); + }, + ); +}); + test('test snyk-to-html with custom path descriptors', (t) => { t.plan(1); // report generated with "snyk container test --all-projects --json" on a nuget multi-project with more than one path
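Review bot: The new test verifies that the suppression card and the adjusted "9 medium issues" count are rendered, but nothing checks that the suppression's free-text fields reach the page escaped — `justification`, `ignoredBy.name` and `ignoredBy.email` are taken from the SARIF input and (presumably via the new template partials) are now interpolated into the HTML report, so a fixture whose justification contains a `<` should be asserted to appear as `&lt;` in `report`. The commit description also says suppressed issues are moved to the end of the list, yet no assertion pins the ordering; comparing `report.indexOf(...)` of the suppressed card against an unsuppressed finding would cover it. The sample data contains a result with `"suppressions": null` alongside one with an array, and it is worth stating in the test comment that the count assertion relies on null being treated as "not suppressed" if the fixture mirrors that shape. Minor: the assertion message `'should contain a supression card'` should read `'should contain a suppression card'`.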