ACS-6304 Investigate SAST Pipeline Scan #2488

mikolajbrzezinski
Contributor

No description provided.

github-actions bot commented Mar 5, 2024

Scan Summary:
PIPELINE_SCAN_VERSION: 23.11.0-0
DEV-STAGE: DEVELOPMENT
PROJECT-NAME: alfresco-community-repo
SCAN_ID: 8e5a468c-1d79-4bb6-b8a7-868ed1d44a47
SCAN_STATUS: SUCCESS
SCAN_MESSAGE: Scan successful. Results size: 10257 bytes
====================
Analysis Successful.
====================

==========================
Found 1 Scannable modules.
==========================
alfresco-classes.jar

===================
Analyzed 1 modules.
===================
alfresco-classes.jar

==================
Analyzed 4 issues.
==================

----------------------------------
Found 2 issues of Medium severity.
----------------------------------
CWE-601: URL Redirection to Untrusted Site ('Open Redirect'): org/alfresco/web/app/servlet/DownloadContentServlet.java:126
Details: This call to jakarta.servlet.http.HttpServletResponse.sendRedirect() contains a URL redirection to untrusted site flaw. Writing untrusted input into a URL value could cause the web application to redirect the request to the specified URL, leading to phishing attempts to steal user credentials. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP
https://downloads.veracode.com/securityscan/cwe/v4/java/601.html
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): org/alfresco/web/app/servlet/DownloadContentServlet.java:126
Details: This call to jakarta.servlet.http.HttpServletResponse.sendRedirect() contains an HTTP response splitting flaw. Writing untrusted input into an HTTP header allows an attacker to manipulate the HTTP response rendered by the browser, to inject additional headers or an entire response body into the response stream. Injecting headers can be used to trick various security mechanisms in browsers into allowing XSS style attacks. Injecting entire response bodies can not only cause XSS attacks to succeed but may even poison the cache of any intermediary proxies between the clients and the application server. Escape, encode, or remove carriage return and line feed characters from untrusted data before inclusion in HTTP response headers. Whenever possible, use a security library such as ESAPI that provides safe versions of addHeader(), etc. that will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. References: CWE OWASP Supported Cleansers
https://downloads.veracode.com/securityscan/cwe/v4/java/113.html
----------------------------------
Skipping 2 issues of Low severity.
----------------------------------

Total flaws found: 4, New flaws found: 2 as compared to baseline


========================
FAILURE: Found 2 issues!
========================

[05 Mar 2024 12:27:30,0040] PIPELINE-SCAN INFO: Writing Scan Summary to file '/home/runner/work/alfresco-community-repo/alfresco-community-repo/results.json'.

…e_sast_scan_timeout' into fix/ACS-6304_investigate_pipeline_sast_scan_timeout

# Conflicts:
#	.github/workflows/ci.yml
#	amps/ags/pom.xml
#	amps/ags/rm-automation/pom.xml
#	amps/ags/rm-automation/rm-automation-community-rest-api/pom.xml
#	amps/ags/rm-community/pom.xml
#	amps/ags/rm-community/rm-community-repo/pom.xml
#	amps/ags/rm-community/rm-community-rest-api-explorer/pom.xml
#	amps/pom.xml
#	amps/share-services/pom.xml
#	core/pom.xml
#	data-model/pom.xml
#	mmt/pom.xml
#	packaging/distribution/pom.xml
#	packaging/docker-alfresco/pom.xml
#	packaging/pom.xml
#	packaging/tests/pom.xml
#	packaging/tests/tas-cmis/pom.xml
#	packaging/tests/tas-email/pom.xml
#	packaging/tests/tas-integration/pom.xml
#	packaging/tests/tas-restapi/pom.xml
#	packaging/tests/tas-webdav/pom.xml
#	packaging/war/pom.xml
#	pom.xml
#	remote-api/pom.xml
#	repository/pom.xml
@mikolajbrzezinski mikolajbrzezinski deleted the fix/ACS-6304_investigate_pipeline_sast_scan_timeout branch September 27, 2024 12:27