diff --git a/src/lib/plugins/sast/analysis.ts b/src/lib/plugins/sast/analysis.ts
index ace06787926..4fb02e90a28 100644
--- a/src/lib/plugins/sast/analysis.ts
+++ b/src/lib/plugins/sast/analysis.ts
@@ -49,17 +49,14 @@ async function getCodeAnalysis(root: string, options: Options): Promise {
  const severity = options.severityThreshold ? severityToAnalysisSeverity(options.severityThreshold) : AnalysisSeverity.info;
- const paths: string[] = [root];
- const sarif = true;
+
  const result = await analyzeFolders({
- baseURL,
- sessionToken,
- severity,
- paths,
- sarif,
+ connection: { baseURL, sessionToken, source: 'snyk-cli' },
+ analysisOptions: { severity },
+ fileOptions: { paths: [root] },
  });
- return result.sarifResults!;
+ return result?.analysisResults.sarif!;
 }
 function severityToAnalysisSeverity(severity: SEVERITY): AnalysisSeverity {
diff --git a/test/fixtures/sast/sample-analyze-folders-response.json b/test/fixtures/sast/sample-analyze-folders-response.json
index 622958f5a84..12ecc067c69 100644
--- a/test/fixtures/sast/sample-analyze-folders-response.json
+++ b/test/fixtures/sast/sample-analyze-folders-response.json
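Review bot: `return result?.analysisResults.sarif!;` pairs optional chaining with a non-null assertion, so when `analyzeFolders` resolves to a nullish `result` the function quietly returns `undefined` even though its declared return type (truncated in the hunk header) presumably does not admit that, and the `!` only hides the mismatch from the compiler; the failure then surfaces later in whatever consumes the SARIF log, far from its cause. Replace the assertion with an explicit guard, e.g. `if (!result?.analysisResults.sarif) throw new Error('Snyk Code analysis returned no SARIF results');` followed by `return result.analysisResults.sarif;` (or the project's own error class if callers catch a specific type). The removed call also passed `sarif: true` explicitly; if the new `analysisOptions` has an equivalent flag it is not set here, so confirm the new client produces SARIF by default rather than relying on the `!` to paper over a missing field. `getCodeAnalysis` begins before this hunk; only its tail is visible.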
@@ -1,4573 +1,1735 @@ { - "baseURL": "http://proxy.acme--snyk-url.io", - "sessionToken": "912D0461-5CCD-417B-8073-1305D1D896C2", - "includeLint": false, - "severity": 1, - "supportedFiles": { - "extensions": [ - ".java", - ".es", - ".es6", - ".htm", - ".html", - ".js", - ".jsx", - ".ts", - ".tsx", - ".vue" - ], - "configFiles": [ - ".dcignore", - ".gitignore" + "connection": { + "baseURL": "http://proxy.acme--snyk-url.io", + "sessionToken": "912D0461-5CCD-417B-8073-1305D1D896C2", + "source": "snyk-cli" + }, + "analysisOptions": { "severity": 1 }, + "fileOptions": { + "paths": ["../goof"], + "symlinksEnabled": false + }, + "fileBundle": { + "bundleHash": "FFD4CE2E-74CE-4FC8-B868-CC707FD31389", + "baseDir": "../goof", + "supportedFiles": { + "extensions": [ + ".java", + ".es", + ".es6", + ".htm", + ".html", + ".js", + ".jsx", + ".ts", + ".tsx", + ".vue" + ], + "configFiles": [ + ".dcignore", + ".gitignore" + ] + }, + "fileIgnores": [ + "**/.git", + "sample-project/goof/**/.DS_Store", + "sample-project/goof/**/node_modules", + "sample-project/goof/**/*.sock", + "sample-project/goof/**/.sass-cache", + "sample-project/goof/**/sass", + "sample-project/goof/**/config.rb", + "sample-project/goof/**/npm-debug.log" ] }, - "baseDir": "../goof", - "paths": [ - "../goof" - ], - "fileIgnores": [ - "**/.git", - "sample-project/goof/**/.DS_Store", - "sample-project/goof/**/node_modules", - "sample-project/goof/**/*.sock", - "sample-project/goof/**/.sass-cache", - "sample-project/goof/**/sass", - "sample-project/goof/**/config.rb", - "sample-project/goof/**/npm-debug.log" - ], - "symlinksEnabled": false, - "bundleId": "gh/snykcode/FFD4CE2E-74CE-4FC8-B868-CC707FD31389", "analysisResults": { - "files": { - "sample-project/goof/app.js": { - "0": [ - { - "rows": [ - 12, - 12 - ], - "cols": [ - 12, - 26 - ], - "markers": [ - { - "msg": [ - 0, - 3 - ], - "pos": [ - { - "rows": [ - 12, - 12 - ], - "cols": [ - 20, - 25 - ], - "file": "/app.js" - } - ] - }, - { - "msg": [ - 14, - 20 - ], - 
"pos": [ - { - "rows": [ - 12, - 12 - ], - "cols": [ - 12, - 26 - ], - "file": "/app.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "1": [ - { - "rows": [ - 27, - 27 - ], - "cols": [ - 11, - 19 - ], - "markers": [ - { - "msg": [ - 37, - 47 - ], - "pos": [ - { - "rows": [ - 27, - 27 - ], - "cols": [ - 11, - 19 - ], - "file": "/app.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ] - }, - "sample-project/goof/routes/index.js": { - "2": [ - { - "rows": [ - 186, - 186 - ], - "cols": [ - 9, - 19 - ], - "markers": [], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "3": [ - { - "rows": [ - 39, - 39 - ], - "cols": [ - 3, - 11 - ], - "markers": [ - { - "msg": [ - 23, - 43 - ], - "pos": [ - { - "rows": [ - 38, - 38 - ], - "cols": [ - 15, - 22 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 45, - 49 - ], - "pos": [ - { - "rows": [ - 38, - 38 - ], - "cols": [ - 15, - 22 - ], - "file": "/routes/index.js" + "sarif": { + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "SnykCode", + "semanticVersion": "1.0.0", + "version": "1.0.0", + "rules": [ + { + "id": "javascript/HttpToHttps", + "name": "HttpToHttps", + "shortDescription": { + "text": "Cleartext Transmission of Sensitive Information" }, - { - "rows": [ - 39, - 39 - ], - "cols": [ - 25, - 32 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "warning" }, - { - "rows": [ - 39, - 39 - ], - "cols": [ - 15, - 22 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 39, - 39 - ], - "cols": [ - 13, - 72 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 56, - 59 - ], - "pos": [ - { - 
"rows": [ - 39, - 39 - ], - "cols": [ - 3, - 11 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "4": [ - { - "rows": [ - 62, - 62 - ], - "cols": [ - 12, - 23 - ], - "markers": [ - { - "msg": [ - 12, - 16 - ], - "pos": [ - { - "rows": [ - 62, - 62 - ], - "cols": [ - 25, - 29 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 21, - 27 - ], - "pos": [ - { - "rows": [ - 62, - 62 - ], - "cols": [ - 12, - 23 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 48, - 55 - ], - "pos": [ - { - "rows": [ - 62, - 62 - ], - "cols": [ - 25, - 29 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 56, - 84 - ], - "pos": [ - { - "rows": [ - 62, - 62 - ], - "cols": [ - 25, - 29 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "5": [ - { - "rows": [ - 77, - 113 - ], - "cols": [ - 18, - 1 - ], - "markers": [ - { - "msg": [ - 5, - 20 - ], - "pos": [ - { - "rows": [ - 77, - 113 - ], - "cols": [ - 18, - 1 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 31, - 56 - ], - "pos": [ - { - "rows": [ - 86, - 86 - ], - "cols": [ - 10, - 26 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "6": [ - { - "rows": [ - 166, - 221 - ], - "cols": [ - 18, - 1 - ], - "markers": [ - { - "msg": [ - 5, - 20 - ], - "pos": [ - { - "rows": [ - 166, - 221 - ], - "cols": [ - 18, - 1 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 31, - 53 - ], - "pos": [ - { - "rows": [ - 184, - 184 - ], - "cols": [ - 17, - 28 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "7": [ - { - "rows": [ - 86, - 86 - ], - 
"cols": [ - 5, - 26 - ], - "markers": [ - { - "msg": [ - 23, - 43 - ], - "pos": [ - { - "rows": [ - 80, - 80 - ], - "cols": [ - 14, - 21 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "http", + "server" + ], + "categories":["Security"], + "precision": "very-high", + "cwe": [ + "CWE-319" + ] } - ] - }, - { - "msg": [ - 45, - 49 - ], - "pos": [ - { - "rows": [ - 80, - 80 - ], - "cols": [ - 14, - 21 - ], - "file": "/routes/index.js" - }, - { - "rows": [ - 80, - 80 - ], - "cols": [ - 7, - 10 - ], - "file": "/routes/index.js" - }, - { - "rows": [ - 82, - 82 - ], - "cols": [ - 36, - 39 - ], - "file": "/routes/index.js" - }, - { - "rows": [ - 83, - 83 - ], - "cols": [ - 15, - 18 - ], - "file": "/routes/index.js" - }, - { - "rows": [ - 83, - 83 - ], - "cols": [ - 15, - 24 - ], - "file": "/routes/index.js" + }, + { + "id": "javascript/DisablePoweredBy", + "name": "DisablePoweredBy", + "shortDescription": { + "text": "Information Exposure" }, - { - "rows": [ - 83, - 83 - ], - "cols": [ - 15, - 34 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "warning" }, - { - "rows": [ - 83, - 83 - ], - "cols": [ - 9, - 11 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 86, - 86 - ], - "cols": [ - 10, - 26 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 56, - 73 - ], - "pos": [ - { - "rows": [ - 86, - 86 - ], - "cols": [ - 5, - 26 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "8": [ - { - "rows": [ - 109, - 109 - ], - "cols": [ - 5, - 24 - ], - "markers": [ - { - "msg": [ - 23, - 43 - ], - "pos": [ - { - "rows": [ - 80, - 80 - ], - "cols": [ - 14, - 21 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "express", + "server", + "helmet" + ], + "categories":["Security"], + "precision": 
"very-high", + "cwe": [ + "CWE-200" + ] } - ] - }, - { - "msg": [ - 45, - 49 - ], - "pos": [ - { - "rows": [ - 80, - 80 - ], - "cols": [ - 14, - 21 - ], - "file": "/routes/index.js" + }, + { + "id": "javascript/JavascriptSelfAssignment", + "name": "JavascriptSelfAssignment", + "shortDescription": { + "text": "JavascriptSelfAssignment" }, - { - "rows": [ - 80, - 80 - ], - "cols": [ - 7, - 10 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "note" }, - { - "rows": [ - 82, - 82 - ], - "cols": [ - 36, - 39 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 94, - 94 - ], - "cols": [ - 18, - 21 + "properties": { + "tags": [ + "javascript" ], - "file": "/routes/index.js" + "categories":["Check"], + "precision": "very-high" + } + }, + { + "id": "javascript/Sqli", + "name": "Sqli", + "shortDescription": { + "text": "SQL Injection" }, - { - "rows": [ - 55, - 55 - ], - "cols": [ - 16, - 19 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "error" }, - { - "rows": [ - 56, - 56 - ], - "cols": [ - 11, - 14 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 56, - 56 - ], - "cols": [ - 7, - 7 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "tests", + "adapter", + "database" + ], + "categories":["Security"], + "precision": "very-high", + "cwe": [ + "CWE-89" + ] + } + }, + { + "id": "javascript/ReplacementRegex", + "name": "ReplacementRegex", + "shortDescription": { + "text": "ReplacementRegex" }, - { - "rows": [ - 59, - 59 - ], - "cols": [ - 18, - 18 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "warning" }, - { - "rows": [ - 61, - 61 - ], - "cols": [ - 16, - 16 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 69, - 69 - ], - "cols": [ - 9, - 9 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + 
"javascript", + "upgrade", + "maintenance", + "bug", + "newline", + "favicon", + "auth" + ], + "categories":["Defect"], + "precision": "very-high" + } + }, + { + "id": "javascript/NoRateLimitingForExpensiveWebOperation", + "name": "NoRateLimitingForExpensiveWebOperation", + "shortDescription": { + "text": "Allocation of Resources Without Limits or Throttling" }, - { - "rows": [ - 69, - 69 - ], - "cols": [ - 9, - 15 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "warning" }, - { - "rows": [ - 74, - 74 - ], - "cols": [ - 10, - 10 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 98, - 98 - ], - "cols": [ - 14, - 17 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "file", + "server" + ], + "categories":["Security"], + "precision": "very-high", + "cwe": [ + "CWE-770" + ] + } + }, + { + "id": "javascript/NoRateLimitingForExpensiveWebOperation", + "name": "NoRateLimitingForExpensiveWebOperation", + "shortDescription": { + "text": "Allocation of Resources Without Limits or Throttling" }, - { - "rows": [ - 98, - 98 - ], - "cols": [ - 5, - 11 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "warning" }, - { - "rows": [ - 100, - 100 - ], - "cols": [ - 26, - 29 - ], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 109, - 109 - ], - "cols": [ - 26, - 29 - ], - "file": "/routes/index.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "file", + "server" + ], + "categories":["Security"], + "precision": "very-high", + "cwe": [ + "CWE-770" + ] + } + }, + { + "id": "javascript/CommandInjection", + "name": "CommandInjection", + "shortDescription": { + "text": "Command Injection" }, - { - "rows": [ - 109, - 109 - ], - "cols": [ - 26, - 37 - ], - "file": "/routes/index.js" + "defaultConfiguration": { + "level": "error" }, - { - "rows": [ - 109, - 109 - ], - "cols": [ - 26, - 46 - 
], - "file": "/routes/index.js" + "help": { + "markdown": "", + "text": "" }, - { - "rows": [ - 109, - 109 - ], - "cols": [ - 26, - 56 - ], - "file": "/routes/index.js" - } - ] - }, - { - "msg": [ - 56, - 59 - ], - "pos": [ - { - "rows": [ - 109, - 109 - ], - "cols": [ - 5, - 24 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ], - "9": [ - { - "rows": [ - 186, - 186 - ], - "cols": [ - 9, - 19 - ], - "markers": [ - { - "msg": [ - 39, - 51 - ], - "pos": [ - { - "rows": [ - 186, - 186 - ], - "cols": [ - 9, - 19 - ], - "file": "/routes/index.js" - } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ] - }, - "sample-project/goof/utils.js": { - "10": [ - { - "rows": [ - 25, - 25 - ], - "cols": [ - 5, - 17 - ], - "markers": [ - { - "msg": [ - 4, - 17 - ], - "pos": [ - { - "rows": [ - 25, - 25 - ], - "cols": [ - 20, - 35 - ], - "file": "/utils.js" - } - ] - }, - { - "msg": [ - 72, - 80 - ], - "pos": [ - { - "rows": [ - 25, - 25 - ], - "cols": [ - 5, - 17 - ], - "file": "/utils.js" + "properties": { + "tags": [ + "javascript", + "maintenance", + "usability", + "knot", + "tests", + "tap" + ], + "categories":["Security"], + "precision": "very-high", + "cwe": [ + "CWE-78" + ] } - ] - } - ], - "fingerprints": [ - { - "version": 0, - "fingerprint": "8ecbfa60577a4d25a3c18f790761ea95" - } - ] - } - ] - } - }, - "suggestions": { - "0": { - "id": "javascript%2Fdc_interfile_project%2FHttpToHttps", - "rule": "HttpToHttps", - "message": "http (used in require) is an insecure protocol and should not be used in new code.", - "severity": 2, - "lead_url": "", - "leadURL": "", - "categories": [ - "Security" - ], - "tags": [ - "maintenance", - "http", - "server" - ], - "title": "Cleartext Transmission of Sensitive Information", - "cwe": [ - "CWE-319" - ], - "text": "", - "repoDatasetSize": 650, - 
"exampleCommitDescriptions": [ - "Added https imposter tests;", - "Isolate config/server code and add tests ()" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/Rocket1184/qq-bot-rebown/commit/5255a8398cf1d80f60e182c53e8532c7562e76c2?diff=split#diff-62a4be7247c4abe75f2cc11746422b86L12", - "lines": [ - { - "line": "'use strict';", - "lineNumber": 9, - "lineChange": "none" - }, - { - "line": "const http = require('http');", - "lineNumber": 11, - "lineChange": "removed" - }, - { - "line": "const https = require('https');", - "lineNumber": 11, - "lineChange": "added" - }, - { - "line": "function http2https(link) {", - "lineNumber": 13, - "lineChange": "added" - }, - { - "line": " ", - "lineNumber": 20, - "lineChange": "none" - }, - { - "line": "function shortenUrl(url) {", - "lineNumber": 21, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/qmachine/qmachine/commit/1f9f08b5b1f9be78dd6625d93ec934befb255df7?diff=split#diff-54387be96a26d96583a0c7585e8607c5L56", - "lines": [ - { - "line": "};", - "lineNumber": 57, - "lineChange": "none" - }, - { - "line": "http = require('http');", - "lineNumber": 55, - "lineChange": "removed" - }, - { - "line": "https = require('https');", - "lineNumber": 59, - "lineChange": "added" - }, - { - "line": "http_GET = function (x) {", - "lineNumber": 57, - "lineChange": "removed" - }, - { - "line": "https_GET = function (x) {", - "lineNumber": 61, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/vmware-samples/vmware-blockchain-samples/commit/92bf99244de7b145eb4b22e36575d9fef376600b?diff=split#diff-21a000feb5ae912714215842b628c63cL3", - "lines": [ - { - "line": "const fs = require(\"fs\");", - "lineNumber": 7, - "lineChange": "none" - }, - { - "line": "const http = require(\"http\");", - "lineNumber": 2, - "lineChange": "removed" - }, - { - "line": "const https = require(\"https\");", - "lineNumber": 8, - "lineChange": "added" - }, - { - "line": "verifyMigrations();", - 
"lineNumber": 10, - "lineChange": "none" - } - ] - } - ] - }, - "1": { - "id": "javascript%2Fdc_interfile_project%2FDisablePoweredBy", - "rule": "DisablePoweredBy", - "message": "Disable X-Powered-By header for your Express app (consider using Helmet middleware), because it exposes information about the used framework to potential attackers.", - "severity": 2, - "lead_url": "http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header", - "leadURL": "http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header", - "categories": [ - "Security" - ], - "tags": [ - "maintenance", - "express", - "server", - "helmet" - ], - "title": "Information Exposure", - "cwe": [ - "CWE-200" - ], - "text": "", - "repoDatasetSize": 874, - "exampleCommitDescriptions": [ - "Test without express", - "/server tests ()", - "secure the api with helmet" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/eclipse/orion.client/commit/ad8f3bce33a1ea9d1e2144e6c42f075ad25829d6?diff=split#diff-16594450dc1f06f7d9cf4a47859cfa52L175", - "lines": [ - { - "line": "}", - "lineNumber": 172, - "lineChange": "none" - }, - { - "line": "return express()", - "lineNumber": 174, - "lineChange": "removed" - }, - { - "line": "return express.Router()", - "lineNumber": 174, - "lineChange": "added" - }, - { - "line": ".use(bodyParser.json())", - "lineNumber": 175, - "lineChange": "none" - }, - { - "line": ".use(resource(workspaceRoot, {", - "lineNumber": 176, - "lineChange": "removed" - }, - { - "line": ".use(apiPath(root))", - "lineNumber": 176, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/flowgrammable/flowsim/commit/1681245625230c6d71e1e74b0ada6551cbf2d935?diff=split#diff-4cb60403ef79ea471c0c046e9873a1e2L6", - "lines": [ - { - "line": "var cookieSession = require('cookie-session');", - "lineNumber": 3, - "lineChange": "none" - }, - { - "line": "express()", - "lineNumber": 5, - 
"lineChange": "removed" - }, - { - "line": "connect()", - "lineNumber": 5, - "lineChange": "added" - }, - { - "line": " .use(cookieParser())", - "lineNumber": 6, - "lineChange": "none" - }, - { - "line": " .use(cookieSession({ secret: 'testsecret' }))", - "lineNumber": 7, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/ajmueller/express-auth-session/commit/74209d7901e8b3cf4cf0e6f532d03f8e54e97381?diff=split#diff-0364f57fbff2fabbe941ed20c328ef1aL22", - "lines": [ - { - "line": "var authentication = require('./authentication');", - "lineNumber": 20, - "lineChange": "none" - }, - { - "line": "var app = express();", - "lineNumber": 22, - "lineChange": "none" - }, - { - "line": "app.use(sslRedirect());", - "lineNumber": 24, - "lineChange": "none" - }, - { - "line": "app.use(helmet());", - "lineNumber": 25, - "lineChange": "added" - }, - { - "line": "mongoose.connect(config.db.uri);", - "lineNumber": 27, - "lineChange": "none" - } - ] - } - ] - }, - "2": { - "id": "javascript%2Fdc_interfile_project%2FJavascriptSelfAssignment", - "rule": "JavascriptSelfAssignment", - "message": "This self assignment has no impact, consider removing it.", - "severity": 1, - "lead_url": "", - "leadURL": "", - "categories": [ - "Check" - ], - "tags": [], - "title": "", - "cwe": [], - "text": "", - "repoDatasetSize": 0, - "exampleCommitDescriptions": [], - "exampleCommitFixes": [] - }, - "3": { - "id": "javascript%2Fdc_interfile_project%2FSqli", - "rule": "Sqli", - "message": "Unsanitized input from the HTTP request body flows into find, where it is used in an SQL query. 
This may result in an SQL Injection vulnerability.", - "severity": 3, - "lead_url": "https://www.owasp.org/index.php/SQL_Injection", - "leadURL": "https://www.owasp.org/index.php/SQL_Injection", - "categories": [ - "Security" - ], - "tags": [ - "maintenance", - "tests", - "adapter", - "database" - ], - "title": "SQL Injection", - "cwe": [ - "CWE-89" - ], - "text": "", - "repoDatasetSize": 91, - "exampleCommitDescriptions": [ - "* Tests to TypeScript", - "* Adapt deletion + fix dependencies errors from yarn control", - "update config and database modules" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/mozilla/napkin/commit/b48aa5071e69bfe5fb22a7955514ff1fa0d9ca75?diff=split#diff-8c3093706848cad6938fd91248441eafL53", - "lines": [ - { - "line": " * Returns: A screen object if found, error if not found", - "lineNumber": 50, - "lineChange": "none" - }, - { - "line": " */", - "lineNumber": 51, - "lineChange": "none" - }, - { - "line": "exports.get = function(req, db, identifier, callback) {", - "lineNumber": 52, - "lineChange": "none" - }, - { - "line": " db.get('project:' + req.params.id + ':screen:' + identifier, function(err, screen) {", - "lineNumber": 53, - "lineChange": "removed" - }, - { - "line": " crud.get(req, 'project:' + req.params.id + ':screen:' + identifier, db, function(err, screen) {", - "lineNumber": 28, - "lineChange": "added" - }, - { - "line": " if (err) {", - "lineNumber": 54, - "lineChange": "none" - }, - { - "line": " return callback(err);", - "lineNumber": 55, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/handshake-org/hsd/commit/582a8fe66c44d4d16f1be2807f26c7a10b2722e8?diff=split#diff-33f90a5fbfb7686a58bcad311bb49997L283", - "lines": [ - { - "line": "async function updateWallet(wid) {", - "lineNumber": 284, - "lineChange": "none" - }, - { - "line": " const raw = await db.get(layout.w(wid));", - "lineNumber": 285, - "lineChange": "none" - }, - { - "line": " assert(raw);", - "lineNumber": 286, - 
"lineChange": "none" - }, - { - "line": " const br = bio.read(raw, true);", - "lineNumber": 288, - "lineChange": "none" - }, - { - "line": " br.readU32(); // Skip network.", - "lineNumber": 290, - "lineChange": "none" - }, - { - "line": " const wid = br.readU32();", - "lineNumber": 288, - "lineChange": "removed" - }, - { - "line": " br.readU32(); // Skip wid.", - "lineNumber": 291, - "lineChange": "added" - }, - { - "line": " const id = br.readVarString('ascii');", - "lineNumber": 292, - "lineChange": "none" - }, - { - "line": " const initialized = br.readU8() === 1;", - "lineNumber": 293, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/ireapps/census/commit/18ec433f5bfb9356b6dac3b70ccdb17650963ca8?diff=split#diff-5933928215d2295a1a08721bd88a70f2L95", - "lines": [ - { - "line": "success: function(states) {", - "lineNumber": 94, - "lineChange": "none" - }, - { - "line": " _.each(states, function(state) {", - "lineNumber": 95, - "lineChange": "none" - }, - { - "line": " query.mappings.states.push([state, STATES[state]]);", - "lineNumber": 96, - "lineChange": "none" - }, - { - "line": " });", - "lineNumber": 97, - "lineChange": "none" - }, - { - "line": "}", - "lineNumber": 98, - "lineChange": "none" - }, - { - "line": "// Remove this section to enable \"go button\" prompt:", - "lineNumber": 220, - "lineChange": "none" - }, - { - "line": "var q = window.query;", - "lineNumber": 221, - "lineChange": "none" - }, - { - "line": "if (query.get('summarylevel') && query.get(query.get(\"summarylevel\")))", - "lineNumber": 215, - "lineChange": "removed" - }, - { - "line": "if (this.get('summarylevel') && this.get(this.get(\"summarylevel\")))", - "lineNumber": 222, - "lineChange": "added" - }, - { - "line": " // The item we just selected is of the same type as our", - "lineNumber": 223, - "lineChange": "none" - }, - { - "line": " // target datatype. 
We just picked the value we wanted.", - "lineNumber": 224, - "lineChange": "none" - } - ] - } - ] - }, - "4": { - "id": "javascript%2Fdc_interfile_project%2FReplacementRegex", - "rule": "ReplacementRegex", - "message": "The pattern regex in replace may be improved to /\\r?\\n$/to handle different new lines.", - "severity": 2, - "lead_url": "", - "leadURL": "", - "categories": [ - "Defect" - ], - "tags": [ - "upgrade", - "maintenance", - "bug", - "newline", - "favicon", - "auth" - ], - "title": "", - "cwe": [], - "text": "", - "repoDatasetSize": 53, - "exampleCommitDescriptions": [ - "Fix match on ending newline bug", - "Better logging for favicons.", - "* Even better auth switching and timeline syntax" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/mendersoftware/gui/commit/c405d03b427597de4403ecb17d0ba5fb59db6990?diff=split#diff-39fc4832feaa070d647472aea98a21dcL118", - "lines": [ - { - "line": "// Transform dot notation to bracket notation", - "lineNumber": 116, - "lineChange": "none" - }, - { - "line": "var key = options.allowDots ? givenKey.replace(/\\.([^\\.\\[]+)/g, '[$1]') : givenKey;", - "lineNumber": 117, - "lineChange": "removed" - }, - { - "line": "var key = options.allowDots ? givenKey.replace(/\\.([^.[]+)/g, '[$1]') : givenKey;", - "lineNumber": 117, - "lineChange": "added" - }, - { - "line": "// The regex chunks", - "lineNumber": 119, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/ljharb/qs/commit/1fb74cb66310c506e4b6bc04fa258a1759750222?diff=split#diff-ad0d84b4085543e1482273b0ab1bae60L96", - "lines": [ - { - "line": "// Transform dot notation to bracket notation", - "lineNumber": 94, - "lineChange": "none" - }, - { - "line": "var key = options.allowDots ? givenKey.replace(/\\.([^\\.\\[]+)/g, '[$1]') : givenKey;", - "lineNumber": 95, - "lineChange": "removed" - }, - { - "line": "var key = options.allowDots ? 
givenKey.replace(/\\.([^.[]+)/g, '[$1]') : givenKey;", - "lineNumber": 95, - "lineChange": "added" - }, - { - "line": "// The regex chunks", - "lineNumber": 97, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/concur/skipper/commit/2a50021fb0b7362a7a7a7b2b6774e2c2acd18f4f?diff=split#diff-bba0562eab7e4091eaf0cb9c19c00c1fL98", - "lines": [ - { - "line": "// Transform dot notation to bracket notation", - "lineNumber": 122, - "lineChange": "none" - }, - { - "line": "var key = options.allowDots ? givenKey.replace(/\\.([^\\.\\[]+)/g, '[$1]') : givenKey;", - "lineNumber": 97, - "lineChange": "removed" - }, - { - "line": "var key = options.allowDots ? givenKey.replace(/\\.([^.[]+)/g, '[$1]') : givenKey;", - "lineNumber": 123, - "lineChange": "added" - }, - { - "line": "// The regex chunks", - "lineNumber": 125, - "lineChange": "none" - } - ] - } - ] - }, - "5": { - "id": "javascript%2Fdc_interfile_project%2FNoRateLimitingForExpensiveWebOperation", - "rule": "NoRateLimitingForExpensiveWebOperation", - "message": "This endpoint handler performs a system command execution and does not use a rate-limiting mechanism. It may enable the attackers to perform Denial-of-service attacks. 
Consider using a rate-limiting middleware such as express-limit.", - "severity": 2, - "lead_url": "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md", - "leadURL": "https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa4-lack-of-resources-and-rate-limiting.md", - "categories": [ - "Security" - ], - "tags": [ - "maintenance", - "file", - "server" - ], - "title": "Allocation of Resources Without Limits or Throttling", - "cwe": [ - "CWE-770" - ], - "text": "", - "repoDatasetSize": 796, - "exampleCommitDescriptions": [ - "More tests for both old and new config file formats.", - "Server code refactor + unit tests" - ], - "exampleCommitFixes": [ - { - "commitURL": "https://github.com/soomtong/blititor/commit/6627d47e769eaa3308445105f924a514f9e750bd?diff=split#diff-832a2c38c4705ad5036bd453a0a9390bR23", - "lines": [ - { - "line": "var consoleCommand = {", - "lineNumber": 21, - "lineChange": "added" - }, - { - "line": " list: path.join(executePath, 'list'),", - "lineNumber": 22, - "lineChange": "added" - }, - { - "line": " create: path.join(executePath, 'create'),", - "lineNumber": 23, - "lineChange": "added" - }, - { - "line": " connect: path.join(executePath, 'connect')", - "lineNumber": 24, - "lineChange": "added" - }, - { - "line": "}", - "lineNumber": 55, - "lineChange": "none" - }, - { - "line": "function viewGateway(req, res) {", - "lineNumber": 57, - "lineChange": "none" - }, - { - "line": " var params = {", - "lineNumber": 58, - "lineChange": "none" - }, - { - "line": " title: '넷 앱 컨트롤러 허브',", - "lineNumber": 59, - "lineChange": "none" - }, - { - "line": "var executePath = path.join(BLITITOR.root, 'theme', BLITITOR.config.site.theme, 'bin')", - "lineNumber": 61, - "lineChange": "removed" - }, - { - "line": "var cmd = {", - "lineNumber": 62, - "lineChange": "removed" - }, - { - "line": " list: path.join(executePath, 'list'),", - "lineNumber": 63, - "lineChange": "removed" - }, - { - "line": " create: 
path.join(executePath, 'create'),", - "lineNumber": 64, - "lineChange": "removed" - }, - { - "line": " connect: path.join(executePath, 'connect')", - "lineNumber": 65, - "lineChange": "removed" - }, - { - "line": "};", - "lineNumber": 71, - "lineChange": "removed" - }, - { - "line": "childProcess.execFile(cmd.list, { env: gatewayConnectionInfo }, function (error, stdout, stderr) {", - "lineNumber": 73, - "lineChange": "removed" - }, - { - "line": " var result = stdout.toString().replace(/\\\\n/g, '\\n');", - "lineNumber": 74, - "lineChange": "removed" - }, - { - "line": "console.log(result);", - "lineNumber": 76, - "lineChange": "removed" - }, - { - "line": "};", - "lineNumber": 80, - "lineChange": "added" - }, - { - "line": "childProcess.execFile(consoleCommand.list, gatewayConnectionInfo, function (error, stdout, stderr) {", - "lineNumber": 82, - "lineChange": "added" - }, - { - "line": " var result = stdout.toString().replace(/\\\\n/g, '\\n');", - "lineNumber": 83, - "lineChange": "added" - }, - { - "line": "console.log(result);", - "lineNumber": 85, - "lineChange": "added" - } - ] - }, - { - "commitURL": "https://github.com/webtorrent/webtorrent.io/commit/b91657799cdb07f6639f250f40dcc6bcbc7c1658?diff=split#diff-b751a6aa76f40c029af6d50a1fd2c836L234", - "lines": [ - { - "line": "// WebTorrent Desktop Windows auto-update endpoint", - "lineNumber": 238, - "lineChange": "none" - }, - { - "line": "app.get('/desktop/update/*', function (req, res) {", - "lineNumber": 239, - "lineChange": "none" - }, - { - "line": " const pathname = new URL(req.url, 'http://example.com').pathname", - "lineNumber": 240, - "lineChange": "none" - }, - { - "line": " let filename = pathname.replace(/^\\/desktop\\/update\\//i, '')", - "lineNumber": 241, - "lineChange": "none" - }, - { - "line": " const sysarch = req.query.sysarch || 'ia32' // if not specified, default to ia32", - "lineNumber": 243, - "lineChange": "none" - }, - { - "line": " }", - "lineNumber": 257, - "lineChange": "none" - 
}, - { - "line": "} else {", - "lineNumber": 258, - "lineChange": "none" - }, - { - "line": " const match = /-(\\d+\\.\\d+\\.\\d+)-/.exec(filename)", - "lineNumber": 259, - "lineChange": "none" - }, - { - "line": " fileVersion = match && match[1]", - "lineNumber": 260, - "lineChange": "none" - }, - { - "line": "}", - "lineNumber": 261, - "lineChange": "none" - } - ] - }, - { - "commitURL": "https://github.com/lastmjs/zwitterion/commit/bd49184dcf08f1fd2b22f0b6ee168b93262997d4?diff=split#diff-7a9076d6d94e62c13d641aa71f19ae8eL189", - "lines": [ - { - "line": "// end side-effects", - "lineNumber": 186, - "lineChange": "none" - }, - { - "line": "function createNodeServer(http, nodePort, webSocketPort, watchFiles, tsWarning, tsError, target) {", - "lineNumber": 187, - "lineChange": "none" - }, - { - "line": " return http.createServer(async (req, res) => {", - "lineNumber": 188, - "lineChange": "none" - }, - { - "line": " const fileExtension = req.url.slice(req.url.lastIndexOf('.') + 1);", - "lineNumber": 189, - "lineChange": "none" - }, - { - "line": " switch (fileExtension) {", - "lineNumber": 191, - "lineChange": "none" - }, - { - "line": " case '/': {", - "lineNumber": 192, - "lineChange": "none" - }, - { - "line": " const indexFileContents = (await fs.readFile(`./index.html`)).toString();", - "lineNumber": 193, - "lineChange": "none" - }, - { - "line": " const modifiedIndexFileContents = modifyHTML(indexFileContents, 'index.html', watchFiles, webSocketPort);", - "lineNumber": 194, - "lineChange": "none" - }, - { - "line": " res.end(modifiedIndexFileContents);", - "lineNumber": 195, - "lineChange": "none" - }, - { - "line": "if (!disableSpa) {", - "lineNumber": 417, - "lineChange": "added" - }, - { - "line": " const indexFileContents = (await fs.readFile(`./index.html`)).toString();", - "lineNumber": 418, - "lineChange": "added" - }, - { - "line": " const modifiedIndexFileContents = modifyHTML(indexFileContents, 'index.html', watchFiles, webSocketPort);", - 
"lineNumber": 419, - "lineChange": "added" - }, - { - "line": " const directoryPath = req.url.slice(0, req.url.lastIndexOf('/')) || '/';", - "lineNumber": 420, - "lineChange": "added" - }, - { - "line": "}", - "lineNumber": 575, - "lineChange": "none" - }, - { - "line": "function modifyHTML(originalText, directoryPath, watchFiles, webSocketPort) {", - "lineNumber": 576, - "lineChange": "none" - }, - { - "line": " const text = originalText.includes('') && watchFiles ? originalText.replace('', `", - "lineNumber": 577, - "lineChange": "none" - }, - { - "line": "