Code Security Report: 10 high severity findings, 186 total findings

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2024-11-04 04:59pm
Total Findings: 186 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 7339
Detected Programming Languages: 3 (JavaScript / TypeScript*, Go, Python)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
High	Insecure Directory Permissions	CWE-732	fs.go:118	1	2024-08-16 04:42pm
Vulnerable Code grafana/pkg/plugins/storage/fs.go Lines 113 to 118 in 446a5d4 } // Create needed directories to extract file // We can ignore gosec G304 here since it makes sense to give all users read access // nolint:gosec if err := os.MkdirAll(filepath.Dir(dstPath), 0755); err != nil { 1 Data Flow/s detected grafana/pkg/plugins/storage/fs.go Line 118 in 446a5d4 if err := os.MkdirAll(filepath.Dir(dstPath), 0755); err != nil { Secure Code Warrior Training Material
High	Insecure Directory Permissions	CWE-732	fs.go:105	1	2024-08-16 04:42pm
Vulnerable Code grafana/pkg/plugins/storage/fs.go Lines 100 to 105 in 446a5d4 dstPath := filepath.Clean(filepath.Join(fs.pluginsDir, removeGitBuildFromName(zf.Name, pluginDirName))) // lgtm[go/zipslip] if zf.FileInfo().IsDir() { // We can ignore gosec G304 here since it makes sense to give all users read access // nolint:gosec if err := os.MkdirAll(dstPath, 0755); err != nil { 1 Data Flow/s detected grafana/pkg/plugins/storage/fs.go Line 105 in 446a5d4 if err := os.MkdirAll(dstPath, 0755); err != nil { Secure Code Warrior Training Material
High	Insecure File Permissions	CWE-732	file.go:130	1	2024-08-16 04:42pm
Vulnerable Code grafana/pkg/infra/log/file.go Lines 125 to 130 in 446a5d4 func (w *FileLogWriter) createLogFile() (*os.File, error) { // Open the log file // We can ignore G304 here since we can't unconditionally lock these log files down to be readable only // by the owner // nolint:gosec return os.OpenFile(w.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0644) 1 Data Flow/s detected grafana/pkg/infra/log/file.go Line 130 in 446a5d4 return os.OpenFile(w.Filename, os.O_WRONLY|os.O_APPEND|os.O_CREATE, 0644) Secure Code Warrior Training Material
High	DOM Based Cross-Site Scripting	CWE-79	index.tsx:41	1	2024-08-16 04:42pm
Vulnerable Code grafana/public/swagger/index.tsx Lines 36 to 41 in 446a5d4 window.onload = () => { // the trailing slash breaks relative URL loading if (window.location.pathname.endsWith('/')) { const idx = window.location.href.lastIndexOf('/'); window.location.href = window.location.href.substring(0, idx); 1 Data Flow/s detected grafana/public/swagger/index.tsx Line 41 in 446a5d4 window.location.href = window.location.href.substring(0, idx); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Video
High	DOM Based Cross-Site Scripting	CWE-79	AppRootPage.tsx:91	1	2024-08-16 04:42pm
Vulnerable Code grafana/public/app/features/plugins/components/AppRootPage.tsx Lines 86 to 91 in 446a5d4 ); } const pluginRoot = plugin.root && ( <PluginContextProvider meta={plugin.meta}> <plugin.root 1 Data Flow/s detected grafana/public/app/features/plugins/components/AppRootPage.tsx Line 96 in 446a5d4 path={location.pathname} Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Video
High	Cross-Site Scripting	CWE-79	webhook-listener.go:160	1	2024-08-16 04:42pm
Vulnerable Code grafana/devenv/docker/ha-test-unified-alerting/webhook-listener.go Lines 155 to 160 in 446a5d4 log.Println(err) w.WriteHeader(http.StatusInternalServerError) return } w.Header().Add("Content-Type", "application/json") w.Write(b) 1 Data Flow/s detected grafana/devenv/docker/ha-test-unified-alerting/webhook-listener.go Line 131 in 446a5d4 b, err := io.ReadAll(r.Body) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video
High	Cross-Site Scripting	CWE-79	webhook-listener.go:135	1	2024-08-16 04:42pm
Vulnerable Code grafana/devenv/docker/ha-test-unified-alerting/webhook-listener.go Lines 130 to 135 in 446a5d4 log.Printf("got submission from: %s\n", r.RemoteAddr) b, err := io.ReadAll(r.Body) if err != nil { log.Println(err) w.WriteHeader(http.StatusBadRequest) return 1 Data Flow/s detected grafana/devenv/docker/ha-test-unified-alerting/webhook-listener.go Line 131 in 446a5d4 b, err := io.ReadAll(r.Body) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video
High	Cross-Site Scripting	CWE-79	middleware.go:29	1	2024-08-16 04:42pm
Vulnerable Code grafana/pkg/tsdb/cloudwatch/routes/middleware.go Lines 24 to 29 in 446a5d4 respondWithError(rw, httpError) return } rw.Header().Set("Content-Type", "application/json") _, err := rw.Write(json) 1 Data Flow/s detected grafana/pkg/tsdb/cloudwatch/routes/middleware.go Line 21 in 446a5d4 json, httpError := handleFunc(ctx, pluginContext, reqCtxFactory, req.URL.Query()) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video
High	Cross-Site Scripting	CWE-79	resource_handler.go:57	1	2024-08-16 04:42pm
Vulnerable Code grafana/pkg/tsdb/cloudwatch/resource_handler.go Lines 52 to 57 in 446a5d4 if err != nil { writeResponse(rw, http.StatusBadRequest, fmt.Sprintf("unexpected error %v", err), logger.FromContext(ctx)) return } rw.WriteHeader(http.StatusOK) _, err = rw.Write(body) 1 Data Flow/s detected grafana/pkg/tsdb/cloudwatch/resource_handler.go Line 46 in 446a5d4 data, err := handleFunc(ctx, pluginContext, req.URL.Query()) grafana/pkg/tsdb/cloudwatch/resource_handler.go Line 51 in 446a5d4 body, err := json.Marshal(data) grafana/pkg/tsdb/cloudwatch/resource_handler.go Line 57 in 446a5d4 _, err = rw.Write(body) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video
High	Cross-Site Scripting	CWE-79	events_views.py:65	1	2024-08-16 04:42pm
Vulnerable Code grafana/devenv/docker/blocks/graphite09/files/events_views.py Lines 60 to 65 in 446a5d4 else: return HttpResponse(status=405) def get_data(request): if 'jsonp' in request.REQUEST: response = HttpResponse( 1 Data Flow/s detected grafana/devenv/docker/blocks/graphite09/files/events_views.py Line 65 in 446a5d4 response = HttpResponse( Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior Cross-Site Scripting Video

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Cross-Site Scripting	CWE-79	Go	4
High	Cross-Site Scripting	CWE-79	Python	1
High	DOM Based Cross-Site Scripting	CWE-79	JavaScript / TypeScript*	2
High	Insecure Directory Permissions	CWE-732	Go	2
High	Insecure File Permissions	CWE-732	Go	1
Medium	Heap Inspection	CWE-244	Go	52
Medium	Insecure TLS Configuration	CWE-295	Go	3
Medium	Hardcoded Password/Credentials	CWE-798	JavaScript / TypeScript*	1
Medium	Sleep Denial of Service	CWE-400	Go	1
Medium	Weak Pseudo-Random	CWE-338	Go	93
Low	Log Forging	CWE-117	Go	10
Low	Weak Hash Strength	CWE-916	Go	16