Add ShiftLeft build rules #11
Checking analysis of application
ID | CVSS | Rating | CVE | Title |
---|---|---|---|---|
63 | 9.8 | critical | CVE-2015-4412 | BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (res… |
69 | 9.8 | critical | CVE-2020-7610 | All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype, … |
47 | 9.0 | critical | | Remote Code Execution: Code Injection Through Attacker-controlled Data via req in views.js:anonymous.anonymous2 |
48 | 9.0 | critical | | NoSQL Injection: HTTP Data to NoSQL Database via req in Order.js:anonymous.anonymous |
49 | 9.0 | critical | | Weak Cipher: Use of a Broken Cryptographic Algorithm in Login.js:encryptData |
Severity rating | Count |
---|---|
Critical | 14 |
High | 0 |
Medium | 0 |
Low | 0 |

Finding Type | Count |
---|---|
Container | 7 |
Vuln | 5 |
Oss_vuln | 2 |

Category | Count |
---|---|
Weak Cipher | 3 |
Crypto | 3 |
Remote Code Execution | 1 |
NoSQL Injection | 1 |

CVE | Count |
---|---|
CVE-2022-28391 | 2 |
CVE-2021-3711 | 2 |
CVE-2022-37434 | 1 |
CVE-2021-36159 | 1 |
CVE-2021-30139 | 1 |
CVE-2020-7610 | 1 |
CVE-2015-4412 | 1 |

OWASP 2021 Category | Count |
---|---|
A02-Cryptographic-Failures | 3 |
A03-Injection | 2 |
Allow one OSS or container finding: FAIL
(86 matched vulnerabilities; configured threshold is 1).
First 5 findings:
ID | CVSS | Rating | CVE | Title |
---|---|---|---|---|
63 | 9.8 | critical | CVE-2015-4412 | BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (r… |
69 | 9.8 | critical | CVE-2020-7610 | All versions of bson before 1.1.4 are vulnerable to Deserialization of Untrusted Data. The package will ignore an unknown value for an object's _bsontype… |
53 | 9.0 | critical | CVE-2021-30139 | pkg:pkg/alpine/[email protected] |
56 | 9.0 | critical | CVE-2021-36159 | pkg:pkg/alpine/[email protected] |
112 | 9.0 | critical | CVE-2022-28391 | CVE-2022-28391 affecting package busybox 1.35.0-1. A patched version of the package is available. |
Severity rating | Count |
---|---|
Critical | 9 |
High | 54 |
Medium | 21 |
Low | 2 |

Finding Type | Count |
---|---|
Container | 67 |
Oss_vuln | 19 |
Allow no reachable OSS vulnerability: FAIL
(4 matched vulnerabilities; configured threshold is 0).
Findings:
ID | CVSS | Rating | CVE | Title |
---|---|---|---|---|
54 | 7.5 | high | CVE-2021-3749 | axios before v0.21.2 is vulnerable to Inefficient Regular Expression Complexity. |
72 | 7.5 | high | CVE-2022-24999 | qs before 6.10.3 allows attackers to cause a Node process hang because a `__proto__` key can be used. In many typical web framework use cases, an unauthen… |
57 | 6.5 | medium | CVE-2023-45857 | An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XS… |
52 | 5.9 | medium | CVE-2020-28168 | Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that res… |
Severity rating | Count |
---|---|
Critical | 0 |
High | 2 |
Medium | 2 |
Low | 0 |

CVE | Count |
---|---|
CVE-2023-45857 | 1 |
CVE-2022-24999 | 1 |
CVE-2021-3749 | 1 |
CVE-2020-28168 | 1 |
3 rules failed.
This pull request enables build rules. You can read more about build rules here. The build rules are controlled by the `shiftleft.yml` file in the repository. Visit app.shiftleft.io to see the security findings for this repository.

We've done a few things on your behalf:

- `SHIFTLEFT_ACCESS_TOKEN` to allow GitHub Actions in this repository to communicate with the Qwiet (Shiftleft) API

Questions? Comments? Want to learn more? Get in touch with us or check out our documentation.