
fixinator's People

Contributors: elpete, pfreitag


fixinator's Issues

Using gitLastCommit with submodules fails

I can reproduce this by only updating the submodule (mrcore) in a pull request and letting Jenkins run the pipeline. Below are the command parameters being used as well as the console output.

+ /usr/local/bin/box fixinator path=. gitLastCommit=true resultFormat=junit resultFile=./fixinator-report.xml
fixinator v3.0.2 built by Foundeo Inc.

    ___                      _             
   / __)                    | |            
 _| |__ ___  _   _ ____   __| |_____  ___  
(_   __) _ \| | | |  _ \ / _  | ___ |/ _ \ 
  | | | |_| | |_| | | | ( (_| | ____| |_| |
  |_|  \___/|____/|_| |_|\____|_____)\___/ 
                                         inc.


Fixinator will send source code to: https://api.fixinator.app/v1/scan
for scanning. The code is kept in RAM during scanning and is not persisted.
For details see: https://github.com/foundeo/fixinator/wiki/How-Does-Fixinator-Work

Note: The enterprise version allows you to run the code scanner fully on your own servers.
Detected CI Environment, I will continue without prompting
Fixinator API Server: https://api.fixinator.app/v1/scan
Scanning only files changed in the last git commit.
  M: v2/mrcore

Scanning /opt/jenkins/workspace/PR-155/

ERROR (5.6.1+00618)

Missing categories data, make sure you are using the latest fixinator server version.

/modules/fixinator/models/fixinator/FixinatorReport.cfc: line 293
291: 			</cfloop>
292: 		<cfelse>
293: 			<cfthrow message="Missing categories data, make sure you are using the latest fixinator server version.">
294: 		</cfif>
295: 		<!--- ensure that nothing was missed due to missing category data --->
called from /modules/fixinator/models/fixinator/FixinatorReport.cfc: line 31
called from /modules/fixinator/commands/fixinator.cfc: line 416
called from /system/services/CommandService.cfc: line 443
called from /system/services/CommandService.cfc: line 245
called from /system/Shell.cfc: line 817
called from /system/Bootstrap.cfm: line 119

To enable full stack trace, run config set verboseErrors=true

Post stage
[Pipeline] junit
Recording test results
No test report files were found. Configuration error?
Error when executing always post condition:
Also:   hudson.remoting.Channel$CallSiteStackTrace: Remote call to buildhost
		at hudson.remoting.Channel.attachCallSiteStackTrace(Channel.java:1784)
		at hudson.remoting.UserRequest$ExceptionResponse.retrieve(UserRequest.java:356)
		at hudson.remoting.Channel.call(Channel.java:1000)
		at hudson.FilePath.act(FilePath.java:1186)
		at hudson.FilePath.act(FilePath.java:1175)
		at hudson.tasks.junit.JUnitParser.parseResult(JUnitParser.java:118)
		at hudson.tasks.junit.JUnitResultArchiver.parse(JUnitResultArchiver.java:157)
		at hudson.tasks.junit.JUnitResultArchiver.parseAndSummarize(JUnitResultArchiver.java:251)
		at hudson.tasks.junit.pipeline.JUnitResultsStepExecution.run(JUnitResultsStepExecution.java:63)
		at hudson.tasks.junit.pipeline.JUnitResultsStepExecution.run(JUnitResultsStepExecution.java:29)
		at org.jenkinsci.plugins.workflow.steps.SynchronousNonBlockingStepExecution.lambda$start$0(SynchronousNonBlockingStepExecution.java:47)
		at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
hudson.AbortException: No test report files were found. Configuration error?
	at hudson.tasks.junit.JUnitParser$ParseResultCallable.invoke(JUnitParser.java:184)
	at hudson.FilePath$FileCallableWrapper.call(FilePath.java:3492)
	at hudson.remoting.UserRequest.perform(UserRequest.java:211)
	at hudson.remoting.UserRequest.perform(UserRequest.java:54)
	at hudson.remoting.Request$2.run(Request.java:377)
	at hudson.remoting.InterceptingExecutorService.lambda$wrap$0(InterceptingExecutorService.java:78)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:829)
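The changed-file list in the run above contains the submodule path `v2/mrcore`, which is a directory in the work tree rather than a source file. The following is an added example, not fixinator project code, of one way a last-commit file list can be filtered before scanning: in `git diff-tree -r --raw` output a submodule shows up as a gitlink entry with mode 160000, so such entries (and deletions, which no longer exist on disk) are dropped. It assumes the scanner does no such filtering itself; which extensions are worth scanning is left to the scanner.

```python
# Added example, not fixinator project code: filter the "files changed in the
# last commit" list so that submodule pointers are never handed to a file
# scanner. In `git diff-tree -r --raw` output a submodule appears as a gitlink
# entry with mode 160000 whose path is a directory in the work tree, so it
# cannot be read and scanned like a .cfc/.cfm file. Assumed: that the scanner
# does no such filtering itself.
import re
import subprocess
from typing import List

GITLINK_MODE = "160000"

# Raw diff-tree line layout:
#   :<old mode> <new mode> <old sha> <new sha> <status>[score]\t<path>[\t<new path>]
RAW_LINE = re.compile(
    r"^:(\d{6}) (\d{6}) [0-9a-f]+ [0-9a-f]+ ([A-Z])\d*\t(.+)$"
)


def changed_files(raw_diff: str) -> List[str]:
    """Return file paths from raw diff output.

    Skips submodule gitlinks (nothing in this repo to read) and deletions
    (the file no longer exists to scan); for renames/copies keeps the new path.
    """
    paths = []
    for line in raw_diff.splitlines():
        m = RAW_LINE.match(line)
        if not m:
            continue
        old_mode, new_mode, status, path_field = m.groups()
        if GITLINK_MODE in (old_mode, new_mode):
            continue  # submodule pointer moved; not a file in this repository
        if status == "D":
            continue
        paths.append(path_field.split("\t")[-1])
    return paths


def last_commit_files(repo_dir: str = ".") -> List[str]:
    """Ask git for the last commit's raw diff and filter it."""
    raw = subprocess.run(
        ["git", "diff-tree", "--no-commit-id", "-r", "--raw", "HEAD"],
        cwd=repo_dir, capture_output=True, text=True, check=True,
    ).stdout
    return changed_files(raw)


# Constructed sample mirroring the issue: a submodule bump (v2/mrcore) plus
# one real source change, one deletion, one added file and one rename.
SAMPLE_RAW = "\n".join([
    ":160000 160000 1111111 2222222 M\tv2/mrcore",
    ":100644 100644 3333333 4444444 M\tv2/handlers/Login.cfc",
    ":100644 000000 5555555 0000000 D\tv2/old/Unused.cfm",
    ":000000 100644 0000000 6666666 A\tREADME.md",
    ":100644 100644 7777777 7777777 R100\tv2/a.cfc\tv2/b.cfc",
])

if __name__ == "__main__":
    print(changed_files(SAMPLE_RAW))
```

Run inside a repository to see `last_commit_files()` applied to a real `HEAD`; the constructed `SAMPLE_RAW` shows the submodule line being dropped while ordinary modifications, additions and the new side of a rename survive.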

Slow execution when calling cloud service directly from instance of FixinatorClient.cfc

When I try to run the code below it takes over 5 min to get a response, but I do get one at the end.

<cfset FX = new FixinatorClient()>
<cfset result = FX.run(path = "SOME-FILE")>

Poking around found out that the problem is on line 90 of FixinatorClient:

local.batches = [{batchType:"progressBar", hasProgressBar:hasProgressBar, progressBar:progressBar, lock_name=local.lock_name}];

When I commented out the line, the execution went down to a few seconds. I would assume that you have some timeout that creates the hold up. You already have hasProgressBar flag, so maybe you can skip the addition of progressBar to the local.batches array.

Incorrect message for <cflocation> addtoken report

For the <cflocation> addtoken report, if the attribute exists but is set to yes or true it reports that it is missing, like this:

    [MEDIUM] CFLocation Missing Add Token found on line 357 of handleOption.cfm high confidence
    The CFLocation tag will automatically add the Session Identifiers (CFID, CFTOKEN or JSESSIONID) to the URL which increases risks for session hijacking.
    <cflocation url="/login" addtoken="true">

Whilst not a big issue, I did have to read the issue message a couple of times before I realised what it meant.

Usage of arrayEach() causes error in Adobe CF 2018 when working directly with FixinatorClient.cfc

I'm building a custom client to use Fixinator Service without command box using Adobe CF2018.
It is very simple: I create an instance of the FixinatorClient component, then set the API key and call the run() method, passing an absolute path to a file and a config struct.

I got an error on line 106 of FixinatorClient.cfc due to the fact that Adobe CF2018 arrayEach() does not support the last two arguments.

arrayEach(local.batches, processBatch, true, arrayLen(local.batches));

I did remove the last two arguments and was able to continue.

Missing API key should fail build

I noticed if the API key is not set (due to id10t errors 🙄 ) the CI build still passes. It seems 403 errors from the Fixinator server are caught, and do not return a non-zero exit code.

For reference, here's my Github Actions run:

https://github.com/michaelborn/cfPlaid/runs/3692858559?check_suite_focus=true

With a brief snippet of the error:

Note: The enterprise version allows you to run the code scanner fully on your own servers.
Detected CI Environment, I will continue without prompting
Fixinator API Server: https://api.fixinator.app/v1/scan
["/github/workspace/models/","/github/workspace/ModuleConfig.cfc"]

 √ | Scanning /github/workspace/

---- Fixinator Client Error ----

Fixinator API Key () is invalid, disabled or over the API request limit. Please contact Foundeo Inc. for assistance. Please provide your API key in correspondance. https://foundeo.com/contact/ 
403 Forbidden {"message":"Forbidden"}

This error should cause a non-zero exit code to be returned so the build will fail.
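A scanner that reports a client error and still lets the pipeline pass is failing open. As an added example, not fixinator's own exit-code handling, here is a small CI gate in Python that inspects the scanner's console output for the client-error marker and HTTP status shown above, and additionally checks that the result file the pipeline asked for was actually written. The marker text and output layout are taken from the run quoted in this issue; the exit-code values and the `box fixinator` invocation in `main()` are this example's own assumptions.

```python
# Added example, not fixinator's own exit-code handling: a CI gate that turns a
# scanner *client* error into a failed build instead of a silent pass. It reads
# the scanner's console output for the client-error marker and HTTP status shown
# in the issue, and checks that the JUnit result file the pipeline asked for was
# actually written. Assumed: the marker text and output layout above; the exit
# code values are this example's own choice.
import re
import subprocess
import sys
from pathlib import Path
from typing import Optional

EXIT_OK, EXIT_FINDINGS, EXIT_CLIENT_ERROR, EXIT_NO_REPORT = 0, 1, 2, 3
CLIENT_ERROR_MARKER = "---- Fixinator Client Error ----"
HTTP_STATUS_RE = re.compile(r"^\s*(\d{3}) [A-Za-z ]+", re.MULTILINE)


def client_error_status(output: str) -> Optional[int]:
    """HTTP status printed after the client-error marker; None when the
    output contains no client error; 0 when the status line is missing."""
    marker_at = output.find(CLIENT_ERROR_MARKER)
    if marker_at < 0:
        return None
    m = HTTP_STATUS_RE.search(output, marker_at)
    return int(m.group(1)) if m else 0


def gate(output: str, scanner_exit: int, report_exists: bool) -> int:
    """Fail closed: any client error or missing report is a build failure,
    whatever exit code the scanner itself returned."""
    if client_error_status(output) is not None:
        return EXIT_CLIENT_ERROR
    if not report_exists:
        return EXIT_NO_REPORT
    return EXIT_FINDINGS if scanner_exit != 0 else EXIT_OK


def main(argv) -> int:
    report = Path(argv[1]) if len(argv) > 1 else Path("fixinator-report.xml")
    proc = subprocess.run(
        ["box", "fixinator", "path=.", "resultFormat=junit", f"resultFile={report}"],
        capture_output=True, text=True,
    )
    sys.stdout.write(proc.stdout)
    sys.stderr.write(proc.stderr)
    return gate(proc.stdout + proc.stderr, proc.returncode, report.exists())


# Constructed sample output, abridged from the run quoted in the issue.
SAMPLE_403_OUTPUT = """Fixinator API Server: https://api.fixinator.app/v1/scan

 √ | Scanning /github/workspace/

---- Fixinator Client Error ----

Fixinator API Key () is invalid, disabled or over the API request limit.
403 Forbidden {"message":"Forbidden"}
"""

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as the pipeline step in place of a bare `box fixinator ...` call, the gate makes an empty or invalid API key surface as exit code 2 rather than a green build, and a scan that never produced its report as exit code 3.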

Update GitHub documentation to use actions/checkout@v4

I set up the GitHub Fixinator action using the examples specified in the documentation.

https://github.com/foundeo/fixinator/wiki/Running-Fixinator-on-Github-Actions

Those examples use actions/checkout@v2, but now I am getting warnings in the Fixinator scans that it's using Node v16 and we should upgrade to Node v20. Reviewing the GitHub docs, it looks like this is a simple fix, as you can use v4 instead of v2:

actions/checkout@v4

Can you update the documentation to reflect that or any other updated settings? Using v4 worked for me, and I no longer see those annotations in my scans.

Payload error detail never outputted

In fixinator.cfc lines 385-389 are not outputting to Commandbox shell (v5.6.1+00618).

print.line().boldRedLine("---- Fixinator Client Error ----").line();
print.redLine(err.message);
if (structKeyExists(err, "detail")) {
	print.whiteLine(err.detail);
}

I am using enterprise version installed locally with the latest updated code and when attempting to scan using the root folder of my application's code I kept getting an unhelpful response in Commandbox of "Fixinator Exiting Due to Error" with no other detail. As far as I can tell the above code should have run to output the detail but for some reason isn't.

As a side note, most of the erroring was due to https://dev.lucee.org/t/5-3-9-160-underload-causing-java-lang-nullpointerexception/11007 which is because of the Lucee version that CommandBox installs (after updating it to the latest snapshot I no longer received that error). This is likely because it was a large number of files, some of which were somewhat large.

My other errors were due to 408 errors for which I modified FixinatorClient.cfc : line 399 to run through the retry for them and then I no longer get the issue.
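The 408 retry the author patched in is worth spelling out as a policy. Below is an added example in Python, not FixinatorClient.cfc, of a retry wrapper for the scan upload that treats HTTP 408 and transient 5xx responses as retryable with exponential backoff and an attempt cap, while other 4xx such as 403 fail immediately because repeating them only consumes API quota. The transport is a plain callable so the policy can be exercised offline; the `x-api-key` header name follows the nginx setup in the enterprise-server issue on this page, and the request body format is an assumption.

```python
# Added example, not FixinatorClient.cfc: a retry policy for the scan upload
# that treats HTTP 408 (request timeout) and transient 5xx responses as
# retryable with exponential backoff and a hard attempt cap, while other 4xx
# such as 403 fail at once because repeating them only burns API quota. The
# transport is a callable returning (status, body) so the policy can be
# exercised offline; the x-api-key header name is taken from the nginx setup
# in the enterprise-server issue and the JSON body is an assumption.
import time
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

RETRYABLE = {408, 429, 502, 503, 504}
Transport = Callable[[], Tuple[int, str]]


class ScanError(Exception):
    def __init__(self, status: int, body: str):
        super().__init__(f"scan failed with HTTP {status}: {body[:200]}")
        self.status = status


def send_with_retry(transport: Transport, max_attempts: int = 4,
                    base_delay: float = 0.5,
                    sleep: Callable[[float], None] = time.sleep) -> Tuple[str, int]:
    """Return (body, attempts_used) on a 2xx; raise ScanError on a
    non-retryable status or once the attempt cap is reached."""
    last = (0, "")
    for attempt in range(1, max_attempts + 1):
        status, body = transport()
        if 200 <= status < 300:
            return body, attempt
        last = (status, body)
        if status not in RETRYABLE:
            break
        if attempt < max_attempts:
            sleep(base_delay * 2 ** (attempt - 1))   # 0.5s, 1s, 2s, ...
    raise ScanError(*last)


def http_transport(url: str, api_key: str, payload: bytes) -> Transport:
    """Real transport: POST the scan payload with the API key header."""
    def call() -> Tuple[int, str]:
        req = urllib.request.Request(
            url, data=payload, method="POST",
            headers={"x-api-key": api_key, "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=60) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, e.read().decode("utf-8", "replace")
    return call


def scripted_transport(statuses: List[int]) -> Transport:
    """Constructed stand-in for the HTTP call: yields each status in turn."""
    it = iter(statuses)

    def call() -> Tuple[int, str]:
        s = next(it)
        return s, f"body-{s}"
    return call


def outcome(statuses: List[int]) -> Tuple[bool, int, int]:
    """Run the policy offline: (succeeded, final_status, attempts_used)."""
    seen: List[int] = []
    base = scripted_transport(statuses)

    def counting() -> Tuple[int, str]:
        status, body = base()
        seen.append(status)
        return status, body
    try:
        send_with_retry(counting, sleep=lambda _: None)
        return True, seen[-1], len(seen)
    except ScanError as e:
        return False, e.status, len(seen)


if __name__ == "__main__":
    for script in ([408, 408, 200], [403, 200], [503] * 5):
        print(script, "->", outcome(script))
```

The attempt cap matters as much as the retry itself: a server that keeps timing out on a large upload should eventually surface as a failed scan rather than an endlessly retrying job, and a 403 must never be retried into the request limit.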

Fixinator client returns inaccurate error messaging when used with enterprise server

When using the Fixinator client with an enterprise server, the error messaging is inaccurate.

In the following example, I have...

  • nginx configured to return a 403 unless a valid x-api-key header is provided
  • the client configured to use myserver.com
  • provided an invalid API key

And I get the following error message:

Fixinator API Server: https://myserver.com/scan/

 ✓ | Scanning /mycode/

---- Fixinator Client Error ----
Fixinator API Key (xxx) is invalid, disabled or over the API request limit. Please contact Foundeo Inc. for assistance. Please provide your API key in correspondance. https://foundeo.com/contact/ 
403 Forbidden <html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.2</center>
</body>
</html>

Perhaps if the client is set to use an API server other than the Foundeo hosted one, it could return some more generic messaging, allowing the customization to appear in a customized 403 response.

Ignore on same line failure

In the README.md in the Ignoring issues in code section it states you can add ignores on the line or above but it only seems to work on above the line.

The comment must be on the same line as the issue, or on the line above the issue.

It does not ignore if it is on the same line.

Example

var password = "test2021!"; //ignore:plain-text-key

Response:

[MEDIUM] plain-text-key found on line 7 of JunkTest.cfc high confidence
/JunkTest.cfc:7
    7: var password = "**********"; //ignore:plain-text-key

File JunkTest.cfc

component {
	function run()
	{
		describe("Test",
			function()
			{
				var password = "test2021!"; //ignore:plain-text-key
			});
	}
}
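To make the README's rule concrete, here is an added example, not fixinator's own suppression logic, of a matcher that honours an `ignore:<rule-id>` comment on the same line as the finding or on the line directly above it. It assumes CFML comment forms (`//`, `/* */`, `<!--- --->`) and exact rule-id matching, and blanks string literals first so that an `ignore:` token inside a string value does not suppress anything. The sample file is the JunkTest.cfc above with two extra lines added for the line-above and string-literal cases.

```python
# Added example, not fixinator's own suppression logic: decide whether a
# finding is covered by an `ignore:<rule-id>` comment placed either on the
# same line as the finding or on the line directly above it, which is the
# behaviour the README describes. Assumed: CFML comment forms `//`, `/* */`
# and `<!--- --->`, and exact rule-id matching.
import re
from typing import List, Tuple

IGNORE_RE = re.compile(r"ignore:([A-Za-z0-9_-]+)")
STRING_RE = re.compile(r'"[^"]*"|\'[^\']*\'')
COMMENT_RE = re.compile(r"//.*$|/\*.*?\*/|<!---.*?--->")


def ignored_rules_in(line: str) -> List[str]:
    """Rule ids named in ignore comments on this line.

    String literals are blanked first so that `ignore:` inside a string
    value (exactly the kind of thing a secret scanner reads) does not
    count as a suppression.
    """
    code = STRING_RE.sub('""', line)
    rules: List[str] = []
    for m in COMMENT_RE.finditer(code):
        rules.extend(IGNORE_RE.findall(m.group(0)))
    return rules


def is_ignored(lines: List[str], line_no: int, rule_id: str) -> bool:
    """line_no is 1-based, as in the scanner report."""
    idx = line_no - 1
    if not 0 <= idx < len(lines):
        return False
    candidates = [lines[idx]]              # same line
    if idx > 0:
        candidates.append(lines[idx - 1])  # line above
    return any(rule_id in ignored_rules_in(c) for c in candidates)


def suppress(findings: List[Tuple[str, int]],
             lines: List[str]) -> List[Tuple[str, int]]:
    """Drop (rule_id, line_no) findings that an ignore comment covers."""
    return [f for f in findings if not is_ignored(lines, f[1], f[0])]


# Constructed sample: the JunkTest.cfc from the report above, plus a
# line-above suppression and a string literal that must not suppress.
SAMPLE_LINES = """component {
	function run()
	{
		describe("Test",
			function()
			{
				var password = "test2021!"; //ignore:plain-text-key
			});
		// ignore:plain-text-key
		var apiKey = "abc123";
		var label = "ignore:plain-text-key";
	}
}""".splitlines()

if __name__ == "__main__":
    findings = [("plain-text-key", 7), ("plain-text-key", 10),
                ("plain-text-key", 11), ("sql-injection", 4)]
    print(suppress(findings, SAMPLE_LINES))
```

With this matcher the line-7 finding from the report is suppressed by its same-line comment, line 10 by the comment above it, and line 11 is kept because its `ignore:` token lives inside a string literal rather than a comment.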
