groupon / codeburner
Security-focused static code analysis for everyone
Home Page: http://groupon.github.io/codeburner
License: MIT License
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: SQL Injection
Severity: Medium
Details: Possible SQL injection
http://brakemanscanner.org/docs/warning_types/sql_injection/
Scanner: Brakeman
File: app/models/service.rb, Line: 65
Code:
where("#{attribute} LIKE ?", value)
There were many important updates to FSB
Line 7 in ae67ef0
Latest cli package:
https://github.com/find-sec-bugs/find-sec-bugs/releases/download/version-1.7.1/findsecbugs-cli-1.7.1.zip
Codeburner identified the following vulnerability in groupon/codeburner release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Unscoped Find
Severity: Low
Details: Unscoped call to Finding#find
http://brakemanscanner.org/docs/warning_types/unscoped_find/
Scanner: Brakeman
File: app/controllers/api/finding_controller.rb, Line: 225
Code:
Finding.find(params[:id])
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Cross-Site Request Forgery
Severity: Medium
Details: protect_from_forgery should be configured with 'with: :exception'
http://brakemanscanner.org/docs/warning_types/cross-site_request_forgery/
Scanner: Brakeman
File: app/controllers/application_controller.rb, Line: 27
Code:
protect_from_forgery(:with => :null_session)
I was attempting to deploy with the docker-build script and kept receiving an error about failing to retrieve specific dependencies. This is likely due to an old base layer docker image and updated dependencies.
Adding 'apt-get clean' to the beginning of the Dockerfile allowed me to successfully complete the Docker deployment.
A bit of a shameless plug, as I work on Snyk, but I believe it fits.
Snyk works off an open source vuln DB (https://github.com/Snyk/vulndb) and includes patches (typically reduced & back-ported versions of the original fix) that make remediation very actionable.
Codeburner identified the following vulnerability in groupon/codeburner release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Insecure GEM Source
Severity: High
Details: Insecure Source URI found: http://rubygems.org/ - use git or https
Scanner: BundleAudit
File: Gemfile.lock
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Unscoped Find
Severity: Low
Details: Unscoped call to Finding#find
http://brakemanscanner.org/docs/warning_types/unscoped_find/
Scanner: Brakeman
File: app/controllers/api/finding_controller.rb, Line: 225
Code:
Finding.find(params[:id])
Codeburner identified the following vulnerability in groupon/codeburner release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Unscoped Find
Severity: Low
Details: Unscoped call to Filter#find
http://brakemanscanner.org/docs/warning_types/unscoped_find/
Scanner: Brakeman
File: app/controllers/api/filter_controller.rb, Line: 239
Code:
Filter.find(params[:id])
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: SQL Injection
Severity: Medium
Details: Possible SQL injection
http://brakemanscanner.org/docs/warning_types/sql_injection/
Scanner: Brakeman
File: app/models/burn.rb, Line: 53
Code:
where("#{attribute} LIKE '%'")
Codeburner identified the following vulnerability in groupon/codeburner release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: Unscoped Find
Severity: Low
Details: Unscoped call to Filter#find
http://brakemanscanner.org/docs/warning_types/unscoped_find/
Scanner: Brakeman
File: app/controllers/api/filter_controller.rb, Line: 128
Code:
Filter.find(params[:id])
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: SQL Injection
Severity: Medium
Details: Possible SQL injection
http://brakemanscanner.org/docs/warning_types/sql_injection/
Scanner: Brakeman
File: app/models/service.rb, Line: 59
Code:
where("#{attribute} LIKE '%'")
Codeburner identified the following vulnerability in codeburner-public release a5dee0f228f0fce09d1ebbd31d3fa0e4ae23ee26:
Description: SQL Injection
Severity: Medium
Details: Possible SQL injection
http://brakemanscanner.org/docs/warning_types/sql_injection/
Scanner: Brakeman
File: app/models/finding.rb, Line: 81
Code:
where("#{attribute} LIKE '%'")