diff --git a/tmp/gosec-report.json b/tmp/gosec-report.json new file mode 100644 index 0000000000..4de2b8f832 --- /dev/null +++ b/tmp/gosec-report.json @@ -0,0 +1,812 @@ +{ + "Golang errors": {}, + "Issues": [ + { + "severity": "HIGH", + "confidence": "MEDIUM", + "cwe": { + "id": "190", + "url": "https://cwe.mitre.org/data/definitions/190.html" + }, + "rule_id": "G115", + "details": "integer overflow conversion int -\u003e uint16", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "480: \t\t\tMinVersion: uint16(tlsMinVersion),\n481: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n482: \t\t\tCipherSuites: allowedTLSCiphers,\n", + "line": "481", + "column": "36", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "MEDIUM", + "cwe": { + "id": "190", + "url": "https://cwe.mitre.org/data/definitions/190.html" + }, + "rule_id": "G115", + "details": "integer overflow conversion int -\u003e uint16", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "479: \t\tbaseTLSConfig := \u0026tls.Config{\n480: \t\t\tMinVersion: uint16(tlsMinVersion),\n481: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n", + "line": "480", + "column": "36", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "MEDIUM", + "cwe": { + "id": "190", + "url": "https://cwe.mitre.org/data/definitions/190.html" + }, + "rule_id": "G115", + "details": "integer overflow conversion int -\u003e uint16", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "178: \t\t\tMinVersion: uint16(tlsMinVersion),\n179: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n180: \t\t\tCipherSuites: allowedTLSCiphers,\n", + "line": "179", + "column": "36", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "MEDIUM", + "cwe": { + "id": "190", + "url": "https://cwe.mitre.org/data/definitions/190.html" + }, + "rule_id": "G115", + "details": "integer overflow conversion int -\u003e uint16", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "177: \t\tbaseTLSConfig := \u0026tls.Config{\n178: \t\t\tMinVersion: uint16(tlsMinVersion),\n179: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n", + "line": "178", + "column": "36", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "MEDIUM", + "cwe": { + "id": "338", + "url": "https://cwe.mitre.org/data/definitions/338.html" + }, + "rule_id": "G404", + "details": "Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand)", + "file": "/home/runner/work/dex/dex/storage/kubernetes/storage.go", + "code": "747: \t\tstep := policy[attempts]\n748: \t\treturn time.Duration(step*5+rand.Intn(step)) * time.Microsecond\n749: \t}\n", + "line": "748", + "column": "31", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/storage/sql/config.go", + "code": "317: func (s *MySQL) makeTLSConfig() error {\n318: \tcfg := \u0026tls.Config{}\n319: \tif s.SSL.CAFile != \"\" {\n", + "line": "318", + "column": "10", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/storage/ent/mysql.go", + "code": "129: func (m *MySQL) makeTLSConfig() error {\n130: \tcfg := \u0026tls.Config{}\n131: \n", + "line": "130", + "column": "10", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/examples/grpc-client/client.go", + "code": "32: \n33: \tclientTLSConfig := \u0026tls.Config{\n34: \t\tRootCAs: cPool,\n35: \t\tCertificates: []tls.Certificate{clientCert},\n36: \t}\n37: \tcreds := credentials.NewTLS(clientTLSConfig)\n", + "line": "33-36", + "column": "22", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/examples/example-app/main.go", + "code": "43: func httpClientForRootCAs(rootCAs string) (*http.Client, error) {\n44: \ttlsConfig := tls.Config{RootCAs: x509.NewCertPool()}\n45: \trootCABytes, err := os.ReadFile(rootCAs)\n", + "line": "44", + "column": "15", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "478: \n479: \t\tbaseTLSConfig := \u0026tls.Config{\n480: \t\t\tMinVersion: uint16(tlsMinVersion),\n481: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n482: \t\t\tCipherSuites: allowedTLSCiphers,\n483: \t\t\tPreferServerCipherSuites: true,\n484: \t\t}\n485: \n", + "line": "479-484", + "column": "21", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS MinVersion too low.", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "176: \t\t}\n177: \t\tbaseTLSConfig := \u0026tls.Config{\n178: \t\t\tMinVersion: uint16(tlsMinVersion),\n179: \t\t\tMaxVersion: uint16(tlsMaxVersion),\n180: \t\t\tCipherSuites: allowedTLSCiphers,\n181: \t\t\tPreferServerCipherSuites: true,\n182: \t\t}\n183: \n", + "line": "177-182", + "column": "21", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "HIGH", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS InsecureSkipVerify set true.", + "file": "/home/runner/work/dex/dex/pkg/httpclient/httpclient.go", + "code": "39: \n40: \ttlsConfig := tls.Config{RootCAs: pool, InsecureSkipVerify: insecureSkipVerify}\n41: \tfor index, rootCABytes := range extractCAs(rootCAs) {\n", + "line": "40", + "column": "61", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS InsecureSkipVerify may be true.", + "file": "/home/runner/work/dex/dex/connector/ldap/ldap.go", + "code": "264: \n265: \ttlsConfig := \u0026tls.Config{ServerName: host, InsecureSkipVerify: c.InsecureSkipVerify}\n266: \tif c.RootCA != \"\" || len(c.RootCAData) != 0 {\n", + "line": "265", + "column": "65", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "295", + "url": "https://cwe.mitre.org/data/definitions/295.html" + }, + "rule_id": "G402", + "details": "TLS InsecureSkipVerify may be true.", + "file": "/home/runner/work/dex/dex/connector/keystone/keystone.go", + "code": "40: \t\tTLSClientConfig: \u0026tls.Config{\n41: \t\t\tInsecureSkipVerify: c.InsecureSkipVerify,\n42: \t\t},\n", + "line": "41", + "column": "24", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "144: \ttokenTypeSAML2 = \"urn:ietf:params:oauth:token-type:saml2\"\n145: \ttokenTypeJWT = \"urn:ietf:params:oauth:token-type:jwt\"\n146: )\n", + "line": "145", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "143: \ttokenTypeSAML1 = \"urn:ietf:params:oauth:token-type:saml1\"\n144: \ttokenTypeSAML2 = \"urn:ietf:params:oauth:token-type:saml2\"\n145: \ttokenTypeJWT = \"urn:ietf:params:oauth:token-type:jwt\"\n", + "line": "144", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "142: \ttokenTypeID = \"urn:ietf:params:oauth:token-type:id_token\"\n143: \ttokenTypeSAML1 = \"urn:ietf:params:oauth:token-type:saml1\"\n144: \ttokenTypeSAML2 = \"urn:ietf:params:oauth:token-type:saml2\"\n", + "line": "143", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "141: \ttokenTypeRefresh = \"urn:ietf:params:oauth:token-type:refresh_token\"\n142: \ttokenTypeID = \"urn:ietf:params:oauth:token-type:id_token\"\n143: \ttokenTypeSAML1 = \"urn:ietf:params:oauth:token-type:saml1\"\n", + "line": "142", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "140: \ttokenTypeAccess = \"urn:ietf:params:oauth:token-type:access_token\"\n141: \ttokenTypeRefresh = \"urn:ietf:params:oauth:token-type:refresh_token\"\n142: \ttokenTypeID = \"urn:ietf:params:oauth:token-type:id_token\"\n", + "line": "141", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "139: \t// https://www.rfc-editor.org/rfc/rfc8693.html#section-3\n140: \ttokenTypeAccess = \"urn:ietf:params:oauth:token-type:access_token\"\n141: \ttokenTypeRefresh = \"urn:ietf:params:oauth:token-type:refresh_token\"\n", + "line": "140", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/server/oauth2.go", + "code": "134: \tgrantTypeDeviceCode = \"urn:ietf:params:oauth:grant-type:device_code\"\n135: \tgrantTypeTokenExchange = \"urn:ietf:params:oauth:grant-type:token-exchange\"\n136: )\n", + "line": "135", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/connector/saml/saml.go", + "code": "44: \t// subject confirmation methods\n45: \tsubjectConfirmationMethodBearer = \"urn:oasis:names:tc:SAML:2.0:cm:bearer\"\n46: \n", + "line": "45", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/connector/linkedin/linkedin.go", + "code": "20: \tauthURL = \"https://www.linkedin.com/oauth/v2/authorization\"\n21: \ttokenURL = \"https://www.linkedin.com/oauth/v2/accessToken\"\n22: )\n", + "line": "21", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/v2/api_grpc.pb.go", + "code": "37: \tDex_RevokeRefresh_FullMethodName = \"/api.Dex/RevokeRefresh\"\n38: \tDex_VerifyPassword_FullMethodName = \"/api.Dex/VerifyPassword\"\n39: )\n", + "line": "38", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/v2/api_grpc.pb.go", + "code": "28: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n29: \tDex_ListPasswords_FullMethodName = \"/api.Dex/ListPasswords\"\n30: \tDex_CreateConnector_FullMethodName = \"/api.Dex/CreateConnector\"\n", + "line": "29", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/v2/api_grpc.pb.go", + "code": "27: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n28: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n29: \tDex_ListPasswords_FullMethodName = \"/api.Dex/ListPasswords\"\n", + "line": "28", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/v2/api_grpc.pb.go", + "code": "26: \tDex_CreatePassword_FullMethodName = \"/api.Dex/CreatePassword\"\n27: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n28: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n", + "line": "27", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/v2/api_grpc.pb.go", + "code": "25: \tDex_DeleteClient_FullMethodName = \"/api.Dex/DeleteClient\"\n26: \tDex_CreatePassword_FullMethodName = \"/api.Dex/CreatePassword\"\n27: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n", + "line": "26", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/api_grpc.pb.go", + "code": "31: \tDex_RevokeRefresh_FullMethodName = \"/api.Dex/RevokeRefresh\"\n32: \tDex_VerifyPassword_FullMethodName = \"/api.Dex/VerifyPassword\"\n33: )\n", + "line": "32", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/api_grpc.pb.go", + "code": "27: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n28: \tDex_ListPasswords_FullMethodName = \"/api.Dex/ListPasswords\"\n29: \tDex_GetVersion_FullMethodName = \"/api.Dex/GetVersion\"\n", + "line": "28", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/api_grpc.pb.go", + "code": "26: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n27: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n28: \tDex_ListPasswords_FullMethodName = \"/api.Dex/ListPasswords\"\n", + "line": "27", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/api_grpc.pb.go", + "code": "25: \tDex_CreatePassword_FullMethodName = \"/api.Dex/CreatePassword\"\n26: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n27: \tDex_DeletePassword_FullMethodName = \"/api.Dex/DeletePassword\"\n", + "line": "26", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "HIGH", + "confidence": "LOW", + "cwe": { + "id": "798", + "url": "https://cwe.mitre.org/data/definitions/798.html" + }, + "rule_id": "G101", + "details": "Potential hardcoded credentials", + "file": "/home/runner/work/dex/dex/api/api_grpc.pb.go", + "code": "24: \tDex_DeleteClient_FullMethodName = \"/api.Dex/DeleteClient\"\n25: \tDex_CreatePassword_FullMethodName = \"/api.Dex/CreatePassword\"\n26: \tDex_UpdatePassword_FullMethodName = \"/api.Dex/UpdatePassword\"\n", + "line": "25", + "column": "2", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "676", + "url": "https://cwe.mitre.org/data/definitions/676.html" + }, + "rule_id": "G114", + "details": "Use of net/http serve function that has no support for setting timeouts", + "file": "/home/runner/work/dex/dex/examples/example-app/main.go", + "code": "187: \t\t\t\tlog.Printf(\"listening on %s\", listen)\n188: \t\t\t\treturn http.ListenAndServeTLS(listenURL.Host, tlsCert, tlsKey, nil)\n189: \t\t\tdefault:\n", + "line": "188", + "column": "12", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "676", + "url": "https://cwe.mitre.org/data/definitions/676.html" + }, + "rule_id": "G114", + "details": "Use of net/http serve function that has no support for setting timeouts", + "file": "/home/runner/work/dex/dex/examples/example-app/main.go", + "code": "184: \t\t\t\tlog.Printf(\"listening on %s\", listen)\n185: \t\t\t\treturn http.ListenAndServe(listenURL.Host, nil)\n186: \t\t\tcase \"https\":\n", + "line": "185", + "column": "12", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "LOW", + "cwe": { + "id": "79", + "url": "https://cwe.mitre.org/data/definitions/79.html" + }, + "rule_id": "G203", + "details": "The used method does not auto-escape HTML. This can potentially lead to 'Cross-site Scripting' vulnerabilities, in case the attacker controls the input.", + "file": "/home/runner/work/dex/dex/server/handlers.go", + "code": "188: \t\t\tType: conn.Type,\n189: \t\t\tURL: template.URL(connURL.String()),\n190: \t\t}\n", + "line": "189", + "column": "10", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "78", + "url": "https://cwe.mitre.org/data/definitions/78.html" + }, + "rule_id": "G204", + "details": "Subprocess launched with variable", + "file": "/home/runner/work/dex/dex/cmd/docker-entrypoint/main.go", + "code": "36: \n37: \tif err := syscall.Exec(argv0, args, os.Environ()); err != nil {\n38: \t\treturn fmt.Errorf(\"cannot exec command %s (%q): %w\", args, argv0, err)\n", + "line": "37", + "column": "12", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "78", + "url": "https://cwe.mitre.org/data/definitions/78.html" + }, + "rule_id": "G204", + "details": "Subprocess launched with a potential tainted input or cmd arguments", + "file": "/home/runner/work/dex/dex/cmd/docker-entrypoint/main.go", + "code": "57: \n58: \tcmd := exec.Command(\"gomplate\", \"-f\", path, \"-o\", tmpFile.Name())\n59: \t// TODO(nabokihms): Workaround to run gomplate from a non-root directory in distroless images\n", + "line": "58", + "column": "9", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/storage/kubernetes/client.go", + "code": "482: func namespaceFromFile(path string) (string, error) {\n483: \tdata, err := os.ReadFile(path)\n484: \tif err != nil {\n", + "line": "483", + "column": "15", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/storage/kubernetes/client.go", + "code": "436: func loadKubeConfig(kubeConfigPath string) (cluster k8sapi.Cluster, user k8sapi.AuthInfo, namespace string, err error) {\n437: \tdata, err := os.ReadFile(kubeConfigPath)\n438: \tif err != nil {\n", + "line": "437", + "column": "15", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/storage/kubernetes/client.go", + "code": "369: \t\t}\n370: \t\treturn os.ReadFile(file)\n371: \t}\n", + "line": "370", + "column": "10", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/pkg/httpclient/httpclient.go", + "code": "20: \n21: \t\tpemData, err := os.ReadFile(ca)\n22: \t\tif err != nil {\n", + "line": "21", + "column": "19", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/examples/grpc-client/client.go", + "code": "19: \tcPool := x509.NewCertPool()\n20: \tcaCert, err := os.ReadFile(caPath)\n21: \tif err != nil {\n", + "line": "20", + "column": "17", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/examples/example-app/main.go", + "code": "44: \ttlsConfig := tls.Config{RootCAs: x509.NewCertPool()}\n45: \trootCABytes, err := os.ReadFile(rootCAs)\n46: \tif err != nil {\n", + "line": "45", + "column": "22", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/connector/google/google.go", + "code": "369: func getCredentialsFromFilePath(serviceAccountFilePath string) ([]byte, error) {\n370: \tjsonCredentials, err := os.ReadFile(serviceAccountFilePath)\n371: \tif err != nil {\n", + "line": "370", + "column": "26", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "682: \t\tcPool := x509.NewCertPool()\n683: \t\tclientCert, err := os.ReadFile(caFile)\n684: \t\tif err != nil {\n", + "line": "683", + "column": "22", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "HIGH", + "cwe": { + "id": "22", + "url": "https://cwe.mitre.org/data/definitions/22.html" + }, + "rule_id": "G304", + "details": "Potential file inclusion via variable", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "92: \tconfigFile := options.config\n93: \tconfigData, err := os.ReadFile(configFile)\n94: \tif err != nil {\n", + "line": "93", + "column": "21", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "LOW", + "cwe": { + "id": "400", + "url": "https://cwe.mitre.org/data/definitions/400.html" + }, + "rule_id": "G112", + "details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "490: \n491: \t\tserver := \u0026http.Server{\n492: \t\t\tHandler: serv,\n493: \t\t\tTLSConfig: tlsConfig,\n494: \t\t}\n495: \t\tdefer server.Close()\n", + "line": "491-494", + "column": "14", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "LOW", + "cwe": { + "id": "400", + "url": "https://cwe.mitre.org/data/definitions/400.html" + }, + "rule_id": "G112", + "details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "440: \n441: \t\tserver := \u0026http.Server{\n442: \t\t\tHandler: serv,\n443: \t\t}\n444: \t\tdefer server.Close()\n", + "line": "441-443", + "column": "14", + "nosec": false, + "suppressions": null + }, + { + "severity": "MEDIUM", + "confidence": "LOW", + "cwe": { + "id": "400", + "url": "https://cwe.mitre.org/data/definitions/400.html" + }, + "rule_id": "G112", + "details": "Potential Slowloris Attack because ReadHeaderTimeout is not configured in the http.Server", + "file": "/home/runner/work/dex/dex/cmd/dex/serve.go", + "code": "411: \n412: \t\tserver := \u0026http.Server{\n413: \t\t\tHandler: telemetryRouter,\n414: \t\t}\n415: \t\tdefer server.Close()\n", + "line": "412-414", + "column": "14", + "nosec": false, + "suppressions": null + } + ], + "Stats": { + "files": 190, + "lines": 66814, + "nosec": 0, + "found": 50 + }, + "GosecVersion": "dev" +} \ No newline at end of file diff --git a/tmp/pr-body.md b/tmp/pr-body.md new file mode 100644 index 0000000000..266ebab65f --- /dev/null +++ b/tmp/pr-body.md @@ -0,0 +1,232 @@ +# 🚨 Gosec Vulnerability Report for branch `private/harsh/soc2-scan` +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 481 + • Rule ID: G115 + • Details: integer overflow conversion int -> uint16 + • Confidence: MEDIUM + • Severity: HIGH + +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 480 + • Rule ID: G115 + • Details: integer overflow conversion int -> uint16 + • Confidence: MEDIUM + • Severity: HIGH + +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 179 + • Rule ID: G115 + • Details: integer overflow conversion int -> uint16 + • Confidence: MEDIUM + • Severity: HIGH + +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 178 + • Rule ID: G115 + • Details: integer overflow conversion int -> uint16 + • Confidence: MEDIUM + • Severity: HIGH + +* File: /home/runner/work/dex/dex/storage/kubernetes/storage.go + • Line: 748 + • Rule ID: G404 + • Details: Use of weak random number generator (math/rand or math/rand/v2 instead of crypto/rand) + • Confidence: MEDIUM + • Severity: HIGH + +* File: /home/runner/work/dex/dex/storage/sql/config.go + • Line: 318 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/storage/ent/mysql.go + • Line: 130 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/examples/grpc-client/client.go + • Line: 33-36 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/examples/example-app/main.go + • Line: 44 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 479-484 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/cmd/dex/serve.go + • Line: 177-182 + • Rule ID: G402 + • Details: TLS MinVersion too low. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/pkg/httpclient/httpclient.go + • Line: 40 + • Rule ID: G402 + • Details: TLS InsecureSkipVerify set true. + • Confidence: HIGH + • Severity: HIGH + +* File: /home/runner/work/dex/dex/connector/ldap/ldap.go + • Line: 265 + • Rule ID: G402 + • Details: TLS InsecureSkipVerify may be true. + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/connector/keystone/keystone.go + • Line: 41 + • Rule ID: G402 + • Details: TLS InsecureSkipVerify may be true. + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 145 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 144 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 143 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 142 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 141 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 140 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/server/oauth2.go + • Line: 135 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/connector/saml/saml.go + • Line: 45 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/connector/linkedin/linkedin.go + • Line: 21 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/v2/api_grpc.pb.go + • Line: 38 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/v2/api_grpc.pb.go + • Line: 29 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/v2/api_grpc.pb.go + • Line: 28 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/v2/api_grpc.pb.go + • Line: 27 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/v2/api_grpc.pb.go + • Line: 26 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/api_grpc.pb.go + • Line: 32 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/api_grpc.pb.go + • Line: 28 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/api_grpc.pb.go + • Line: 27 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/api_grpc.pb.go + • Line: 26 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH + +* File: /home/runner/work/dex/dex/api/api_grpc.pb.go + • Line: 25 + • Rule ID: G101 + • Details: Potential hardcoded credentials + • Confidence: LOW + • Severity: HIGH +