New bugs 2 #8

PavelLinearB · 2023-06-06T12:35:40Z

orca-security-us

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0 0 0 0
Passed	Vulnerabilities	0 0 0 0
Passed	Secrets	0 0 0 0

jit-ci

❌ Jit has detected 3 important findings in this PR that you should review.
The findings are detailed below as separate comments.
It’s highly recommended that you fix these security issues before merge.

jit-ci · 2023-06-06T12:36:51Z

introduction/views.py

-                    val=""
+                    val=login.objects.raw(sql_query)
+                    val=login.objects.raw(sql_query)
+                    val=login.objects.raw(sql_query)


Security control: Static Code Analysis Python Semgrep

Type: Gitlab.Bandit.B611

Description: You should be very careful whenever you write raw SQL. Consider using Django ORM before raw SQL. See https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

#jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”

#jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”

#jit_undo_ignore Undo ignore command

jit-ci · 2023-06-06T12:36:51Z

introduction/views.py

@@ -156,7 +156,9 @@
                print(sql_query)
                try:
                    print("\nin try\n")
-                    val=""
+                    val=login.objects.raw(sql_query)
+                    val=login.objects.raw(sql_query)


Security control: Static Code Analysis Python Semgrep

Type: Gitlab.Bandit.B611

Description: You should be very careful whenever you write raw SQL. Consider using Django ORM before raw SQL. See https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

#jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”

#jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”

#jit_undo_ignore Undo ignore command

jit-ci · 2023-06-06T12:36:51Z

introduction/views.py

@@ -156,7 +156,9 @@
                print(sql_query)
                try:
                    print("\nin try\n")
-                    val=""
+                    val=login.objects.raw(sql_query)


Security control: Static Code Analysis Python Semgrep

Type: Gitlab.Bandit.B611

Description: You should be very careful whenever you write raw SQL. Consider using Django ORM before raw SQL. See https://docs.djangoproject.com/en/3.0/topics/db/sql/#passing-parameters-into-raw

Severity: HIGH

Learn more about this issue

Jit Bot commands and options (e.g., ignore issue)

You can trigger Jit actions by commenting on this PR review:

#jit_ignore_fp Ignore and mark this specific single instance of finding as “False Positive”

#jit_ignore_accept Ignore and mark this specific single instance of finding as “Accept Risk”

#jit_undo_ignore Undo ignore command

introduction/views.py

introduction/mitre.py

gitstream-cm · 2023-06-06T13:16:24Z

This PR failed due to High severity vulnerability finding, if you don't fix it please select:

I need help with that fix.
I want to accept the risk, please approve.
This is false positive, please approve.
This is a test / simulator environment, please exclude.

sonarcloud · 2023-06-06T13:18:22Z

SonarCloud Quality Gate failed.

6 Bugs
3 Vulnerabilities
1 Security Hotspot
3 Code Smells

No Coverage information
0.0% Duplication

orca-security-us

Orca Security Scan Summary

Status	Check	Issues by priority
Passed	Infrastructure as Code	0 0 0 0	View in Orca
Passed	Vulnerabilities	0 0 0 0	View in Orca
Passed	Secrets	0 0 0 0	View in Orca

sonarcloud · 2023-12-28T09:36:20Z

Quality Gate failed

Failed conditions

1 Security Hotspot
E Security Rating on New Code (required ≥ A)
C Reliability Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

introduction/mitre.py

@@ -210,6 +210,11 @@
 # @authentication_decorator
 @csrf_exempt
 def mitre_lab_25_api(request):
+    if request.method == "POST":
+        expression = request.POST.get('expression')
+        result = eval(expression)


gitstream-cm · 2023-12-28T09:38:52Z

This PR failed due to High severity vulnerability finding, if you don't fix it please select:

I need help with that fix.
I want to accept the risk, please approve.
This is false positive, please approve.
This is a test / simulator environment, please exclude.

PavelLinearB and others added 4 commits June 6, 2023 15:15

Update README.md

43fadcc

Update README.md

743fad6

Update README.md

005bb4f

Update README.md

d493700

orca-security-us bot reviewed Jun 6, 2023

View reviewed changes

gitstream-cm bot added the 1 min review label Jun 6, 2023

jit-ci bot reviewed Jun 6, 2023

View reviewed changes

gitstream-cm bot added the Blue label label Jun 6, 2023

github-advanced-security bot found potential problems Jun 6, 2023

View reviewed changes

introduction/views.py Fixed Show fixed Hide fixed

introduction/views.py Fixed Show fixed Hide fixed

introduction/mitre.py Fixed Show fixed Hide fixed

gitstream-cm bot requested a review from Dudu-linb June 6, 2023 12:37

gitstream-cm bot added 🛡️ x 3 Vulnerabilities 1 🌶️ x 1 Security Hotspots 1 💩 x 3 Code Smells 1 🐞 x 6 Bugs 1 labels Jun 6, 2023

Update README.md

d589747

gitstream-cm bot added the Fix pending label Jun 6, 2023