New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to blobfuse 2.3.0 release #247

Merged

jfantinhardesty merged 31 commits into main from blobfuse-2.3.0

Jul 2, 2024

Merged

Update to blobfuse 2.3.0 release #247

Final cleanup of config and small helper function

Mend for GitHub.com / Mend Code Security Check succeeded Jul 2, 2024 in 1m 17s

Code Security Report

New findings (7)

The Code Security Check detected a total of 7 new findings.

Severity

Vulnerability Type

CWE

File

Data Flows

Date

Medium

Heap Inspection

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/config.go

Line 153 in cc74eb9

    
           ClientSecret            string `config:"clientsecret" yaml:"clientsecret,omitempty"`

Secure Code Warrior Training Material

Medium

Heap Inspection

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/azauth.go

Line 56 in cc74eb9

ClientSecret string

Secure Code Warrior Training Material

Low

Weak Hash Strength

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/utils.go

Line 557 in cc74eb9

hasher := md5.New()

Secure Code Warrior Training Material

● Training

▪ Secure Code Warrior Weak Hash Strength Training

● Videos

▪ Secure Code Warrior Weak Hash Strength Video

● Further Reading

▪ OWASP Cryptographic Storage Cheat Sheet

▪ OWASP Transport Layer Protection Cheat Sheet

▪ OWASP Password Storage Cheat Sheet

▪ OWASP Using a broken or risky cryptographic algorithm article

Low

Weak Hash Strength

block_blob.go:719

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/block_blob.go

Line 719 in cc74eb9

return errors.New("md5 sum mismatch on download")

Secure Code Warrior Training Material

● Training

▪ Secure Code Warrior Weak Hash Strength Training

● Videos

▪ Secure Code Warrior Weak Hash Strength Video

● Further Reading

▪ OWASP Cryptographic Storage Cheat Sheet

▪ OWASP Transport Layer Protection Cheat Sheet

▪ OWASP Password Storage Cheat Sheet

▪ OWASP Using a broken or risky cryptographic algorithm article

Low

Weak Hash Strength

block_blob.go:703

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/block_blob.go

Line 703 in cc74eb9

log.Warn("BlockBlob::ReadToFile : Failed to generate MD5 Sum for %s", name)

Secure Code Warrior Training Material

● Training

▪ Secure Code Warrior Weak Hash Strength Training

● Videos

▪ Secure Code Warrior Weak Hash Strength Video

● Further Reading

▪ OWASP Cryptographic Storage Cheat Sheet

▪ OWASP Transport Layer Protection Cheat Sheet

▪ OWASP Password Storage Cheat Sheet

▪ OWASP Using a broken or risky cryptographic algorithm article

Low

Weak Hash Strength

block_blob.go:718

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/block_blob.go

Line 718 in cc74eb9

log.Err("BlockBlob::ReadToFile : MD5 Sum mismatch %s", name)

Secure Code Warrior Training Material

● Training

▪ Secure Code Warrior Weak Hash Strength Training

● Videos

▪ Secure Code Warrior Weak Hash Strength Video

● Further Reading

▪ OWASP Cryptographic Storage Cheat Sheet

▪ OWASP Transport Layer Protection Cheat Sheet

▪ OWASP Password Storage Cheat Sheet

▪ OWASP Using a broken or risky cryptographic algorithm article

Low

Weak Hash Strength

block_blob.go:714

1

2024-06-11 04:43pm

Vulnerable Code

cloudfuse/component/azstorage/block_blob.go

Line 714 in cc74eb9

log.Warn("BlockBlob::ReadToFile : Failed to get MD5 Sum for blob %s", name)

Secure Code Warrior Training Material

● Training

▪ Secure Code Warrior Weak Hash Strength Training

● Videos

▪ Secure Code Warrior Weak Hash Strength Video

● Further Reading

▪ OWASP Cryptographic Storage Cheat Sheet

▪ OWASP Transport Layer Protection Cheat Sheet

▪ OWASP Password Storage Cheat Sheet

▪ OWASP Using a broken or risky cryptographic algorithm article

Resolved findings (2)

With your last commit you resolved 2 findings.

Severity	Vulnerability Type	CWE	File	Data Flows	Date
Medium	Heap Inspection	CWE-244	config.go:148	1	2024-04-02 02:23pm
Medium	Heap Inspection	CWE-244	azauth.go:54	1	2024-04-02 02:23pm

Overall findings

The Code Security Check detected a total of 29 findings, 15 of them high severity. More details about the overall state can be found in the Mend Application.

Scan token: 44706ab997144180a7bd1f5dd867626e

View more details on Mend for GitHub.com