@fabasoad/sarif-to-slack 0.1.1 → 0.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.github/ISSUE_TEMPLATE/bug_report.md +1 -1
- package/.github/pull_request_template.md +3 -3
- package/.github/workflows/linting.yml +14 -0
- package/.github/workflows/release.yml +5 -1
- package/.github/workflows/send-sarif-to-slack.yml +214 -0
- package/.github/workflows/unit-tests.yml +1 -0
- package/.pre-commit-config.yaml +3 -3
- package/.tool-versions +1 -1
- package/CONTRIBUTING.md +1 -1
- package/Makefile +10 -3
- package/README.md +36 -5
- package/biome.json +15 -12
- package/dist/Logger.js +17 -6
- package/dist/Processors.js +23 -22
- package/dist/SarifToSlackService.d.ts.map +1 -1
- package/dist/SarifToSlackService.js +6 -7
- package/dist/SlackMessageBuilder.js +51 -55
- package/dist/index.d.ts +9 -4
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +10 -5
- package/dist/model/SarifModelPerRun.d.ts +17 -0
- package/dist/model/SarifModelPerRun.d.ts.map +1 -0
- package/dist/model/SarifModelPerRun.js +84 -0
- package/dist/model/SarifModelPerSarif.d.ts +20 -0
- package/dist/model/SarifModelPerSarif.d.ts.map +1 -0
- package/dist/model/SarifModelPerSarif.js +97 -0
- package/dist/model/types.d.ts +17 -0
- package/dist/model/types.d.ts.map +1 -0
- package/dist/model/types.js +31 -0
- package/dist/sarif-to-slack.d.ts +121 -18
- package/dist/tsdoc-metadata.json +1 -1
- package/dist/types.d.ts +107 -15
- package/dist/types.d.ts.map +1 -1
- package/dist/types.js +73 -7
- package/dist/utils/SarifUtils.d.ts +5 -0
- package/dist/utils/SarifUtils.d.ts.map +1 -0
- package/dist/utils/SarifUtils.js +32 -0
- package/dist/utils/SortUtils.d.ts +5 -0
- package/dist/utils/SortUtils.d.ts.map +1 -0
- package/dist/utils/SortUtils.js +8 -0
- package/dist/version.d.ts +2 -0
- package/dist/version.d.ts.map +1 -0
- package/dist/version.js +4 -0
- package/etc/sarif-to-slack.api.md +47 -9
- package/jest.config.json +4 -4
- package/package.json +14 -10
- package/scripts/save-version.sh +6 -0
- package/src/Logger.ts +22 -17
- package/src/Processors.ts +22 -22
- package/src/SarifToSlackService.ts +6 -7
- package/src/SlackMessageBuilder.ts +85 -68
- package/src/index.ts +17 -6
- package/src/model/SarifModelPerRun.ts +114 -0
- package/src/model/SarifModelPerSarif.ts +116 -0
- package/src/model/types.ts +31 -0
- package/src/types.ts +113 -15
- package/src/utils/SarifUtils.ts +44 -0
- package/src/utils/SortUtils.ts +21 -0
- package/src/version.ts +3 -0
- package/test-data/sarif/codeql-csharp.sarif +1 -0
- package/test-data/sarif/codeql-go.sarif +1 -0
- package/test-data/sarif/codeql-python.sarif +1 -0
- package/test-data/sarif/codeql-ruby.sarif +1 -0
- package/test-data/sarif/codeql-typescript.sarif +1 -0
- package/test-data/sarif/grype-container.sarif +1774 -0
- package/test-data/sarif/runs-1-tools-1-results-0.sarif +18 -0
- package/test-data/sarif/runs-2-tools-1-results-0.sarif +30 -0
- package/test-data/sarif/runs-2-tools-1.sarif +656 -0
- package/test-data/sarif/runs-2-tools-2-results-0.sarif +44 -0
- package/test-data/sarif/runs-2-tools-2.sarif +686 -0
- package/test-data/sarif/runs-3-tools-2-results-0.sarif +48 -0
- package/test-data/sarif/runs-3-tools-2.sarif +278 -0
- package/test-data/sarif/snyk-composer.sarif +934 -0
- package/test-data/sarif/snyk-container.sarif +313 -0
- package/test-data/sarif/snyk-gomodules.sarif +388 -0
- package/test-data/sarif/snyk-gradle.sarif +274 -0
- package/test-data/sarif/snyk-hex.sarif +66 -0
- package/test-data/sarif/snyk-maven.sarif +274 -0
- package/test-data/sarif/snyk-npm.sarif +896 -0
- package/test-data/sarif/snyk-nuget.sarif +90 -0
- package/test-data/sarif/snyk-pip.sarif +66 -0
- package/test-data/sarif/snyk-pnpm.sarif +90 -0
- package/test-data/sarif/snyk-poetry.sarif +1952 -0
- package/test-data/sarif/snyk-rubygems.sarif +440 -0
- package/test-data/sarif/snyk-sbt.sarif +178 -0
- package/test-data/sarif/snyk-swift.sarif +112 -0
- package/test-data/sarif/snyk-yarn.sarif +2900 -0
- package/test-data/sarif/trivy-iac.sarif +134 -0
- package/test-data/sarif/wiz-container.sarif +30916 -0
- package/test-data/sarif/wiz-iac.sarif +558 -0
- package/tests/Processors.spec.ts +3 -3
- package/tests/integration/SendSarifToSlack.spec.ts +56 -0
- package/tsconfig.json +14 -14
- package/dist/Logger.js.map +0 -1
- package/dist/Processors.js.map +0 -1
- package/dist/SarifToSlackService.js.map +0 -1
- package/dist/SlackMessageBuilder.js.map +0 -1
- package/dist/index.js.map +0 -1
- package/dist/types.js.map +0 -1
@@ -0,0 +1 @@
1
+
{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"cs/compilation-message","name":"cs/compilation-message","shortDescription":{"text":"Compilation message"},"fullDescription":{"text":"A message emitted by the compiler, including warnings and errors."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"A message emitted by the compiler, including warnings and errors.","id":"cs/compilation-message","kind":"diagnostic","name":"Compilation message"}},{"id":"cs/diagnostics/extraction-errors","name":"cs/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all errors reported by the extractor or the compiler. Extractor errors are limited to those files where there are no compilation errors."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all errors reported by the extractor or the compiler. 
Extractor errors are\n limited to those files where there are no compilation errors.","id":"cs/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"cs/compilation-error","name":"cs/compilation-error","shortDescription":{"text":"Compilation error"},"fullDescription":{"text":"A compilation error can cause extraction problems, and could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"A compilation error can cause extraction problems, and could lead to inaccurate results.","id":"cs/compilation-error","kind":"diagnostic","name":"Compilation error"}},{"id":"cs/diagnostics/successfully-extracted-files","name":"cs/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"A list of all files in the source code directory that were extracted without encountering an extraction or compiler error in the file."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"A list of all files in the source code directory that were extracted\n without encountering an extraction or compiler error in the file.","id":"cs/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"cs/extraction-message","name":"cs/extraction-message","shortDescription":{"text":"Extraction message"},"fullDescription":{"text":"An error message reported by the extractor. This could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"An error message reported by the extractor. 
This could lead to inaccurate results.","id":"cs/extraction-message","kind":"diagnostic","name":"Extraction message"}},{"id":"cs/extraction-error","name":"cs/extraction-error","shortDescription":{"text":"Extraction error"},"fullDescription":{"text":"An error message reported by the extractor, limited to those files where there are no compilation errors. This indicates a bug or limitation in the extractor, and could lead to inaccurate results."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["internal","non-attributable"],"description":"An error message reported by the extractor, limited to those files where there are no\n compilation errors. This indicates a bug or limitation in the extractor, and could lead\n to inaccurate results.","id":"cs/extraction-error","kind":"diagnostic","name":"Extraction error"}},{"id":"csharp/diagnostic/database-quality","name":"csharp/diagnostic/database-quality","shortDescription":{"text":"Low C# analysis quality"},"fullDescription":{"text":"Low C# analysis quality"},"defaultConfiguration":{"enabled":true},"properties":{"description":"Low C# analysis quality","id":"csharp/diagnostic/database-quality","kind":"diagnostic","name":"Low C# analysis quality"}},{"id":"cs/baseline/expected-extracted-files","name":"cs/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"cs/sensitive-data-transmission","name":"cs/sensitive-data-transmission","shortDescription":{"text":"Information exposure through transmitted data"},"fullDescription":{"text":"Transmitting sensitive 
information to the user is a potential security risk."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-201"],"description":"Transmitting sensitive information to the user is a potential security risk.","id":"cs/sensitive-data-transmission","kind":"path-problem","name":"Information exposure through transmitted data","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"cs/code-injection","name":"cs/code-injection","shortDescription":{"text":"Improper control of generation of code"},"fullDescription":{"text":"Treating externally controlled strings as code can allow an attacker to execute malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-096"],"description":"Treating externally controlled strings as code can allow an attacker to execute\n malicious code.","id":"cs/code-injection","kind":"path-problem","name":"Improper control of generation of code","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"cs/information-exposure-through-exception","name":"cs/information-exposure-through-exception","shortDescription":{"text":"Information exposure through an exception"},"fullDescription":{"text":"Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Leaking information about an exception, such as messages and stack traces, to an\n external user can expose implementation details that are useful to an attacker for\n developing a subsequent exploit.","id":"cs/information-exposure-through-exception","kind":"path-problem","name":"Information exposure through 
an exception","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"cs/user-controlled-bypass","name":"cs/user-controlled-bypass","shortDescription":{"text":"User-controlled bypass of sensitive method"},"fullDescription":{"text":"User-controlled bypassing of sensitive methods may allow attackers to avoid passing through authentication systems."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-807","external/cwe/cwe-247","external/cwe/cwe-350"],"description":"User-controlled bypassing of sensitive methods may allow attackers to avoid\n passing through authentication systems.","id":"cs/user-controlled-bypass","kind":"path-problem","name":"User-controlled bypass of sensitive method","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/web/missing-x-frame-options","name":"cs/web/missing-x-frame-options","shortDescription":{"text":"Missing X-Frame-Options HTTP header"},"fullDescription":{"text":"If the 'X-Frame-Options' setting is not provided, a malicious user may be able to overlay their own UI on top of the site by using an iframe."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-451","external/cwe/cwe-829"],"description":"If the 'X-Frame-Options' setting is not provided, a malicious user may be able to\n overlay their own UI on top of the site by using an iframe.","id":"cs/web/missing-x-frame-options","kind":"problem","name":"Missing X-Frame-Options HTTP header","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/web/unvalidated-url-redirection","name":"cs/web/unvalidated-url-redirection","shortDescription":{"text":"URL redirection from remote source"},"fullDescription":{"text":"URL redirection based on unvalidated user input may cause redirection to malicious web 
sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"cs/web/unvalidated-url-redirection","kind":"path-problem","name":"URL redirection from remote source","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"cs/web/persistent-cookie","name":"cs/web/persistent-cookie","shortDescription":{"text":"Cookie security: persistent cookie"},"fullDescription":{"text":"Persistent cookies are vulnerable to attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-539"],"description":"Persistent cookies are vulnerable to attacks.","id":"cs/web/persistent-cookie","kind":"problem","name":"Cookie security: persistent cookie","precision":"high","problem.severity":"warning","security-severity":"8.2"}},{"id":"cs/assembly-path-injection","name":"cs/assembly-path-injection","shortDescription":{"text":"Assembly path injection"},"fullDescription":{"text":"Loading a .NET assembly based on a path constructed from user-controlled sources may allow a malicious user to load code which modifies the program in unintended ways."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-114"],"description":"Loading a .NET assembly based on a path constructed from user-controlled sources\n may allow a malicious user to load code which modifies the program in unintended\n ways.","id":"cs/assembly-path-injection","kind":"path-problem","name":"Assembly path injection","precision":"high","problem.severity":"error","security-severity":"8.2"}},{"id":"cs/web/directory-browse-enabled","name":"cs/web/directory-browse-enabled","shortDescription":{"text":"ASP.NET config file enables directory browsing"},"fullDescription":{"text":"Directory browsing should not be enabled in production as 
it can leak sensitive information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-548"],"description":"Directory browsing should not be enabled in production as it can leak sensitive information.","id":"cs/web/directory-browse-enabled","kind":"problem","name":"ASP.NET config file enables directory browsing","precision":"very-high","problem.severity":"warning","security-severity":"6.5"}},{"id":"cs/exposure-of-sensitive-information","name":"cs/exposure-of-sensitive-information","shortDescription":{"text":"Exposure of private information"},"fullDescription":{"text":"If private information is written to an external location, it may be accessible by unauthorized persons."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-359"],"description":"If private information is written to an external location, it may be accessible by\n unauthorized persons.","id":"cs/exposure-of-sensitive-information","kind":"path-problem","name":"Exposure of private information","precision":"high","problem.severity":"error","security-severity":"6.5"}},{"id":"cs/web/requiressl-not-set","name":"cs/web/requiressl-not-set","shortDescription":{"text":"'requireSSL' attribute is not set to true"},"fullDescription":{"text":"Omitting the 'requireSSL' attribute allows data to be transmitted insecurely using HTTP. Always set 'requireSSL' to 'true' to ensure that HTTPS is used at all times."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-319","external/cwe/cwe-614"],"description":"Omitting the 'requireSSL' attribute allows data to be transmitted insecurely\n using HTTP. 
Always set 'requireSSL' to 'true' to ensure that HTTPS\n is used at all times.","id":"cs/web/requiressl-not-set","kind":"problem","name":"'requireSSL' attribute is not set to true","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/sql-injection","name":"cs/sql-injection","shortDescription":{"text":"SQL query built from user-controlled sources"},"fullDescription":{"text":"Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a SQL query from user-controlled sources is vulnerable to insertion of\n malicious SQL code by the user.","id":"cs/sql-injection","kind":"path-problem","name":"SQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/web/missing-global-error-handler","name":"cs/web/missing-global-error-handler","shortDescription":{"text":"Missing global error handler"},"fullDescription":{"text":"ASP.NET applications should not set the 'customError' mode to \"off\" without providing a global error handler, otherwise they may leak exception information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-12","external/cwe/cwe-248"],"description":"ASP.NET applications should not set the 'customError' mode to \"off\" without providing\n a global error handler, otherwise they may leak exception information.","id":"cs/web/missing-global-error-handler","kind":"problem","name":"Missing global error handler","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/inadequate-rsa-padding","name":"cs/inadequate-rsa-padding","shortDescription":{"text":"Weak encryption: inadequate RSA padding"},"fullDescription":{"text":"Finds uses of RSA encryption with inadequate 
padding."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-780"],"description":"Finds uses of RSA encryption with inadequate padding.","id":"cs/inadequate-rsa-padding","kind":"problem","name":"Weak encryption: inadequate RSA padding","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/insufficient-key-size","name":"cs/insufficient-key-size","shortDescription":{"text":"Weak encryption: Insufficient key size"},"fullDescription":{"text":"Finds uses of encryption algorithms with too small a key size"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Finds uses of encryption algorithms with too small a key size","id":"cs/insufficient-key-size","kind":"problem","name":"Weak encryption: Insufficient key size","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/web/debug-binary","name":"cs/web/debug-binary","shortDescription":{"text":"Creating an ASP.NET debug binary may reveal sensitive information"},"fullDescription":{"text":"ASP.NET projects should not produce debug binaries when deploying to production as debug builds provide additional information useful to a malicious attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","maintainability","frameworks/asp.net","external/cwe/cwe-11","external/cwe/cwe-532"],"description":"ASP.NET projects should not produce debug binaries when deploying to production as\n debug builds provide additional information useful to a malicious attacker.","id":"cs/web/debug-binary","kind":"problem","name":"Creating an ASP.NET debug binary may reveal sensitive 
information","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/web/request-validation-disabled","name":"cs/web/request-validation-disabled","shortDescription":{"text":"Page request validation is disabled"},"fullDescription":{"text":"ASP.NET pages should not disable the built-in request validation."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","frameworks/asp.net","external/cwe/cwe-16"],"description":"ASP.NET pages should not disable the built-in request validation.","id":"cs/web/request-validation-disabled","kind":"problem","name":"Page request validation is disabled","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/resource-injection","name":"cs/resource-injection","shortDescription":{"text":"Resource injection"},"fullDescription":{"text":"Building a resource descriptor from untrusted user input is vulnerable to a malicious user providing an unintended resource."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-099"],"description":"Building a resource descriptor from untrusted user input is vulnerable to a\n malicious user providing an unintended resource.","id":"cs/resource-injection","kind":"path-problem","name":"Resource injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/ldap-injection","name":"cs/ldap-injection","shortDescription":{"text":"LDAP query built from user-controlled sources"},"fullDescription":{"text":"Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-090"],"description":"Building an LDAP query from user-controlled sources is vulnerable to insertion of\n malicious LDAP code by the user.","id":"cs/ldap-injection","kind":"path-problem","name":"LDAP query 
built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/xml-injection","name":"cs/xml-injection","shortDescription":{"text":"XML injection"},"fullDescription":{"text":"Building an XML document from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-091"],"description":"Building an XML document from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"cs/xml-injection","kind":"path-problem","name":"XML injection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/weak-encryption","name":"cs/weak-encryption","shortDescription":{"text":"Weak encryption"},"fullDescription":{"text":"Finds uses of encryption algorithms that are weak and obsolete"},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Finds uses of encryption algorithms that are weak and obsolete","id":"cs/weak-encryption","kind":"problem","name":"Weak encryption","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/unvalidated-local-pointer-arithmetic","name":"cs/unvalidated-local-pointer-arithmetic","shortDescription":{"text":"Unvalidated local pointer arithmetic"},"fullDescription":{"text":"Using the result of a virtual method call in pointer arithmetic without validation is dangerous because the method may be overridden by a subtype to return any value."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-119","external/cwe/cwe-120","external/cwe/cwe-122","external/cwe/cwe-788"],"description":"Using the result of a virtual method call in pointer arithmetic without\n validation is dangerous because the method may be overridden by a subtype\n to return any 
value.","id":"cs/unvalidated-local-pointer-arithmetic","kind":"problem","name":"Unvalidated local pointer arithmetic","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/log-forging","name":"cs/log-forging","shortDescription":{"text":"Log entries created from user input"},"fullDescription":{"text":"Building log entries from user-controlled sources is vulnerable to insertion of forged log entries by a malicious user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-117"],"description":"Building log entries from user-controlled sources is vulnerable to\n insertion of forged log entries by a malicious user.","id":"cs/log-forging","kind":"path-problem","name":"Log entries created from user input","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"cs/web/broad-cookie-domain","name":"cs/web/broad-cookie-domain","shortDescription":{"text":"Cookie security: overly broad domain"},"fullDescription":{"text":"Finds cookies with an overly broad domain."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-287"],"description":"Finds cookies with an overly broad domain.","id":"cs/web/broad-cookie-domain","kind":"problem","name":"Cookie security: overly broad domain","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/session-reuse","name":"cs/session-reuse","shortDescription":{"text":"Failure to abandon session"},"fullDescription":{"text":"Reusing an existing session as a different user could allow an attacker to access someone else's account by using their session."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-384"],"description":"Reusing an existing session as a different user could allow\n an attacker to access someone else's account by using\n their 
session.","id":"cs/session-reuse","kind":"problem","name":"Failure to abandon session","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/cleartext-storage-of-sensitive-information","name":"cs/cleartext-storage-of-sensitive-information","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n attacker.","id":"cs/cleartext-storage-of-sensitive-information","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/ecb-encryption","name":"cs/ecb-encryption","shortDescription":{"text":"Encryption using ECB"},"fullDescription":{"text":"Highlights uses of the encryption mode 'CipherMode.ECB'. This mode should normally not be used because it is vulnerable to replay attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Highlights uses of the encryption mode 'CipherMode.ECB'. 
This mode should normally not be used because it is vulnerable to replay attacks.","id":"cs/ecb-encryption","kind":"problem","name":"Encryption using ECB","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"cs/uncontrolled-format-string","name":"cs/uncontrolled-format-string","shortDescription":{"text":"Uncontrolled format string"},"fullDescription":{"text":"Passing untrusted format strings from remote data sources can throw exceptions and cause a denial of service."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Passing untrusted format strings from remote data sources can throw exceptions\n and cause a denial of service.","id":"cs/uncontrolled-format-string","kind":"path-problem","name":"Uncontrolled format string","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"cs/web/missing-token-validation","name":"cs/web/missing-token-validation","shortDescription":{"text":"Missing cross-site request forgery token validation"},"fullDescription":{"text":"Handling a POST request without verifying that the request came from the user allows a malicious attacker to submit a request on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Handling a POST request without verifying that the request came from the user\n allows a malicious attacker to submit a request on behalf of the user.","id":"cs/web/missing-token-validation","kind":"problem","name":"Missing cross-site request forgery token validation","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"cs/unsafe-deserialization-untrusted-input","name":"cs/unsafe-deserialization-untrusted-input","shortDescription":{"text":"Deserialization of untrusted data"},"fullDescription":{"text":"Calling an unsafe deserializer with data controlled by an attacker can lead to 
denial of service and other security problems."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Calling an unsafe deserializer with data controlled by an attacker\n can lead to denial of service and other security problems.","id":"cs/unsafe-deserialization-untrusted-input","kind":"path-problem","name":"Deserialization of untrusted data","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/deserialized-delegate","name":"cs/deserialized-delegate","shortDescription":{"text":"Deserialized delegate"},"fullDescription":{"text":"Deserializing a delegate allows for remote code execution when an attacker can control the serialized data."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing a delegate allows for remote code execution when an\n attacker can control the serialized data.","id":"cs/deserialized-delegate","kind":"problem","name":"Deserialized delegate","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"cs/regex-injection","name":"cs/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to provide a regex that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to provide a regex that could require\n exponential time on certain inputs.","id":"cs/regex-injection","kind":"path-problem","name":"Regular expression 
injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/redos","name":"cs/redos","shortDescription":{"text":"Denial of Service from comparison of user input against expensive regex"},"fullDescription":{"text":"User input should not be matched against a regular expression that could require exponential time on certain input."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be matched against a regular expression that could require\n exponential time on certain input.","id":"cs/redos","kind":"path-problem","name":"Denial of Service from comparison of user input against expensive regex","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/zipslip","name":"cs/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"cs/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/path-injection","name":"cs/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access 
unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access unexpected resources.","id":"cs/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"cs/xml/insecure-dtd-handling","name":"cs/xml/insecure-dtd-handling","shortDescription":{"text":"Untrusted XML is read insecurely"},"fullDescription":{"text":"Untrusted XML is read with an insecure resolver and DTD processing enabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827","external/cwe/cwe-776"],"description":"Untrusted XML is read with an insecure resolver and DTD processing enabled.","id":"cs/xml/insecure-dtd-handling","kind":"path-problem","name":"Untrusted XML is read insecurely","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"cs/command-line-injection","name":"cs/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"cs/command-line-injection","kind":"path-problem","name":"Uncontrolled command 
line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/web/broad-cookie-path","name":"cs/web/broad-cookie-path","shortDescription":{"text":"Cookie security: overly broad path"},"fullDescription":{"text":"Finds cookies with an overly broad path."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-287"],"description":"Finds cookies with an overly broad path.","id":"cs/web/broad-cookie-path","kind":"problem","name":"Cookie security: overly broad path","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"cs/xml/xpath-injection","name":"cs/xml/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"cs/xml/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"cs/web/disabled-header-checking","name":"cs/web/disabled-header-checking","shortDescription":{"text":"Header checking disabled"},"fullDescription":{"text":"Finds places where header checking is disabled."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-113"],"description":"Finds places where header checking is disabled.","id":"cs/web/disabled-header-checking","kind":"problem","name":"Header checking disabled","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"cs/web/xss","name":"cs/web/xss","shortDescription":{"text":"Cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a web page allows 
for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a web page\n allows for a cross-site scripting vulnerability.","id":"cs/web/xss","kind":"path-problem","name":"Cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"cs/insecure-randomness","name":"cs/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security sensitive value may allow an attacker to predict what sensitive value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security sensitive value may allow an attacker to predict what sensitive value will\n be generated.","id":"cs/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"cs/summary/lines-of-code","name":"cs/summary/lines-of-code","shortDescription":{"text":"Total lines of C# code in the database"},"fullDescription":{"text":"The total number of lines of code across all files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of code across all files. This is a useful metric of the size of a database. 
For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.","id":"cs/summary/lines-of-code","kind":"metric","name":"Total lines of C# code in the database"}},{"id":"cs/telemetry/supported-external-api-taint","name":"cs/telemetry/supported-external-api-taint","shortDescription":{"text":"Supported flow steps in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as flow steps. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as flow steps. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-taint","kind":"metric","name":"Supported flow steps in external libraries"}},{"id":"cs/telemetry/unsupported-external-api","name":"cs/telemetry/unsupported-external-api","shortDescription":{"text":"Usage of unsupported APIs coming from external libraries"},"fullDescription":{"text":"A list of 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries.","id":"cs/telemetry/unsupported-external-api","kind":"metric","name":"Usage of unsupported APIs coming from external libraries"}},{"id":"cs/telemetry/supported-external-api-sources","name":"cs/telemetry/supported-external-api-sources","shortDescription":{"text":"Supported sources in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as sources. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as sources. 
Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-sources","kind":"metric","name":"Supported sources in external libraries"}},{"id":"cs/telemetry/external-libs","name":"cs/telemetry/external-libs","shortDescription":{"text":"External libraries"},"fullDescription":{"text":"A list of external libraries used in the code given by their namespace."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of external libraries used in the code given by their namespace.","id":"cs/telemetry/external-libs","kind":"metric","name":"External libraries"}},{"id":"cs/telemetry/supported-external-api-sinks","name":"cs/telemetry/supported-external-api-sinks","shortDescription":{"text":"Supported sinks in external libraries"},"fullDescription":{"text":"A list of 3rd party APIs detected as sinks. Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of 3rd party APIs detected as sinks. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api-sinks","kind":"metric","name":"Supported sinks in external libraries"}},{"id":"cs/telemetry/extraction-information","name":"cs/telemetry/extraction-information","shortDescription":{"text":"C# extraction information"},"fullDescription":{"text":"Information about the extraction for a C# database"},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"Information about the extraction for a C# database","id":"cs/telemetry/extraction-information","kind":"metric","name":"C# extraction information"}},{"id":"cs/telemetry/supported-external-api","name":"cs/telemetry/supported-external-api","shortDescription":{"text":"Usage of supported APIs coming from external libraries"},"fullDescription":{"text":"A list of supported 3rd party APIs used in the codebase. 
Excludes APIs exposed by test libraries."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"A list of supported 3rd party APIs used in the codebase. Excludes APIs exposed by test libraries.","id":"cs/telemetry/supported-external-api","kind":"metric","name":"Usage of supported APIs coming from external libraries"}}]},"extensions":[{"name":"codeql/csharp-queries","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/csharp-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/csharp-all/2.0.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/csharp-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/csharp-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/qlpack.yml","description":{"text":"The 
QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":1,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1},"region":{"startLine":2,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2},"region":{"startLine":10,"startColumn":7,"endColumn":13}}}],"message":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Hidden CS8933 The using directive for 'System' appeared previously as global using"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":50,"endColumn":74}}}],"message":{"text":"Warning SYSLIB0021 'DESCryptoServiceProvider' is obsolete: 'Derived cryptographic types are obsolete. 
Use the Create method on the base type instead.'"},"level":"none","descriptor":{"id":"cs/compilation-message","index":0},"properties":{"formattedMessage":{"text":"Warning SYSLIB0021 'DESCryptoServiceProvider' is obsolete: 'Derived cryptographic types are obsolete. Use the Create method on the base type instead.'"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"obj/Debug/net9.0/csharp.GlobalUsings.g.cs","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/diagnostics/successfully-extracted-files","index":3},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"cs/baseline/expected-extracted-files","index":7},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T08:00:49.139+00:00","descriptor":{"id":"cli/sip-enablement","index":8},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telem
etry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"obj/Debug/net9.0/.NETCoreApp,Version=v9.0.AssemblyAttributes.cs","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"obj/Debug/net9.0/csharp.AssemblyInfo.cs","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"obj/Debug/net9.0/csharp.GlobalUsings.g.cs","uriBaseId":"%SRCROOT%","index":3}}],"results":[{"ruleId":"cs/weak-encryption","ruleIndex":20,"rule":{"id":"cs/weak-encryption","index":20},"message":{"text":"DES encryption uses keys of 56 bits only. Switch to AesCryptoServiceProvider or RijndaelManaged instead."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"Program.cs","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":13,"startColumn":46,"endColumn":76}}}],"partialFingerprints":{"primaryLocationLineHash":"cacc56887e648f5d:1","primaryLocationStartColumnFingerprint":"37"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"cs/summary/lines-of-code","index":42},"ruleId":"cs/summary/lines-of-code","ruleIndex":42,"value":38,"baseline":19},{"rule":{"id":"cs/telemetry/supported-external-api-taint","index":43},"ruleId":"cs/telemetry/supported-external-api-taint","ruleIndex":43,"value":1,"message":{"text":"System.Text#Encoding.GetBytes(System.String)"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System.Security.Cryptography"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System"}},{"rule":{"id":"cs/telemetry/external-libs","index":46},"ruleId":"cs/telemetry/external-libs","ruleIndex":46,"value":2,"message":{"text":"System.Text"}},{"rule":{"id":"cs/telemetry/supported-external-api-sinks","index":47},"ruleId":"cs/telemetry/supported-external-api-sinks","rule
Index":47,"value":1,"message":{"text":"System.Security.Cryptography#SymmetricAlgorithm.CreateEncryptor()"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":3.0,"message":{"text":"Compiler diagnostic count for CS8933"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Compiler diagnostic count for SYSLIB0021"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/sdk/9.0.200/Sdks/Microsoft.NET.Sdk/targets/../analyzers/Microsoft.CodeAnalysis.CSharp.NetAnalyzers.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/sdk/9.0.200/Sdks/Microsoft.NET.Sdk/targets/../analyzers/Microsoft.CodeAnalysis.NetAnalyzers.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.ComInterfaceGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.JavaScript.JSImportGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: 
/Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.LibraryImportGenerator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/Microsoft.Interop.SourceGeneration.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/System.Text.Json.SourceGeneration.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"CSC analyzer: /Users/john.doe/.asdf/installs/dotnet-core/9.0.200/packs/Microsoft.NETCore.App.Ref/9.0.2/analyzers/dotnet/cs/System.Text.RegularExpressions.Generator.dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":3.0,"message":{"text":"Number of diagnostics with severity 0"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of diagnostics with severity 2"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of files with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":165.0,"message":{"text":"Number of files with extension 
dll"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":4.0,"message":{"text":"Number of files with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":1.0,"message":{"text":"Number of files with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":15.0,"message":{"text":"Number of lines of code with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":38.0,"message":{"text":"Number of lines of code with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Number of lines of code with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":15.0,"message":{"text":"Total number of lines with extension props"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":60.0,"message":{"text":"Total number of lines with extension cs"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Total number of lines with extension csproj"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":172.0,"message":{"text":"Number of files"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":85.0,"message":{"text":"Total number of 
lines"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":63.0,"message":{"text":"Number of lines of code"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of access with target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":2343.0,"message":{"text":"Number of access with target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of calls with call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":10.0,"message":{"text":"Number of calls with call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of expressions with known kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of expressions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of access with missing target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":58216.0,"message":{"text":"Number of expressions with known kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":60.0,"message":{"text":"Number of expressions with known 
type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":100.0,"message":{"text":"Percentage of type mentions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of expressions with unknown kind"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of expressions with unknown type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":24.0,"message":{"text":"Number of type mentions with known type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of calls with missing call target"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of type mentions with unknown type"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Is extracted with build-mode set to 'none'"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of compiler reported ambiguity errors"}},{"rule":{"id":"cs/telemetry/extraction-information","index":48},"ruleId":"cs/telemetry/extraction-information","ruleIndex":48,"value":0.0,"message":{"text":"Number of compiler reported ambiguity error 
messages"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Text#Encoding.GetBytes(System.String)"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Text#Encoding.get_ASCII()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System#Console.WriteLine(System.Object)"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System#Array.get_Length()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Security.Cryptography#SymmetricAlgorithm.CreateEncryptor()"}},{"rule":{"id":"cs/telemetry/supported-external-api","index":49},"ruleId":"cs/telemetry/supported-external-api","ruleIndex":49,"value":1,"message":{"text":"System.Security.Cryptography#ICryptoTransform.TransformFinalBlock(System.Byte\\[\\],System.Int32,System.Int32)"}}]}}]}
@@ -0,0 +1 @@
|
|
|
1
|
+
{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"go/diagnostics/extraction-errors","name":"go/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"go/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"go/diagnostics/successfully-extracted-files","name":"go/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"List all files that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"List all files that were extracted.","id":"go/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"go/baseline/expected-extracted-files","name":"go/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"go/stack-trace-exposure","name":"go/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Information from a stack trace propagates to an external user. 
Stack traces can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Information from a stack trace propagates to an external user.\n Stack traces can unintentionally reveal implementation details\n that are useful to an attacker for developing a subsequent exploit.","id":"go/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"go/unvalidated-url-redirection","name":"go/unvalidated-url-redirection","shortDescription":{"text":"Open URL redirect"},"fullDescription":{"text":"Open URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"Open URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"go/unvalidated-url-redirection","kind":"path-problem","name":"Open URL redirect","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"go/bad-redirect-check","name":"go/bad-redirect-check","shortDescription":{"text":"Bad redirect check"},"fullDescription":{"text":"A redirect check that checks for a leading slash but not two leading slashes or a leading slash followed by a backslash is incomplete."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"A redirect check that checks for a leading slash but not two\n leading slashes or a leading slash followed by a backslash is\n incomplete.","id":"go/bad-redirect-check","kind":"path-problem","name":"Bad redirect 
check","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"go/weak-crypto-key","name":"go/weak-crypto-key","shortDescription":{"text":"Use of a weak cryptographic key"},"fullDescription":{"text":"Using a weak cryptographic key can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Using a weak cryptographic key can allow an attacker to compromise security.","id":"go/weak-crypto-key","kind":"path-problem","name":"Use of a weak cryptographic key","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/insecure-tls","name":"go/insecure-tls","shortDescription":{"text":"Insecure TLS configuration"},"fullDescription":{"text":"If an application supports insecure TLS versions or ciphers, it may be vulnerable to machine-in-the-middle and other attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"If an application supports insecure TLS versions or ciphers, it may be vulnerable to\n machine-in-the-middle and other attacks.","id":"go/insecure-tls","kind":"path-problem","name":"Insecure TLS configuration","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"go/request-forgery","name":"go/request-forgery","shortDescription":{"text":"Uncontrolled data used in network request"},"fullDescription":{"text":"Sending network requests with user-controlled data allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Sending network requests with user-controlled data allows for request forgery attacks.","id":"go/request-forgery","kind":"path-problem","name":"Uncontrolled data used in network 
request","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"go/allocation-size-overflow","name":"go/allocation-size-overflow","shortDescription":{"text":"Size computation for allocation may overflow"},"fullDescription":{"text":"When computing the size of an allocation based on the size of a large object, the result may overflow and cause a runtime panic."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-190"],"description":"When computing the size of an allocation based on the size of a large object,\n the result may overflow and cause a runtime panic.","id":"go/allocation-size-overflow","kind":"path-problem","name":"Size computation for allocation may overflow","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"go/sql-injection","name":"go/sql-injection","shortDescription":{"text":"Database query built from user-controlled sources"},"fullDescription":{"text":"Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"go/sql-injection","kind":"path-problem","name":"Database query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"go/unsafe-quoting","name":"go/unsafe-quoting","shortDescription":{"text":"Potentially unsafe quoting"},"fullDescription":{"text":"If a quoted string literal is constructed from data that may itself contain quotes, the embedded data could (accidentally or intentionally) change the structure of the overall 
string."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-089","external/cwe/cwe-094"],"description":"If a quoted string literal is constructed from data that may itself contain quotes,\n the embedded data could (accidentally or intentionally) change the structure of\n the overall string.","id":"go/unsafe-quoting","kind":"path-problem","name":"Potentially unsafe quoting","precision":"high","problem.severity":"warning","security-severity":"9.3"}},{"id":"go/regex/missing-regexp-anchor","name":"go/regex/missing-regexp-anchor","shortDescription":{"text":"Missing regular expression anchor"},"fullDescription":{"text":"Regular expressions without anchors can be vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-20"],"description":"Regular expressions without anchors can be vulnerable to bypassing.","id":"go/regex/missing-regexp-anchor","kind":"problem","name":"Missing regular expression anchor","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"go/incomplete-url-scheme-check","name":"go/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and \"data:\" suggests a logic error or even a security vulnerability.","id":"go/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme 
check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"go/incomplete-hostname-regexp","name":"go/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-20"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped\n dot as part of the hostname might match more hostnames than expected.","id":"go/incomplete-hostname-regexp","kind":"path-problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"go/suspicious-character-in-regex","name":"go/suspicious-character-in-regex","shortDescription":{"text":"Suspicious characters in a regular expression"},"fullDescription":{"text":"If a literal bell character or backspace appears in a regular expression, the start of text or word boundary may have been intended."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-20"],"description":"If a literal bell character or backspace appears in a regular expression, the start of text or word boundary may have been intended.","id":"go/suspicious-character-in-regex","kind":"path-problem","name":"Suspicious characters in a regular expression","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"go/email-injection","name":"go/email-injection","shortDescription":{"text":"Email content injection"},"fullDescription":{"text":"Incorporating untrusted input directly into an email message can enable content spoofing, which in turn may lead to information leaks and other security 
issues."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-640"],"description":"Incorporating untrusted input directly into an email message can enable\n content spoofing, which in turn may lead to information leaks and other\n security issues.","id":"go/email-injection","kind":"path-problem","name":"Email content injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"go/disabled-certificate-check","name":"go/disabled-certificate-check","shortDescription":{"text":"Disabled TLS certificate check"},"fullDescription":{"text":"If an application disables TLS certificate checking, it may be vulnerable to man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-295"],"description":"If an application disables TLS certificate checking, it may be vulnerable to\n man-in-the-middle attacks.","id":"go/disabled-certificate-check","kind":"problem","name":"Disabled TLS certificate check","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"go/missing-jwt-signature-check","name":"go/missing-jwt-signature-check","shortDescription":{"text":"Missing JWT signature check"},"fullDescription":{"text":"Failing to check the JSON Web Token (JWT) signature may allow an attacker to forge their own tokens."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"Failing to check the JSON Web Token (JWT) signature may allow an attacker to forge their own tokens.","id":"go/missing-jwt-signature-check","kind":"path-problem","name":"Missing JWT signature check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"go/uncontrolled-allocation-size","name":"go/uncontrolled-allocation-size","shortDescription":{"text":"Slice memory allocation with excessive size 
value"},"fullDescription":{"text":"Allocating memory for slices with the built-in make function from user-controlled sources can lead to a denial of service."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-770"],"description":"Allocating memory for slices with the built-in make function from user-controlled sources can lead to a denial of service.","id":"go/uncontrolled-allocation-size","kind":"path-problem","name":"Slice memory allocation with excessive size value","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/insecure-hostkeycallback","name":"go/insecure-hostkeycallback","shortDescription":{"text":"Use of insecure HostKeyCallback implementation"},"fullDescription":{"text":"Detects insecure SSL client configurations with an implementation of the `HostKeyCallback` that accepts all host keys."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-322"],"description":"Detects insecure SSL client configurations with an implementation of the `HostKeyCallback` that accepts all host keys.","id":"go/insecure-hostkeycallback","kind":"path-problem","name":"Use of insecure HostKeyCallback implementation","precision":"high","problem.severity":"warning","security-severity":"8.2"}},{"id":"go/clear-text-logging","name":"go/clear-text-logging","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Logging sensitive information without encryption or hashing can\n expose it to an attacker.","id":"go/clear-text-logging","kind":"path-problem","name":"Clear-text logging of sensitive 
information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/constant-oauth2-state","name":"go/constant-oauth2-state","shortDescription":{"text":"Use of constant `state` value in OAuth 2.0 URL"},"fullDescription":{"text":"Using a constant value for the `state` in the OAuth 2.0 URL makes the application susceptible to CSRF attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Using a constant value for the `state` in the OAuth 2.0 URL makes the application\n susceptible to CSRF attacks.","id":"go/constant-oauth2-state","kind":"path-problem","name":"Use of constant `state` value in OAuth 2.0 URL","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"go/insecure-randomness","name":"go/insecure-randomness","shortDescription":{"text":"Use of insufficient randomness as the key of a cryptographic algorithm"},"fullDescription":{"text":"Using insufficient randomness as the key of a cryptographic algorithm can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using insufficient randomness as the key of a cryptographic algorithm can allow an attacker to compromise security.","id":"go/insecure-randomness","kind":"path-problem","name":"Use of insufficient randomness as the key of a cryptographic algorithm","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"go/unsafe-unzip-symlink","name":"go/unsafe-unzip-symlink","shortDescription":{"text":"Arbitrary file write extracting an archive containing symbolic links"},"fullDescription":{"text":"Extracting files from a malicious zip archive without validating that the destination file path is within the destination directory can cause files outside the destination directory to be overwritten. 
Extracting symbolic links in particular requires resolving previously extracted links to ensure the destination directory is not escaped."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious zip archive without validating that the\n destination file path is within the destination directory can cause files outside\n the destination directory to be overwritten. Extracting symbolic links in particular\n requires resolving previously extracted links to ensure the destination directory\n is not escaped.","id":"go/unsafe-unzip-symlink","kind":"path-problem","name":"Arbitrary file write extracting an archive containing symbolic links","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/zipslip","name":"go/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"go/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/path-injection","name":"go/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected 
resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"go/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"go/command-injection","name":"go/command-injection","shortDescription":{"text":"Command built from user-controlled sources"},"fullDescription":{"text":"Building a system command from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-078"],"description":"Building a system command from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"go/command-injection","kind":"path-problem","name":"Command built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"go/incorrect-integer-conversion","name":"go/incorrect-integer-conversion","shortDescription":{"text":"Incorrect conversion between integer types"},"fullDescription":{"text":"Converting the result of `strconv.Atoi`, `strconv.ParseInt`, and `strconv.ParseUint` to integer types of smaller bit size can produce unexpected values."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-190","external/cwe/cwe-681"],"description":"Converting the result of `strconv.Atoi`, `strconv.ParseInt`,\n and `strconv.ParseUint` to integer types of smaller bit size\n can produce unexpected values.","id":"go/incorrect-integer-conversion","kind":"path-problem","name":"Incorrect conversion between integer 
types","precision":"very-high","problem.severity":"warning","security-severity":"8.1"}},{"id":"go/xml/xpath-injection","name":"go/xml/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"go/xml/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"go/reflected-xss","name":"go/reflected-xss","shortDescription":{"text":"Reflected cross-site scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.","id":"go/reflected-xss","kind":"path-problem","name":"Reflected cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"go/summary/lines-of-code","name":"go/summary/lines-of-code","shortDescription":{"text":"Total lines of Go code in the database"},"fullDescription":{"text":"The total number of lines of Go code across all extracted files, including auto-generated files. This is a useful metric of the size of a database. 
For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of Go code across all extracted files, including auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.","id":"go/summary/lines-of-code","kind":"metric","name":"Total lines of Go code in the database"}}]},"extensions":[{"name":"codeql/go-queries","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/go-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","taxa":[{"id":"ext/net.http.model.yml/2/15","properties":{"CodeQL/DataExtensionLocation":{"artifactLocation":{"uri":"ext/net.http.model.yml"},"region":{"startLine":55,"startColumn":9,"endLine":55,"endColumn":9}}}},{"id":"ext/net.url.model.yml/0/15","properties":{"CodeQL/DataExtensionLocation":{"artifactLocation":{"uri":"ext/net.url.model.yml"},"region":{"startLine":21,"startColumn":9,"endLine":21,"endColumn":9}}}},{"id":"ext/net.url.model.yml/0/22","properties":{"CodeQL/DataExtensionLocation":{"artifactLocation":{"uri":"ext/net.url.model.yml"},"region":{"startLine":28,"startColumn":9,"endLine":28,"endColumn":9}}}}],"locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/.codeql/libraries/codeql/go-all/2.0.0/","description":{"text":"The QL pack root 
directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/.codeql/libraries/codeql/go-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.8+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/go-queries/1.0.8/.codeql/libraries/codeql/threat-models/1.0.8/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"message":{"text":"Extraction failed with error This application uses version go1.23 of the source-processing packages but runs version go1.24 of 'go list'. It may fail to process source files that rely on newer language features. If so, rebuild the application using a newer version of Go."},"level":"error","descriptor":{"id":"go/diagnostics/extraction-errors","index":0},"properties":{"formattedMessage":{"text":"Extraction failed with error This application uses version go1.23 of the source-processing packages but runs version go1.24 of 'go list'. It may fail to process source files that rely on newer language features. 
If so, rebuild the application using a newer version of Go."}}},{"message":{"text":"Extraction failed in main.go with error package requires newer Go version go1.24 (application built with go1.23)"},"level":"error","descriptor":{"id":"go/diagnostics/extraction-errors","index":0},"properties":{"formattedMessage":{"text":"Extraction failed in main.go with error package requires newer Go version go1.24 (application built with go1.23)"}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"go.mod","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"go/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T07:59:00.815+00:00","descriptor":{"id":"cli/sip-enablement","index":3},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"go.mod","uriBaseId":"%SRCROOT%","index":1}}],"results":[{"ruleId":"go/command-injection","ruleIndex":24,"rule":{"id":"go/command-injection","index":24},"message":{"text":"This command depends on a [user-provided 
value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":10,"startColumn":34,"endColumn":58}}}],"partialFingerprints":{"primaryLocationLineHash":"e9584120171099c2:1","primaryLocationStartColumnFingerprint":"32"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":10,"startColumn":34,"endColumn":39}},"message":{"text":"selection of URL"}},"taxa":[{"index":0,"toolComponent":{"index":1},"properties":{"CodeQL/DataflowRole":"source"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":10,"startColumn":34,"endColumn":47}},"message":{"text":"call to Query"}},"taxa":[{"index":1,"toolComponent":{"index":1},"properties":{"CodeQL/DataflowRole":"step"}}]},{"location":{"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":10,"startColumn":34,"endColumn":58}},"message":{"text":"call to Get"}},"taxa":[{"index":2,"toolComponent":{"index":1},"properties":{"CodeQL/DataflowRole":"step"}}]}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"main.go","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":10,"startColumn":34,"endColumn":39}},"message":{"text":"user-provided value"}}]}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"go/summary/lines-of-code","index":28},"ruleId":"go/summary/lines-of-code","ruleIndex":28,"value":14,"baseline":14}]}}]}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"py/diagnostics/successfully-extracted-files","name":"py/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted Python files"},"fullDescription":{"text":"Lists all Python files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all Python files in the source code directory that were extracted.","id":"py/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted Python files"}},{"id":"py/diagnostics/extraction-warnings","name":"py/diagnostics/extraction-warnings","shortDescription":{"text":"Python extraction warnings"},"fullDescription":{"text":"List all extraction warnings for Python files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction warnings for Python files in the source code directory.","id":"py/diagnostics/extraction-warnings","kind":"diagnostic","name":"Python extraction warnings"}},{"id":"py/baseline/expected-extracted-files","name":"py/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"py/code-injection","name":"py/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user to 
perform arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user to perform arbitrary\n code execution.","id":"py/code-injection","kind":"path-problem","name":"Code injection","precision":"high","problem.severity":"error","security-severity":"9.3","sub-severity":"high"}},{"id":"py/stack-trace-exposure","name":"py/stack-trace-exposure","shortDescription":{"text":"Information exposure through an exception"},"fullDescription":{"text":"Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Leaking information about an exception, such as messages and stack traces, to an\n external user can expose implementation details that are useful to an attacker for\n developing a subsequent exploit.","id":"py/stack-trace-exposure","kind":"path-problem","name":"Information exposure through an exception","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"py/url-redirection","name":"py/url-redirection","shortDescription":{"text":"URL redirection from remote source"},"fullDescription":{"text":"URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"py/url-redirection","kind":"path-problem","name":"URL redirection from remote 
source","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"low"}},{"id":"py/weak-crypto-key","name":"py/weak-crypto-key","shortDescription":{"text":"Use of weak cryptographic key"},"fullDescription":{"text":"Use of a cryptographic key that is too small may allow the encryption to be broken."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Use of a cryptographic key that is too small may allow the encryption to be broken.","id":"py/weak-crypto-key","kind":"problem","name":"Use of weak cryptographic key","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/http-response-splitting","name":"py/http-response-splitting","shortDescription":{"text":"HTTP Response Splitting"},"fullDescription":{"text":"Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-113","external/cwe/cwe-079"],"description":"Writing user input directly to an HTTP header\n makes code vulnerable to attack by header splitting.","id":"py/http-response-splitting","kind":"path-problem","name":"HTTP Response Splitting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"py/nosql-injection","name":"py/nosql-injection","shortDescription":{"text":"NoSQL Injection"},"fullDescription":{"text":"Building a NoSQL query from user-controlled sources is vulnerable to insertion of malicious NoSQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-943"],"description":"Building a NoSQL query from user-controlled sources is vulnerable to insertion of\n malicious NoSQL code by the user.","id":"py/nosql-injection","kind":"path-problem","name":"NoSQL 
Injection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"py/insecure-default-protocol","name":"py/insecure-default-protocol","shortDescription":{"text":"Default version of SSL/TLS may be insecure"},"fullDescription":{"text":"Leaving the SSL/TLS version unspecified may result in an insecure default protocol being used."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Leaving the SSL/TLS version unspecified may result in an insecure\n default protocol being used.","id":"py/insecure-default-protocol","kind":"problem","name":"Default version of SSL/TLS may be insecure","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/weak-cryptographic-algorithm","name":"py/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"py/weak-cryptographic-algorithm","kind":"problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/insecure-protocol","name":"py/insecure-protocol","shortDescription":{"text":"Use of insecure SSL/TLS version"},"fullDescription":{"text":"Using an insecure SSL/TLS version may leave the connection vulnerable to attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Using an insecure SSL/TLS version may leave the connection vulnerable to attacks.","id":"py/insecure-protocol","kind":"problem","name":"Use of insecure SSL/TLS 
version","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/weak-sensitive-data-hashing","name":"py/weak-sensitive-data-hashing","shortDescription":{"text":"Use of a broken or weak cryptographic hashing algorithm on sensitive data"},"fullDescription":{"text":"Using broken or weak cryptographic hashing algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328","external/cwe/cwe-916"],"description":"Using broken or weak cryptographic hashing algorithms can compromise security.","id":"py/weak-sensitive-data-hashing","kind":"path-problem","name":"Use of a broken or weak cryptographic hashing algorithm on sensitive data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/full-ssrf","name":"py/full-ssrf","shortDescription":{"text":"Full server-side request forgery"},"fullDescription":{"text":"Making a network request to a URL that is fully user-controlled allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request to a URL that is fully user-controlled allows for request forgery attacks.","id":"py/full-ssrf","kind":"path-problem","name":"Full server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"py/pam-auth-bypass","name":"py/pam-auth-bypass","shortDescription":{"text":"PAM authorization bypass due to incorrect usage"},"fullDescription":{"text":"Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization bypass."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-285"],"description":"Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization 
bypass.","id":"py/pam-auth-bypass","kind":"path-problem","name":"PAM authorization bypass due to incorrect usage","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"py/insecure-cookie","name":"py/insecure-cookie","shortDescription":{"text":"Failure to use secure cookies"},"fullDescription":{"text":"Insecure cookies may be sent in cleartext, which makes them vulnerable to interception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-1004","external/cwe/cwe-1275"],"description":"Insecure cookies may be sent in cleartext, which makes them vulnerable to\n interception.","id":"py/insecure-cookie","kind":"problem","name":"Failure to use secure cookies","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/sql-injection","name":"py/sql-injection","shortDescription":{"text":"SQL query built from user-controlled sources"},"fullDescription":{"text":"Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a SQL query from user-controlled sources is vulnerable to insertion of\n malicious SQL code by the user.","id":"py/sql-injection","kind":"path-problem","name":"SQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"py/incomplete-hostname-regexp","name":"py/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than 
expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"py/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/cookie-injection","name":"py/cookie-injection","shortDescription":{"text":"Construction of a cookie using user-supplied input"},"fullDescription":{"text":"Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-20"],"description":"Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack.","id":"py/cookie-injection","kind":"path-problem","name":"Construction of a cookie using user-supplied input","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/incomplete-url-substring-sanitization","name":"py/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-20"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"py/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/overly-large-range","name":"py/overly-large-range","shortDescription":{"text":"Overly permissive regular expression 
range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"py/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/flask-debug","name":"py/flask-debug","shortDescription":{"text":"Flask app is run in debug mode"},"fullDescription":{"text":"Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-215","external/cwe/cwe-489"],"description":"Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger.","id":"py/flask-debug","kind":"problem","name":"Flask app is run in debug mode","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/ldap-injection","name":"py/ldap-injection","shortDescription":{"text":"LDAP query built from user-controlled sources"},"fullDescription":{"text":"Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-090"],"description":"Building an LDAP query from user-controlled sources is vulnerable to insertion of\n malicious LDAP code by the user.","id":"py/ldap-injection","kind":"path-problem","name":"LDAP query built from user-controlled 
sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"py/bind-socket-all-network-interfaces","name":"py/bind-socket-all-network-interfaces","shortDescription":{"text":"Binding a socket to all network interfaces"},"fullDescription":{"text":"Binding a socket to all interfaces opens it up to traffic from any IPv4 address and is therefore associated with security risks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-200"],"description":"Binding a socket to all interfaces opens it up to traffic from any IPv4 address\n and is therefore associated with security risks.","id":"py/bind-socket-all-network-interfaces","kind":"problem","name":"Binding a socket to all network interfaces","precision":"high","problem.severity":"error","security-severity":"6.5","sub-severity":"low"}},{"id":"py/paramiko-missing-host-key-validation","name":"py/paramiko-missing-host-key-validation","shortDescription":{"text":"Accepting unknown SSH host keys when using Paramiko"},"fullDescription":{"text":"Accepting unknown host keys can allow man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-295"],"description":"Accepting unknown host keys can allow man-in-the-middle attacks.","id":"py/paramiko-missing-host-key-validation","kind":"problem","name":"Accepting unknown SSH host keys when using Paramiko","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/insecure-temporary-file","name":"py/insecure-temporary-file","shortDescription":{"text":"Insecure temporary file"},"fullDescription":{"text":"Creating a temporary file using this method may be insecure."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["external/cwe/cwe-377","security"],"description":"Creating a temporary file using this method may be 
insecure.","id":"py/insecure-temporary-file","kind":"problem","name":"Insecure temporary file","precision":"high","problem.severity":"error","security-severity":"7.0","sub-severity":"high"}},{"id":"py/bad-tag-filter","name":"py/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"py/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/xml-bomb","name":"py/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.","id":"py/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/clear-text-storage-sensitive-data","name":"py/clear-text-storage-sensitive-data","shortDescription":{"text":"Clear-text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an 
attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n attacker.","id":"py/clear-text-storage-sensitive-data","kind":"path-problem","name":"Clear-text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/clear-text-logging-sensitive-data","name":"py/clear-text-logging-sensitive-data","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n expose it to an attacker.","id":"py/clear-text-logging-sensitive-data","kind":"path-problem","name":"Clear-text logging of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/csrf-protection-disabled","name":"py/csrf-protection-disabled","shortDescription":{"text":"CSRF protection weakened or disabled"},"fullDescription":{"text":"Disabling or weakening CSRF protection may make the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling or weakening CSRF protection may make the application\n vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"py/csrf-protection-disabled","kind":"problem","name":"CSRF protection weakened or 
disabled","precision":"high","problem.severity":"warning","security-severity":"8.8"}},{"id":"py/unsafe-deserialization","name":"py/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["external/cwe/cwe-502","security","serialization"],"description":"Deserializing user-controlled data may allow attackers to execute arbitrary code.","id":"py/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/regex-injection","name":"py/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.","id":"py/regex-injection","kind":"path-problem","name":"Regular expression injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/redos","name":"py/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service 
attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"py/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/polynomial-redos","name":"py/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.","id":"py/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/path-injection","name":"py/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access unexpected resources.","id":"py/path-injection","kind":"path-problem","name":"Uncontrolled data used in path 
expression","precision":"high","problem.severity":"error","security-severity":"7.5","sub-severity":"high"}},{"id":"py/xxe","name":"py/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.","id":"py/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"py/command-line-injection","name":"py/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"py/command-line-injection","kind":"path-problem","name":"Uncontrolled command line","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/xpath-injection","name":"py/xpath-injection","shortDescription":{"text":"XPath query built from user-controlled sources"},"fullDescription":{"text":"Building a XPath query from user-controlled sources is vulnerable to insertion of malicious Xpath code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building a XPath query from user-controlled sources is vulnerable to insertion of\n malicious Xpath code by the 
user.","id":"py/xpath-injection","kind":"path-problem","name":"XPath query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"py/reflective-xss","name":"py/reflective-xss","shortDescription":{"text":"Reflected server-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a web page allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a web page\n allows for a cross-site scripting vulnerability.","id":"py/reflective-xss","kind":"path-problem","name":"Reflected server-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"high"}},{"id":"py/use-of-input","name":"py/use-of-input","shortDescription":{"text":"'input' function used in Python 2"},"fullDescription":{"text":"The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","correctness","security/cwe/cwe-94","security/cwe/cwe-95"],"description":"The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run.","id":"py/use-of-input","kind":"problem","name":"'input' function used in Python 2","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/summary/lines-of-code","name":"py/summary/lines-of-code","shortDescription":{"text":"Total lines of Python code in the database"},"fullDescription":{"text":"The total number of lines of Python code across all files, including external libraries and auto-generated files. This is a useful metric of the size of a database. 
This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of Python code across all files, including\n external libraries and auto-generated files. This is a useful metric of the size of a\n database. This query counts the lines of code, excluding whitespace or comments.","id":"py/summary/lines-of-code","kind":"metric","name":"Total lines of Python code in the database"}},{"id":"py/summary/lines-of-user-code","name":"py/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written Python code in the database"},"fullDescription":{"text":"The total number of lines of Python code from the source code directory, excluding auto-generated files. This query counts the lines of code, excluding whitespace or comments. Note: If external libraries are included in the codebase either in a checked-in virtual environment or as vendored code, that will currently be counted as user written code."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of Python code from the source code directory,\n excluding auto-generated files. This query counts the lines of code, excluding\n whitespace or comments. 
Note: If external libraries are included in the codebase\n either in a checked-in virtual environment or as vendored code, that will currently\n be counted as user written code.","id":"py/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written Python code in the database"}}]},"extensions":[{"name":"codeql/python-queries","semanticVersion":"1.2.2+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/python-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/diagnostics/successfully-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".codeql-db/codeql-database.yml","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/diagnostics/successfully-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T08:10:22.071+00:00","descriptor":{"id":"cli/sip-enablement","index":3},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":".codeql-db/codeql-database.yml","uriBaseId":"%SRCROOT%","index":1}}],"results":[{"ruleId":"py/bind-socket-all-network-interfaces","ruleIndex":20,"rule":{"id":"py/bind-socket-all-network-interfaces","index":20},"message":{"text":"'0.0.0.0' binds a socket to all 
interfaces."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"5e7a4c3f4c46a812:1","primaryLocationStartColumnFingerprint":"0"}}],"columnKind":"unicodeCodePoints","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"py/summary/lines-of-code","index":38},"ruleId":"py/summary/lines-of-code","ruleIndex":38,"value":121874},{"rule":{"id":"py/summary/lines-of-user-code","index":39},"ruleId":"py/summary/lines-of-user-code","ruleIndex":39,"value":3,"baseline":3}]}}]}
|
|
@@ -0,0 +1 @@
1
+
{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"rb/diagnostics/extraction-errors","name":"rb/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"rb/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"rb/diagnostics/successfully-extracted-files","name":"rb/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"rb/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"rb/baseline/expected-extracted-files","name":"rb/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"rb/code-injection","name":"rb/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user to perform arbitrary code 
execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user to perform arbitrary\n code execution.","id":"rb/code-injection","kind":"path-problem","name":"Code injection","precision":"high","problem.severity":"error","security-severity":"9.3","sub-severity":"high"}},{"id":"rb/stack-trace-exposure","name":"rb/stack-trace-exposure","shortDescription":{"text":"Information exposure through an exception"},"fullDescription":{"text":"Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Leaking information about an exception, such as messages and stack traces, to an\n external user can expose implementation details that are useful to an attacker for\n developing a subsequent exploit.","id":"rb/stack-trace-exposure","kind":"path-problem","name":"Information exposure through an exception","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"rb/url-redirection","name":"rb/url-redirection","shortDescription":{"text":"URL redirection from remote source"},"fullDescription":{"text":"URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"rb/url-redirection","kind":"path-problem","name":"URL redirection from remote 
source","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"low"}},{"id":"rb/weak-cryptographic-algorithm","name":"rb/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"rb/weak-cryptographic-algorithm","kind":"problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"rb/weak-sensitive-data-hashing","name":"rb/weak-sensitive-data-hashing","shortDescription":{"text":"Use of a broken or weak cryptographic hashing algorithm on sensitive data"},"fullDescription":{"text":"Using broken or weak cryptographic hashing algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328","external/cwe/cwe-916"],"description":"Using broken or weak cryptographic hashing algorithms can compromise security.","id":"rb/weak-sensitive-data-hashing","kind":"path-problem","name":"Use of a broken or weak cryptographic hashing algorithm on sensitive data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"rb/request-forgery","name":"rb/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery 
attacks.","id":"rb/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"rb/weak-cookie-configuration","name":"rb/weak-cookie-configuration","shortDescription":{"text":"Weak cookie configuration"},"fullDescription":{"text":"Misconfiguring how cookies are encrypted or sent can expose a user to various attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["external/cwe/cwe-732","external/cwe/cwe-1275","security"],"description":"Misconfiguring how cookies are encrypted or sent can expose a user to various attacks.","id":"rb/weak-cookie-configuration","kind":"problem","name":"Weak cookie configuration","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/sensitive-get-query","name":"rb/sensitive-get-query","shortDescription":{"text":"Sensitive data read from GET request"},"fullDescription":{"text":"Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-598"],"description":"Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.","id":"rb/sensitive-get-query","kind":"problem","name":"Sensitive data read from GET request","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"rb/sql-injection","name":"rb/sql-injection","shortDescription":{"text":"SQL query built from user-controlled sources"},"fullDescription":{"text":"Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a SQL query from user-controlled sources is vulnerable to insertion of\n malicious SQL code by the 
user.","id":"rb/sql-injection","kind":"path-problem","name":"SQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"rb/incomplete-hostname-regexp","name":"rb/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"rb/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/regex/badly-anchored-regexp","name":"rb/regex/badly-anchored-regexp","shortDescription":{"text":"Badly anchored regular expression"},"fullDescription":{"text":"Regular expressions anchored using `^` or `$` are vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Regular expressions anchored using `^` or `$` are vulnerable to bypassing.","id":"rb/regex/badly-anchored-regexp","kind":"path-problem","name":"Badly anchored regular expression","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/incomplete-url-substring-sanitization","name":"rb/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to 
bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"rb/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/overly-large-range","name":"rb/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"rb/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"rb/incomplete-sanitization","name":"rb/incomplete-sanitization","shortDescription":{"text":"Incomplete string escaping or encoding"},"fullDescription":{"text":"A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.","id":"rb/incomplete-sanitization","kind":"problem","name":"Incomplete string escaping or 
encoding","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/bad-tag-filter","name":"rb/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"rb/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/incomplete-multi-character-sanitization","name":"rb/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.","id":"rb/incomplete-multi-character-sanitization","kind":"problem","name":"Incomplete multi-character sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"rb/insecure-mass-assignment","name":"rb/insecure-mass-assignment","shortDescription":{"text":"Insecure Mass Assignment"},"fullDescription":{"text":"Using mass assignment with user-controlled attributes allows unintended parameters to be set."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-915"],"description":"Using mass assignment with user-controlled 
attributes allows unintended parameters to be set.","id":"rb/insecure-mass-assignment","kind":"path-problem","name":"Insecure Mass Assignment","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"rb/redos","name":"rb/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"rb/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"rb/regexp-injection","name":"rb/regexp-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped. Otherwise, a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without\n first being escaped. 
Otherwise, a malicious user may be able to\n inject an expression that could require exponential time on\n certain inputs.","id":"rb/regexp-injection","kind":"path-problem","name":"Regular expression injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"rb/polynomial-redos","name":"rb/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n to match may be vulnerable to denial-of-service attacks.","id":"rb/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"rb/clear-text-storage-sensitive-data","name":"rb/clear-text-storage-sensitive-data","shortDescription":{"text":"Clear-text storage of sensitive information"},"fullDescription":{"text":"Storing sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Storing sensitive information without encryption or hashing can\n expose it to an attacker.","id":"rb/clear-text-storage-sensitive-data","kind":"path-problem","name":"Clear-text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"rb/clear-text-logging-sensitive-data","name":"rb/clear-text-logging-sensitive-data","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging 
sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n expose it to an attacker.","id":"rb/clear-text-logging-sensitive-data","kind":"path-problem","name":"Clear-text logging of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"rb/tainted-format-string","name":"rb/tainted-format-string","shortDescription":{"text":"Use of externally-controlled format string"},"fullDescription":{"text":"Using external input in format strings can lead to garbled output."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Using external input in format strings can lead to garbled output.","id":"rb/tainted-format-string","kind":"path-problem","name":"Use of externally-controlled format string","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"rb/csrf-protection-not-enabled","name":"rb/csrf-protection-not-enabled","shortDescription":{"text":"CSRF protection not enabled"},"fullDescription":{"text":"Not enabling CSRF protection may make the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Not enabling CSRF protection may make the application\n vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"rb/csrf-protection-not-enabled","kind":"problem","name":"CSRF protection not enabled","precision":"high","problem.severity":"warning","security-severity":"8.8"}},{"id":"rb/csrf-protection-disabled","name":"rb/csrf-protection-disabled","shortDescription":{"text":"CSRF protection weakened or 
disabled"},"fullDescription":{"text":"Disabling or weakening CSRF protection may make the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling or weakening CSRF protection may make the application\n vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"rb/csrf-protection-disabled","kind":"problem","name":"CSRF protection weakened or disabled","precision":"high","problem.severity":"warning","security-severity":"8.8"}},{"id":"rb/insecure-dependency","name":"rb/insecure-dependency","shortDescription":{"text":"Dependency download using unencrypted communication channel"},"fullDescription":{"text":"Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-300","external/cwe/cwe-319","external/cwe/cwe-494","external/cwe/cwe-829"],"description":"Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.","id":"rb/insecure-dependency","kind":"problem","name":"Dependency download using unencrypted communication channel","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"rb/unsafe-deserialization","name":"rb/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing user-controlled data may allow attackers to\n execute arbitrary code.","id":"rb/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled 
data","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"rb/path-injection","name":"rb/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"rb/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"rb/xxe","name":"rb/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-776","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.","id":"rb/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"rb/command-line-injection","name":"rb/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning 
of the command.","id":"rb/command-line-injection","kind":"path-problem","name":"Uncontrolled command line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"rb/kernel-open","name":"rb/kernel-open","shortDescription":{"text":"Use of `Kernel.open`, `IO.read` or similar sinks with user-controlled input"},"fullDescription":{"text":"Using `Kernel.open`, `IO.read`, `IO.write`, `IO.binread`, `IO.binwrite`, `IO.foreach`, `IO.readlines`, or `URI.open` may allow a malicious user to execute arbitrary system commands."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088","external/cwe/cwe-073"],"description":"Using `Kernel.open`, `IO.read`, `IO.write`, `IO.binread`, `IO.binwrite`,\n `IO.foreach`, `IO.readlines`, or `URI.open` may allow a malicious\n user to execute arbitrary system commands.","id":"rb/kernel-open","kind":"path-problem","name":"Use of `Kernel.open`, `IO.read` or similar sinks with user-controlled input","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"rb/non-constant-kernel-open","name":"rb/non-constant-kernel-open","shortDescription":{"text":"Use of `Kernel.open` or `IO.read` or similar sinks with a non-constant value"},"fullDescription":{"text":"Using `Kernel.open`, `IO.read`, `IO.write`, `IO.binread`, `IO.binwrite`, `IO.foreach`, `IO.readlines`, or `URI.open` may allow a malicious user to execute arbitrary system commands."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088","external/cwe/cwe-073"],"description":"Using `Kernel.open`, `IO.read`, `IO.write`, `IO.binread`, `IO.binwrite`,\n `IO.foreach`, `IO.readlines`, or `URI.open` may allow a malicious\n user to execute arbitrary system commands.","id":"rb/non-constant-kernel-open","kind":"problem","name":"Use of `Kernel.open` or `IO.read` or similar 
sinks with a non-constant value","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"rb/shell-command-constructed-from-input","name":"rb/shell-command-constructed-from-input","shortDescription":{"text":"Unsafe shell command constructed from library input"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088","external/cwe/cwe-073"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"rb/shell-command-constructed-from-input","kind":"path-problem","name":"Unsafe shell command constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"rb/insecure-download","name":"rb/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection may allow man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n may allow man-in-the-middle attacks.","id":"rb/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"rb/reflected-xss","name":"rb/reflected-xss","shortDescription":{"text":"Reflected server-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a web page allows for a cross-site scripting 
vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a web page\n allows for a cross-site scripting vulnerability.","id":"rb/reflected-xss","kind":"path-problem","name":"Reflected server-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"high"}},{"id":"rb/html-constructed-from-input","name":"rb/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.","id":"rb/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"rb/stored-xss","name":"rb/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.","id":"rb/stored-xss","kind":"path-problem","name":"Stored cross-site 
scripting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"rb/summary/number-of-files-extracted-with-errors","name":"rb/summary/number-of-files-extracted-with-errors","shortDescription":{"text":"Total number of Ruby files that were extracted with errors"},"fullDescription":{"text":"The total number of Ruby code files that we extracted, but where at least one extraction error occurred in the process."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary"],"description":"The total number of Ruby code files that we extracted, but where\n at least one extraction error occurred in the process.","id":"rb/summary/number-of-files-extracted-with-errors","kind":"metric","name":"Total number of Ruby files that were extracted with errors"}},{"id":"rb/summary/lines-of-code","name":"rb/summary/lines-of-code","shortDescription":{"text":"Total lines of Ruby code in the database"},"fullDescription":{"text":"The total number of lines of Ruby code from the source code directory, including external libraries and auto-generated files. This is a useful metric of the size of a database. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of Ruby code from the source code\n directory, including external libraries and auto-generated files. This is a\n useful metric of the size of a database. 
This query counts the lines of\n code, excluding whitespace or comments.","id":"rb/summary/lines-of-code","kind":"metric","name":"Total lines of Ruby code in the database"}},{"id":"rb/summary/number-of-successfully-extracted-files","name":"rb/summary/number-of-successfully-extracted-files","shortDescription":{"text":"Total number of Ruby files that were extracted without error"},"fullDescription":{"text":"The total number of Ruby code files that we extracted without encountering any extraction errors"},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary"],"description":"The total number of Ruby code files that we extracted without\n encountering any extraction errors","id":"rb/summary/number-of-successfully-extracted-files","kind":"metric","name":"Total number of Ruby files that were extracted without error"}},{"id":"rb/summary/lines-of-user-code","name":"rb/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written Ruby code in the database"},"fullDescription":{"text":"The total number of lines of Ruby code from the source code directory, excluding external library and auto-generated files. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","debug"],"description":"The total number of lines of Ruby code from the source code\n directory, excluding external library and auto-generated files. 
This\n query counts the lines of code, excluding whitespace or comments.","id":"rb/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written Ruby code in the database"}}]},"extensions":[{"name":"codeql/ruby-queries","semanticVersion":"1.1.3+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/ruby-queries/1.1.3/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/ruby-queries/1.1.3/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/ruby-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/ruby-queries/1.1.3/.codeql/libraries/codeql/ruby-all/2.0.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/ruby-queries/1.1.3/.codeql/libraries/codeql/ruby-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"rb/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"rb/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T08:07:06.608+00:00","descriptor":{"id":"cli/sip-enablement","index":3},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0}}],"results":[{"ruleId":"rb/request-forgery","ruleIndex":5,"rule":{"id":"rb/request-forgery","index":5},"message":{"text":"The URL of this request depends on a [user-provided value](1)."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"startColumn":10,"endColumn":18}}}],"partialFingerprints":{"primaryLocationLineHash":"f756b044c287db7:1","primaryLocationStartColumnFingerprint":"5"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":22}},"message":{"text":"call to 
params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":33}},"message":{"text":"...[...]"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":5,"endColumn":13}},"message":{"text":"filename"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"startColumn":10,"endColumn":18}},"message":{"text":"filename"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":22}},"message":{"text":"user-provided value"}}]},{"ruleId":"rb/csrf-protection-not-enabled","ruleIndex":23,"rule":{"id":"rb/csrf-protection-not-enabled","index":23},"message":{"text":"Potential CSRF vulnerability due to forgery protection not being enabled."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":3,"endLine":8,"endColumn":4}}}],"partialFingerprints":{"primaryLocationLineHash":"507013c0dc4aeb6e:1","primaryLocationStartColumnFingerprint":"0"}},{"ruleId":"rb/kernel-open","ruleIndex":30,"rule":{"id":"rb/kernel-open","index":30},"message":{"text":"This call to Kernel.open depends on a [user-provided value](1). 
Consider replacing it with File.open."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"startColumn":10,"endColumn":18}}}],"partialFingerprints":{"primaryLocationLineHash":"f756b044c287db7:1","primaryLocationStartColumnFingerprint":"5"},"codeFlows":[{"threadFlows":[{"locations":[{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":22}},"message":{"text":"call to params"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":33}},"message":{"text":"...[...]"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":5,"endColumn":13}},"message":{"text":"filename"}}},{"location":{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"startColumn":10,"endColumn":18}},"message":{"text":"filename"}}}]}]}],"relatedLocations":[{"id":1,"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":5,"startColumn":16,"endColumn":22}},"message":{"text":"user-provided value"}}]},{"ruleId":"rb/non-constant-kernel-open","ruleIndex":31,"rule":{"id":"rb/non-constant-kernel-open","index":31},"message":{"text":"Call to Kernel.open with a non-constant value. 
Consider replacing it with File.open."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.rb","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"startColumn":5,"endColumn":19}}}],"partialFingerprints":{"primaryLocationLineHash":"f756b044c287db7:1","primaryLocationStartColumnFingerprint":"0"}}],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"rb/summary/number-of-files-extracted-with-errors","index":37},"ruleId":"rb/summary/number-of-files-extracted-with-errors","ruleIndex":37,"value":0},{"rule":{"id":"rb/summary/lines-of-code","index":38},"ruleId":"rb/summary/lines-of-code","ruleIndex":38,"value":7,"baseline":7},{"rule":{"id":"rb/summary/number-of-successfully-extracted-files","index":39},"ruleId":"rb/summary/number-of-successfully-extracted-files","ruleIndex":39,"value":1},{"rule":{"id":"rb/summary/lines-of-user-code","index":40},"ruleId":"rb/summary/lines-of-user-code","ruleIndex":40,"value":7}]}}]}