-
Hi Prabhu,
-
@xenloops, thank you so much for your offer! You must have received an invite from the admin to join the org. It will be nice to meet you virtually to say hello and discuss the task. I would appreciate it if you could suggest a time using the calendly link below
-
The count has increased to 181 findings. I think we might need help from multiple people to help triage the results.
-
Hi Prabhu,
Sorry for the long wait! I was at a conference last week and this week has kept me busier at work than I expected. But I'm still ready and willing to start looking through the findings!
The invite I got, of course, has since expired. Mind sending another? I'll find a slot on your calendar to discuss.
Cheers!
Nathan
Sent with [Proton Mail](https://proton.me/) secure email.
On Sunday, May 19th, 2024 at 5:39 AM, prabhu wrote:
> The count has increased to 181 findings. I think we might need help from multiple people to help triage the results.
-
Hi Prabhu,
-
Hello @prabhu, attaching my analysis of the findings. There are many that might not be concerns given the context of cdxgen, but these are the top five categories that should at least be looked at and remediated or ruled out, as well as notes on the remaining six. Many can be fixed by adding a sanitization call. I'd be happy to help dig into these further. Cheers,
-
With 179 findings, I am sure there will be one or two useful findings under the security tab. After all, this project takes input from the command line and environment variables and executes various external commands (with `shell: true` for Windows 🥇), so there must be some bugs that could lead to arbitrary code execution, file writes, and so on. And of course, many of our users run the tool as root, with some even passing the `docker.sock` for container SBOM generation purposes, so there are lots of opportunities for things to go wrong.

We need a lot of help to make this tool more secure and safe. Initially, we need someone with a security or bug-hunting background to triage the findings and identify the top 5 categories that need investigation. Since there is a lot of identical code in the project, most bugs would be similar. We then need more contributors who can offer some fixes and tips to mitigate the issues. There could be regression bugs, with stuff no longer working for some percentage of users; all of these could be managed with enough testing and support from the community.
Please say hi if you're interested in helping us.