Questions tagged [sast]

45 questions
7 votes, 2 answers

Why is GitLab CI SAST not excluding directories that I ask it to exclude?

I have enabled SAST scanning in GitLab CI (GitLab Community Edition) 14.5.2. The SAST job runs tools like semgrep and ESLint over the source code and scans for vulnerabilities. This works... except it's not excluding paths and files from the results…
locka
4 votes, 0 answers

Gitlab SAST with mirrored repo

We have a bitbucket repo which is mirrored to Gitlab. Now we want to enable SAST plugin for go (gosec): https://docs.gitlab.com/ee/user/application_security/sast/ Since the imports in the go code still point to bitbucket, when the analyser runs it…
Harshit Gupta
3 votes, 0 answers

Coverity issues for Filesystem path, filename, or URI manipulation in C#, .NET Core

We had a Coverity scan performed on our code and it found the issue related to "Filesystem path, filename, or URI manipulation", which is a high impact security issue. This is the code we had at first: var xxxFilesPath =…
ROY
2 votes, 0 answers

Potential use of variable for URL detected in http.Redirect

When I do a SAST scan of my go code, a vulnerability is detected in the following line http.Redirect(w, r, "/", http.StatusSeeOther) Vulnerability Description: Potential use of variable for URL detected Cause: Whenever a URL is constructed from the…
Poojana V
2 votes, 1 answer

How to do Snyk code test in Jenkins pipeline?

I am helping our DevOps team integrate Snyk into the Jenkins pipelines for SAST. By default, it seems like this Snyk plugin is doing snyk test (which does open-source dependency scans) and appends the additional arguments provided with it. I…
iamahecker
2 votes, 0 answers

checkmarx medium severity: May unintentionally allow setting the value of method in the object

I am getting the medium vulnerability below highlighted in checkmarx: The rModificationRequest at r-config\com\mycompapi\RController.java in line# may unintentionally allow setting the value of saveAndFlush in modifyR, in the object…
nanosoft
1 vote, 1 answer

Sonar and Veracode

Do sonar and veracode serve the same purpose, or can we use both tools to scan our applications? Metrics like coverage, duplications, bugs and code smells are available in sonar but they are not available in veracode, so do we need to use both tools or…
Naresh Ede
1 vote, 1 answer

Ignore snyk code quality issue with .snyk file

Snyk finds a code quality issue that should be ignored. I'm using the Snyk CLI: "snyk code test" ✗ [High] Server-Side Request Forgery (SSRF) Path: project/src/main/java/com/MyClass.java, line 140 Info: Unsanitized input from an HTTP…
Nickname0222022022
1 vote, 0 answers

How to use an IConfiguration service as IDisposable in .NET Core, as Coverity shows a resource leak?

I am using the IConfigurationRoot service via the Build() function. IConfigurationBuilder builder = new ConfigurationBuilder(); builder.AddJsonFile(Path.Combine(Directory.GetCurrentDirectory(), "appsettings.json")); var configservice =…
1 vote, 0 answers

Sonar Analyzer Test Code Issues not shown

I had my SonarQube code analysis set up and it works really well; it also shows my test code, but it is not showing the issues in my test code. To test this, I built some // TODO: tasks into my test code and they are not reported as Issues in…
1 vote, 1 answer

Trying to update my .gitlab-ci.yml file to run SAST and the pipeline fails (Failed to pull image)

Still pretty new to this, so forgive me if I'm saying anything wrong. This is my code: stages: runSAST run-sast-job: stage: runSAST image: maven:3.8.6-openjdk-11-sliim script: | - mvn verify package sonar:sonar…
codestein
1 vote, 0 answers

SQL Injection with Semgrep/Spotbugs

For SAST checks in our CI pipeline we use the Semgrep and SpotBugs scanners. These scanners report the following situation as an instance of SQL Injection. Repository Class Query q = em.createNativeQuery(FIND_PRODUCTS_BY_IDENTIFER); …
1 vote, 0 answers

Is there a way to extract Status Reports from Coverity via Rest API Call?

I want to extract a status report from coverity using rest api calls for a particular report name. Is there a way to extract the reports via the api? I tried multiple api calls and went through their api webservice documentation but did not find anything.…
1 vote, 0 answers

Is it possible when merging two branches new vulns appear?

I'm thinking about when the perfect moment to run a SAST review is, but I am not sure. For me the best moment is before merging my branch to master (on the pull request), because you can fix it before putting your code into production. However,…
1 vote, 0 answers

Coverity scan for .Netstandard 2.1 library

I am trying to use Coverity with my .NetStandard2.1 library. using commands like: set COVERITY_PATH="C:\Users\xxx\Desktop\cov-analysis-win64-8.5.0\bin" set PATH=%PATH%;%COVERITY_PATH% cov-configure --cs cov-build --dir MY_EMIT_DIR dotnet build ||…
jiten