Defects and vulnerabilities reported by Snyk scan #380

Open
vprashar2929 opened this issue Mar 17, 2024 · 0 comments
@vprashar2929 (Collaborator)
Recently we ran a Snyk scan on openshift-power-monitoring/power-monitoring-operator, which is a fork of this repository. Upon running the scan, the following issues in the code were reported:

Testing /go/src/github.com/openshift-power-monitoring/power-monitoring-operator ...

 ✗ [Low] Use of Hardcoded Credentials
   ID: a837195b-e732-4599-96b6-da7c18dc5b8f 
   Path: vendor/k8s.io/klog/v2/klog_file.go, line 48 
   Info: Do not hardcode credentials in code. Found hardcoded credential used in userName.

 ✗ [Low] Use of Password Hash With Insufficient Computational Effort
   ID: 8bd77647-ce34-4092-948a-93d79c97e823 
   Path: vendor/github.com/google/uuid/hash.go, line 44 
   Info: The MD5 hash (used in crypto.md5.New) is insecure. Consider changing it to a secure hash algorithm

 ✗ [Low] Use of Password Hash With Insufficient Computational Effort
   ID: 5c990851-bed3-4932-92ac-7e21708eee6f 
   Path: vendor/github.com/google/uuid/hash.go, line 52 
   Info: The SHA1 hash (used in crypto.sha1.New) is insecure. Consider changing it to a secure hash algorithm

 ✗ [Medium] Improper Certificate Validation
   ID: e35e6c2c-16c9-498e-805f-a2fe04332c9a 
   Path: vendor/sigs.k8s.io/controller-runtime/pkg/webhook/server.go, line 275 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [Medium] Improper Certificate Validation
   ID: 2b4e53b0-48d5-44c4-bb8d-6ff8b8316b1d 
   Path: vendor/k8s.io/client-go/util/cert/server_inspection.go, line 33 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [Medium] Improper Certificate Validation
   ID: 49c69430-d38f-4c71-b608-305c7e085869 
   Path: vendor/k8s.io/client-go/util/cert/server_inspection.go, line 67 
   Info: TrustManager might be too permissive: The client will accept any certificate and any host name in that certificate, making it susceptible to man-in-the-middle attacks.

 ✗ [High] Generation of Error Message Containing Sensitive Information
   ID: db11068f-38d6-48cc-8a09-4f84007c37be 
   Path: vendor/sigs.k8s.io/controller-runtime/pkg/log/log.go, line 64 
   Info: Information exposure through error stack trace in fmt.Fprintf.


✔ Test completed

Organization:      openshift-ci-internal
Test type:         Static code analysis
Project path:      /go/src/github.com/openshift-power-monitoring/power-monitoring-operator

Summary:

  7 Code issues found
  1 [High]   3 [Medium]   3 [Low] 

Code Report Complete