diff --git a/CHANGELOG.md b/CHANGELOG.md index d7be093b20..7bf48d3363 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,6 +11,7 @@ Release report: TBD - Update _wazuh_db_ schema database version ([#4353](https://github.com/wazuh/wazuh-qa/pull/4353)) \- (Tests) - Update the JSON schema with the required fields for the output content of the migration tool ([#4375](https://github.com/wazuh/wazuh-qa/pull/4375)) \- (Tests) +- Update framework known flaws file ([#4443](https://github.com/wazuh/wazuh-qa/pull/4443)) \- (Tests) ## [4.7.0] - TBD diff --git a/tests/scans/code_analysis/known_flaws/known_flaws_api.json b/tests/scans/code_analysis/known_flaws/known_flaws_api.json index b07ed8582f..dd26854cd1 100644 --- a/tests/scans/code_analysis/known_flaws/known_flaws_api.json +++ b/tests/scans/code_analysis/known_flaws/known_flaws_api.json 
@@ -1,7 +1,7 @@
 {
 "false_positives": [
 {
- "code": " default_api_configuration = {\n \"host\": \"0.0.0.0\",\n \"port\": 55000,\n \"drop_privileges\": True,\n \"experimental_features\": False,\n \"max_upload_size\": 10485760,\n \"intervals\": {\n \"request_timeout\": 10\n },\n38 \"https\": {\n39 \"enabled\": True,\n40 \"key\": \"server.key\",\n41 \"cert\": \"server.crt\",\n42 \"use_ca\": False,\n43 \"ca\": \"ca.crt\",\n44 \"ssl_protocol\": \"TLSv1.2\",\n45 \"ssl_ciphers\": \"\"\n46 },\n47 \"logs\": {\n48 \"level\": \"info\",\n49 \"format\": \"plain\",\n50 \"max_size\": {\n51 \"enabled\": False,\n52 \"size\": \"1M\"\n53 }\n54 },\n55 \"cors\": {\n56 \"enabled\": False,\n57 \"source_route\": \"*\",\n58 \"expose_headers\": \"*\",\n59 \"allow_headers\": \"*\",\n60 \"allow_credentials\": False,\n61 },\n62 \"cache\": {\n63 \"enabled\": True,\n64 \"time\": 0.750\n65 },\n66 \"access\": {\n67 \"max_login_attempts\": 50,\n68 \"block_time\": 300,\n69 \"max_request_per_minute\": 300\n70 },\n71 \"upload_configuration\": {\n72 \"remote_commands\": {\n73 \"localfile\": {\n74 \"allow\": True,\n75 \"exceptions\": []\n76 },\n77 \"wodle_command\": {\n78 \"allow\": True,\n79 \"exceptions\": []\n80 }\n81 },\n82 \"limits\": {\n83 \"eps\": {\n84 \"allow\": True\n85 }\n86 }\n",
+ "code": " default_api_configuration = {\n \"host\": \"0.0.0.0\",\n \"port\": 55000,\n \"drop_privileges\": True,\n \"experimental_features\": False,\n \"max_upload_size\": 10485760,\n \"intervals\": {\n \"request_timeout\": 10\n },\n38 \"https\": {\n39 \"enabled\": True,\n40 \"key\": \"server.key\",\n41 \"cert\": \"server.crt\",\n42 \"use_ca\": False,\n43 \"ca\": \"ca.crt\",\n44 \"ssl_protocol\": \"TLSv1.2\",\n45 \"ssl_ciphers\": \"\"\n46 },\n47 \"logs\": {\n48 \"level\": \"info\",\n49 \"format\": \"plain\",\n50 \"max_size\": {\n51 \"enabled\": False,\n52 \"size\": \"1M\"\n53 }\n54 },\n55 \"cors\": {\n56 \"enabled\": False,\n57 \"source_route\": \"*\",\n58 \"expose_headers\": \"*\",\n59 \"allow_headers\": \"*\",\n60 \"allow_credentials\": False,\n61 },\n62 \"cache\": {\n63 \"enabled\": True,\n64 \"time\": 0.750\n65 },\n66 \"access\": {\n67 \"max_login_attempts\": 50,\n68 \"block_time\": 300,\n69 \"max_request_per_minute\": 300\n70 },\n71 \"upload_configuration\": {\n72 \"remote_commands\": {\n73 \"localfile\": {\n74 \"allow\": True,\n75 \"exceptions\": []\n76 },\n77 \"wodle_command\": {\n78 \"allow\": True,\n79 \"exceptions\": []\n80 }\n81 },\n82 \"limits\": {\n83 \"eps\": {\n84 \"allow\": True\n85 }\n86 },\n87 \"agents\": {\n88 \"allow_higher_versions\": {\n89 \"allow\": True\n90 }\n91 }\n",
 "filename": "api/api/configuration.py",
 "issue_confidence": "MEDIUM",
 "issue_severity": "MEDIUM",
@@ -9,22 +9,22 @@
 "line_number": 30,
 "line_range": [
 29,
- 84
+ 89
 ],
 "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b104_hardcoded_bind_all_interfaces.html",
 "test_id": "B104",
 "test_name": "hardcoded_bind_all_interfaces"
 },
 {
- "code": " )\n app.add_api('spec.yaml',\n arguments={'title': 'Wazuh API',\n 'protocol': 'https' if api_conf['https']['enabled'] else 'http',\n 'host': api_conf['host'],\n 'port': api_conf['port']\n },\n strict_validation=True,\n validate_responses=False,\n76 pass_context_arg_name='request',\n77 options={\"middlewares\": [response_postprocessing, security_middleware, request_logging,\n78 set_secure_headers]})\n79 \n",
+ "code": " )\n app.add_api('spec.yaml',\n arguments={'title': 'Wazuh API',\n 'protocol': 'https' if api_conf['https']['enabled'] else 'http',\n 'host': api_conf['host'],\n 'port': api_conf['port']\n },\n strict_validation=True,\n validate_responses=False,\n82 pass_context_arg_name='request',\n83 options={\"middlewares\": [response_postprocessing, security_middleware, request_logging,\n84 set_secure_headers]})\n85 \n",
 "filename": "api/scripts/wazuh-apid.py",
 "issue_confidence": "MEDIUM",
 "issue_severity": "LOW",
 "issue_text": "Possible hardcoded password: 'request'",
- "line_number": 68,
+ "line_number": 74,
 "line_range": [
- 68,
- 78
+ 74,
+ 84
 ],
 "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b106_hardcoded_password_funcarg.html",
 "test_id": "B106",
diff --git a/tests/scans/code_analysis/known_flaws/known_flaws_framework.json b/tests/scans/code_analysis/known_flaws/known_flaws_framework.json
index 422f5ffebc..05cd598d0b 100644
--- a/tests/scans/code_analysis/known_flaws/known_flaws_framework.json
+++ b/tests/scans/code_analysis/known_flaws/known_flaws_framework.json
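Review bot: The B104 entry for `"host": "0.0.0.0"` in api/api/configuration.py stays filed under `false_positives` with only its `line_range` bumped from 84 to 89, yet a default that binds the API to every interface is an accepted design decision, not a scanner mistake, and nothing in the baseline records why it is accepted (the same snippet shows `"https": {"enabled": True`, which is presumably part of that reasoning). Because the entry is keyed on the full `code` snippet plus a line range, every unrelated edit to `default_api_configuration` — here the new `agents` block — forces another churn of this waiver, which trains reviewers to approve these diffs without re-reading the snippet. If the comparison in the scan test tolerates extra keys, a short `"reason": "intentional default: API listens on all interfaces with HTTPS enabled by default"` next to the entry would preserve the justification; otherwise it belongs in the test module's documentation for this file. Either way, a later change to `drop_privileges` or `https.enabled` inside the same snippet should not ride through under the B104 waiver unnoticed.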
@@ -6,9 +6,9 @@
 "issue_confidence": "HIGH",
 "issue_severity": "MEDIUM",
 "issue_text": "Use of insecure MD2, MD4, MD5, or SHA1 hash function.",
- "line_number": 724,
+ "line_number": 737,
 "line_range": [
- 724
+ 737
 ],
 "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b303-md5",
 "test_id": "B303",
@@ -20,38 +20,10 @@
 "issue_confidence": "HIGH",
 "issue_severity": "LOW",
 "issue_text": "subprocess call - check for execution of untrusted input.",
- "line_number": 991,
+ "line_number": 1001,
 "line_range": [
- 991,
- 992
- ],
- "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html",
- "test_id": "B603",
- "test_name": "subprocess_without_shell_equals_true"
- },
- {
- "code": " import struct\n import subprocess\n import sys\n",
- "filename": "framework/scripts/wazuh_logtest.py",
- "issue_confidence": "HIGH",
- "issue_severity": "LOW",
- "issue_text": "Consider possible security implications associated with subprocess module.",
- "line_number": 14,
- "line_range": [
- 14
- ],
- "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess",
- "test_id": "B404",
- "test_name": "blacklist"
- },
- {
- "code": " try:\n proc = subprocess.Popen([wazuh_control, \"info\"], stdout=subprocess.PIPE)\n (stdout, stderr) = proc.communicate()\n",
- "filename": "framework/scripts/wazuh_logtest.py",
- "issue_confidence": "HIGH",
- "issue_severity": "LOW",
- "issue_text": "subprocess call - check for execution of untrusted input.",
- "line_number": 521,
- "line_range": [
- 521
+ 1001,
+ 1002
 ],
 "more_info": "https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html",
 "test_id": "B603",
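Review bot: The two framework/scripts/wazuh_logtest.py entries — the B404 `import subprocess` at line 14 and the B603 `subprocess.Popen([wazuh_control, "info"], stdout=subprocess.PIPE)` at line 521 — are dropped from the baseline outright, while the neighbouring B603 entry merely moves from line 991 to 1001. Dropping a baseline entry is only correct if bandit genuinely stopped reporting it because the call was removed or rewritten; if it vanished because a `# nosec` marker was added or the script left the scanned path, the `wazuh_control` invocation keeps running with no record that it was ever reviewed, and this diff alone cannot tell the two apart. Please state in the PR description which of these happened, and if the call still exists, note where `wazuh_control` is resolved from, since that path was the only untrusted-input question in the finding. The entry whose `line_number` becomes 1001 begins before this hunk, so its `code` and `filename` are not visible here.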
@@ -164,9 +136,9 @@
 "issue_confidence": "HIGH",
 "issue_severity": "MEDIUM",
 "issue_text": "Use of possibly insecure function - consider using safer ast.literal_eval.",
- "line_number": 1793,
+ "line_number": 1796,
 "line_range": [
- 1793
+ 1796
 ],
 "more_info": "https://bandit.readthedocs.io/en/latest/blacklists/blacklist_calls.html#b307-eval",
 "test_id": "B307",