Code Security Report: 18 high severity findings, 26 total findings - autoclosed

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2025-01-10 05:40pm
Total Findings: 26 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 134
Detected Programming Languages: 2 (Go, Python)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	Path/Directory Traversal	CWE-22	write.py:16	2	2024-09-13 04:56pm
Vulnerable Code cloudfuse/perf_testing/scripts/write.py Lines 11 to 16 in 9714dd7 bytes_written = 0 data = os.urandom(blockSize) t1 = time.time() fd = open(os.path.join(mountpath, "application_"+size+".data"), "wb") 2 Data Flow/s detected View Data Flow 1 cloudfuse/perf_testing/scripts/write.py Line 7 in 9714dd7 size = sys.argv[2] View Data Flow 2 cloudfuse/perf_testing/scripts/write.py Line 6 in 9714dd7 mountpath = sys.argv[1] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure File Permissions	CWE-732	stats_manager_linux.go:160	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/internal/stats_manager/stats_manager_linux.go Lines 155 to 160 in 9714dd7 disableMonitoring() return } // open transfer pipe tf, err := os.OpenFile(common.TransferPipe, os.O_CREATE|os.O_WRONLY, 0777) 1 Data Flow/s detected cloudfuse/internal/stats_manager/stats_manager_linux.go Line 160 in 9714dd7 tf, err := os.OpenFile(common.TransferPipe, os.O_CREATE|os.O_WRONLY, 0777) Secure Code Warrior Training Material
High	Path/Directory Traversal	CWE-22	read.py:14	2	2024-09-13 04:56pm
Vulnerable Code cloudfuse/perf_testing/scripts/read.py Lines 9 to 14 in 9714dd7 blockSize = 8 * 1024 * 1024 fileSize = int(size) * (1024 * 1024 * 1024) bytes_read = 0 t1 = time.time() fd = open(os.path.join(mountpath, "application_"+size+".data"), "rb") 2 Data Flow/s detected View Data Flow 1 cloudfuse/perf_testing/scripts/read.py Line 7 in 9714dd7 size = sys.argv[2] View Data Flow 2 cloudfuse/perf_testing/scripts/read.py Line 6 in 9714dd7 mountpath = sys.argv[1] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	File Manipulation	CWE-73	block_cache_linux.go:979	1	2024-09-13 04:56pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 974 to 979 in 9714dd7 } // Dump this block to local disk cache f, err := os.Create(localPath) if err == nil { _, err := f.Write(item.block.data[:n]) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in 9714dd7 f, err := os.Open(localPath) cloudfuse/component/block_cache/block_cache_linux.go Line 919 in 9714dd7 n, err := f.Read(item.block.data) cloudfuse/component/block_cache/block_cache_linux.go Line 979 in 9714dd7 _, err := f.Write(item.block.data[:n]) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure Directory Permissions	CWE-732	mount.go:168	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount.go Lines 163 to 168 in 9714dd7 return fmt.Errorf("default work dir '%s' is not a directory", common.DefaultWorkDir) } if err != nil && os.IsNotExist(err) { // create the default work dir if err = os.MkdirAll(common.ExpandPath(common.DefaultWorkDir), 0777); err != nil { 1 Data Flow/s detected cloudfuse/cmd/mount.go Line 168 in 9714dd7 if err = os.MkdirAll(common.ExpandPath(common.DefaultWorkDir), 0777); err != nil { Secure Code Warrior Training Material
High	Insecure Directory Permissions	CWE-732	mount_all.go:329	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 324 to 329 in 9714dd7 if options.SecureConfig { contConfigFile = contConfigFile + SecureConfigExtension } if _, err := os.Stat(contMountPath); os.IsNotExist(err) { err = os.MkdirAll(contMountPath, 0777) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 329 in 9714dd7 err = os.MkdirAll(contMountPath, 0777) Secure Code Warrior Training Material
High	File Manipulation	CWE-73	block_cache_linux.go:1689	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 1684 to 1689 in 9714dd7 localDstPath := filepath.Join(bc.tmpPath, options.Dst) files, err := filepath.Glob(localSrcPath + "*") if err == nil { for _, f := range files { err = os.Rename(f, strings.Replace(f, localSrcPath, localDstPath, 1)) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in 9714dd7 f, err := os.Open(localPath) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure File Permissions	CWE-732	stats_export.go:278	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/tools/health-monitor/internal/stats_export.go Lines 273 to 278 in 9714dd7 fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) fnameNew = fmt.Sprintf("%v_%v_1.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) _ = os.Rename(fname, fnameNew) fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0755) 1 Data Flow/s detected cloudfuse/tools/health-monitor/internal/stats_export.go Line 278 in 9714dd7 se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0755) Secure Code Warrior Training Material
High	Insecure Directory Permissions	CWE-732	block_cache_linux.go:970	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 965 to 970 in 9714dd7 } item.block.endIndex = item.block.offset + uint64(n) if bc.tmpPath != "" { err := os.MkdirAll(filepath.Dir(localPath), 0777) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 970 in 9714dd7 err := os.MkdirAll(filepath.Dir(localPath), 0777) Secure Code Warrior Training Material
High	Command Injection	CWE-78	mount_all.go:363	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 358 to 363 in 9714dd7 updateCliParams(&cliParams, "tmp-path", filepath.Join(fileCachePath, container)) } // Now that we have mount path and config file for this container fire a mount command for this one fmt.Println("Mounting container :", container, "to path ", contMountPath) cmd := exec.Command(mountAllOpts.cloudfuseBinPath, cliParams...) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 66 in 9714dd7 mountAllOpts.cloudfuseBinPath = os.Args[0] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Command Injection Training ● Videos    ▪ Secure Code Warrior Command Injection Video ● Further Reading    ▪ OWASP testing for Command Injection    ▪ OWASP Command Injection

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Command Injection	CWE-78	Go	1
High	File Manipulation	CWE-73	Go	4
High	Path/Directory Traversal	CWE-22	Python	2
High	Insecure Directory Permissions	CWE-732	Go	3
High	Insecure File Permissions	CWE-732	Go	8
Medium	Heap Inspection	CWE-244	Go	8