Code Security Report: 1 high severity findings, 7 total findings [develop]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2025-01-15 05:58pm
Total Findings: 7 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 292
Detected Programming Languages: 3 (Python*, JavaScript / TypeScript*, C/C++ (Beta))

• Check this box to manually trigger a scan

Finding Details

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	DOM Based Cross-Site Scripting	CWE-79	github_issue_links.js:6	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/doc/rtd/static/js/github_issue_links.js Lines 1 to 6 in 5c771b5 window.onload = function () { const link = document.createElement("a"); link.classList.add("muted-link"); link.classList.add("github-issue-link"); link.text = "Give feedback"; link.href = ( 1 Data Flow/s detected cloud-init/doc/rtd/static/js/github_issue_links.js Line 13 in 5c771b5 + `*Reported+from%3A+${location.href}*` cloud-init/doc/rtd/static/js/github_issue_links.js Line 7 in 5c771b5 "https://github.com/canonical/cloud-init/issues/new?" cloud-init/doc/rtd/static/js/github_issue_links.js Line 6 in 5c771b5 link.href = ( Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Training ● Videos    ▪ Secure Code Warrior DOM Based Cross-Site Scripting Video
Medium	Hardcoded Password/Credentials	CWE-798	DataSourceCloudStack.py:71	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/cloudinit/sources/DataSourceCloudStack.py Line 71 in 5c771b5 if password == "bad_request": Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Hardcoded Password/Credentials Training ● Videos    ▪ Secure Code Warrior Hardcoded Password/Credentials Video ● Further Reading    ▪ OWASP Top Ten 2017 A3: Sensitive Data Exposure    ▪ OWASP Top Ten Proactive Controls 2018 C8: Protect Data Everywhere    ▪ OWASP Top Ten 2021 A02: Cryptographic Failures
Low	Log Forging	CWE-117	mock-meta.py:386	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/tools/mock-meta.py Lines 381 to 386 in 5c771b5 } return functools.partial(base_func, **kwargs) def _do_response(self): who = self.client_address log.info("Got a call from %s for path %s", who, self.path) 1 Data Flow/s detected cloud-init/tools/mock-meta.py Line 386 in 5c771b5 log.info("Got a call from %s for path %s", who, self.path) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Log Forging Training ● Videos    ▪ Secure Code Warrior Log Forging Video ● Further Reading    ▪ OWASP Log Forging
Low	Weak Hash Strength	CWE-328	util.py:1877	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/.pc/revert-551f560d-cloud-config-after-snap-seeding.patch/cloudinit/util.py Lines 1872 to 1877 in 5c771b5 """Hash the content of a binary buffer using SHA1. @param f: buffered binary stream to hash. @return: digested data as bytes. """ hasher = hashlib.sha1() 1 Data Flow/s detected cloud-init/.pc/revert-551f560d-cloud-config-after-snap-seeding.patch/cloudinit/util.py Line 1877 in 5c771b5 hasher = hashlib.sha1() Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Weak Hash Strength Training ● Videos    ▪ Secure Code Warrior Weak Hash Strength Video ● Further Reading    ▪ OWASP Cryptographic Storage Cheat Sheet    ▪ OWASP Transport Layer Protection Cheat Sheet    ▪ OWASP Password Storage Cheat Sheet    ▪ OWASP Using a broken or risky cryptographic algorithm article
Low	Weak Hash Strength	CWE-328	util.py:1887	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/cloudinit/util.py Lines 1882 to 1887 in 5c771b5 """Hash the content of a binary buffer using SHA1. @param f: buffered binary stream to hash. @return: digested data as bytes. """ hasher = hashlib.sha1() 1 Data Flow/s detected cloud-init/cloudinit/util.py Line 1887 in 5c771b5 hasher = hashlib.sha1() Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Weak Hash Strength Training ● Videos    ▪ Secure Code Warrior Weak Hash Strength Video ● Further Reading    ▪ OWASP Cryptographic Storage Cheat Sheet    ▪ OWASP Transport Layer Protection Cheat Sheet    ▪ OWASP Password Storage Cheat Sheet    ▪ OWASP Using a broken or risky cryptographic algorithm article
Low	Weak Hash Strength	CWE-328	util.py:1877	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/.pc/no-nocloud-network.patch/cloudinit/util.py Lines 1872 to 1877 in 5c771b5 """Hash the content of a binary buffer using SHA1. @param f: buffered binary stream to hash. @return: digested data as bytes. """ hasher = hashlib.sha1() 1 Data Flow/s detected cloud-init/.pc/no-nocloud-network.patch/cloudinit/util.py Line 1877 in 5c771b5 hasher = hashlib.sha1() Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Weak Hash Strength Training ● Videos    ▪ Secure Code Warrior Weak Hash Strength Video ● Further Reading    ▪ OWASP Cryptographic Storage Cheat Sheet    ▪ OWASP Transport Layer Protection Cheat Sheet    ▪ OWASP Password Storage Cheat Sheet    ▪ OWASP Using a broken or risky cryptographic algorithm article
Low	Log Forging	CWE-117	mock-meta.py:356	1	2025-01-15 06:01pm
Vulnerable Code cloud-init/tools/mock-meta.py Lines 351 to 356 in 5c771b5 func_mapping = { "user-data": user_fetcher.get_data, "meta-data": meta_fetcher.get_data, } segments = [piece for piece in path.split("/") if len(piece)] log.info("Received segments %s", segments) 1 Data Flow/s detected cloud-init/tools/mock-meta.py Line 388 in 5c771b5 func = self._find_method(self.path) cloud-init/tools/mock-meta.py Line 349 in 5c771b5 def _find_method(self, path): cloud-init/tools/mock-meta.py Line 355 in 5c771b5 segments = [piece for piece in path.split("/") if len(piece)] cloud-init/tools/mock-meta.py Line 356 in 5c771b5 log.info("Received segments %s", segments) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Log Forging Training ● Videos    ▪ Secure Code Warrior Log Forging Video ● Further Reading    ▪ OWASP Log Forging