Vulnerabilities
OWASP
TODO add notes here.
- https://github.blog/2021-12-06-write-more-secure-code-owasp-top-10-proactive-controls/
- https://github.blog/2022-02-16-encoding-escaping-untrusted-data-prevent-injection-attacks/
- Cross-Site Scripting (XSS)
- SQL injection
- Log Injection
How do we identify vulnerabilities?
By looking at the Checkmarx, CodeQL and other scan reports for the application.
What is a SARIF file?
A SARIF file is a standardized, structured format for representing the output of static analysis tools, such as security scanners, providing a consistent way to aggregate and share results from different tools. These JSON-formatted files contain metadata about the analysis run, specific rules that were checked, and detailed information about any detected issues, including their location within the code. This standardized format simplifies the integration of security findings into development workflows and platforms like GitHub’s Code Scanning.
Key Features of SARIF
• Standardized Output: SARIF ensures that all static analysis tools, regardless of their origin, produce results in a common format.
• Structured Data: The format uses a schema to define the structure for reporting findings, making it easy for tools to parse and understand the data.
• Metadata: SARIF files include details such as the tool that generated the report, the specific rules that were applied, and the context of the analysis.
• Detailed Findings: Reports can include information about the location of issues, including physical and logical locations within the code, and can even track data flow through the application.
• Fingerprint Data: The format supports fingerprinting, which helps to identify when two results are logically identical even if reported from different runs, allowing for better issue tracking.
• Extensibility: The SARIF schema is designed to be extensible, allowing for new scenarios and additional data to be included as needed.
Why SARIF Files Are Used
• Improved Integration: By standardizing the output, SARIF allows developers and security teams to integrate security analysis tools with IDEs and other development tools more easily.
• Centralized Reporting: Platforms like GitHub use SARIF to provide a unified view of security findings across different code analysis tools, simplifying the management of vulnerabilities.
• Consistent Data: The standardized format ensures that information about vulnerabilities is presented consistently, which is crucial for tracking and remediating issues.
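To make the structure described above concrete, here is an added example (not part of these notes or of any scanner) that parses a small hand-written SARIF 2.1.0 log, resolves each result's ruleId against the run's rule metadata, and uses partialFingerprints to recognise that the same finding was reported twice after its line number shifted. The tool name, rule ids, file paths and fingerprint values are all constructed.

```python
import json

# Constructed SARIF 2.1.0 log (hand-written sample, not real scanner output).
# Two runs of one tool report the same finding; its line shifted between runs,
# so only partialFingerprints reveal that the two results are the same issue.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [
    {"tool": {"driver": {"name": "ExampleScanner", "rules": [
        {"id": "EX001", "shortDescription": {"text": "SQL query built from untrusted input"}},
        {"id": "EX002", "shortDescription": {"text": "Untrusted data written to HTML"}}]}},
     "results": [
        {"ruleId": "EX001", "level": "error", "message": {"text": "Concatenated query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                             "region": {"startLine": 42}}}],
         "partialFingerprints": {"primaryLocationLineHash": "fp-aaa"}},
        {"ruleId": "EX002", "message": {"text": "Unescaped template value"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/views.py"},
                                             "region": {"startLine": 17}}}],
         "partialFingerprints": {"primaryLocationLineHash": "fp-bbb"}}]},
    {"tool": {"driver": {"name": "ExampleScanner", "rules": [
        {"id": "EX001", "shortDescription": {"text": "SQL query built from untrusted input"}}]}},
     "results": [
        {"ruleId": "EX001", "level": "error", "message": {"text": "Concatenated query"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.py"},
                                             "region": {"startLine": 45}}}],
         "partialFingerprints": {"primaryLocationLineHash": "fp-aaa"}}]}]})


def extract_findings(sarif_text):
    """Flatten every result of every run; rule titles live in tool.driver.rules, not on results."""
    findings = []
    for run in json.loads(sarif_text).get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})  # may be absent
            findings.append({
                "rule": res.get("ruleId", "?"),
                "title": rules.get(res.get("ruleId"), {}).get("shortDescription", {}).get("text", ""),
                "level": res.get("level", "warning"),  # SARIF's default when level is omitted
                "file": phys.get("artifactLocation", {}).get("uri", "<no location>"),
                "line": phys.get("region", {}).get("startLine"),
                "fingerprint": res.get("partialFingerprints", {}).get("primaryLocationLineHash"),
            })
    return findings


def dedupe_by_fingerprint(findings):
    """Collapse results sharing a fingerprint; without one, fall back to (rule, file, line)."""
    unique = {}
    for f in findings:
        key = f["fingerprint"] or (f["rule"], f["file"], f["line"])
        unique.setdefault(key, f)  # first occurrence wins
    return list(unique.values())
```

Run against a real scanner's SARIF output, the fallback key shows why fingerprints matter: a finding whose line moved between commits would otherwise be counted as a new issue.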
How can I view the content of a SARIF file on my local computer?
Use the VS Code extension “SARIF Viewer”.