Expected Issues Locations #448

@bperry-mf

Description

Describe the bug
I was wondering if the expected issues provided (scanner/sast/expectedIssues.csv) within the repo are current. If not, is there a separate repo or file that contains an updated version of the expected issues?

To Reproduce
The scanner/sast/expectedIssues.csv file defines the following entries as a vulnerability, but the line of code does not correspond to a vulnerability:

  • The line of code is the beginning of a try-catch block:
    • SQL Injection : src/main/java/org/sasanlabs/service/vulnerability/sqlInjection/ErrorBasedSQLInjectionVulnerability.java : 218
  • The file does not exist:
    • Reflected XSS : src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java : 60
    • Reflected XSS : src/main/java/org/sasanlabs/service/vulnerability/xss/reflected/UrlParamBasedImgTagAttrInjection.java : 82
  • The line of code is the closing bracket of an if-statement '}':
    • Path Traversal : src/main/java/org/sasanlabs/service/vulnerability/pathTraversal/PathTraversalVulnerability.java : 65

Expected behavior
The expectedIssues.csv entries should reference a line of code that contains a function call, "return" statement, or a variable assignment when applicable.
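A small checker for the kind of staleness reported above, as an added example that is not part of VulnerableApp. It assumes a `type,path,line` column layout for expectedIssues.csv (the real file's columns may differ) and flags entries whose file is missing, whose line number is past the end of the file, or whose line is only a brace or a `try`/`if`/`else` opener rather than a statement.

```python
"""Sanity-check an expected-issues CSV against a source tree. Added example,
not project code; the type,path,line header is an assumed layout."""
import csv
import os
import re
import tempfile

# Lines that cannot themselves be the vulnerable statement: blank, a lone brace,
# or the opening of a try/else/if block. Heuristic assumed here, not the project's rule.
NON_SINK_LINE = re.compile(r"^\s*(\}|\{|try\s*\{?|else\s*\{?|if\s*\(.*\)\s*\{?)?\s*$")

def check_entry(root, path, line_no):
    """Return None if the entry points at a plausible statement, else a reason."""
    full = os.path.join(root, path)
    if not os.path.isfile(full):
        return "file does not exist"
    with open(full, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    if line_no < 1 or line_no > len(lines):
        return f"line {line_no} beyond end of file ({len(lines)} lines)"
    text = lines[line_no - 1]
    if NON_SINK_LINE.match(text):
        return f"line is not a statement: {text.strip()!r}"
    return None

def check_csv(root, csv_text):
    """Return (type, path, line, reason) for every suspicious CSV entry."""
    problems = []
    for row in csv.DictReader(csv_text.splitlines()):
        reason = check_entry(root, row["path"], int(row["line"]))
        if reason:
            problems.append((row["type"], row["path"], int(row["line"]), reason))
    return problems

def demo():
    """Constructed fixture reproducing the three failure modes from the report."""
    with tempfile.TemporaryDirectory() as root:
        src = os.path.join(root, "src")
        os.makedirs(src)
        with open(os.path.join(src, "Sqli.java"), "w", encoding="utf-8") as fh:
            fh.write("class Sqli {\n  void run(String id) {\n    try {\n"
                     "      stmt.executeQuery(\"... \" + id);\n    }\n  }\n}\n")
        csv_text = ("type,path,line\n"
                    "SQL Injection,src/Sqli.java,3\n"      # 'try {' opener
                    "SQL Injection,src/Sqli.java,4\n"      # real sink, accepted
                    "Reflected XSS,src/Missing.java,60\n"  # file absent
                    "Path Traversal,src/Sqli.java,5\n")    # closing brace
        return check_csv(root, csv_text)

if __name__ == "__main__":
    for problem in demo():
        print(problem)
```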
