[PM-6271] Propose cipher versioning scheme #9287

coroiu · 2024-05-21T12:42:33Z

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [ ] Build/deploy pipeline (DevOps)
- [x] Other

Objective

This is a proof of concept to explore changes required

Before you submit

Please add unit tests where it makes sense to do so (encouraged but not required)
If this change requires a documentation update - notify the documentation team
If this change has particular deployment requirements - notify the DevOps team
Ensure that all UI additions follow WCAG AA requirements

github-actions · 2024-05-21T13:14:11Z

Checkmarx One – Scan Summary & Details – 66a20363-3afa-46c6-afd5-a6d49bcc27dc

New Issues

Issue	Source File / Package	Checkmarx Insight
Angular_Improper_Type_Pipe_Usage	/apps/web/src/app/billing/organizations/adjust-subscription.component.html: 54	Attack Vector
Angular_Improper_Type_Pipe_Usage	/apps/web/src/app/billing/organizations/adjust-subscription.component.html: 18	Attack Vector
Client_Privacy_Violation	/apps/web/src/app/auth/settings/two-factor-verify.component.html: 3	Attack Vector
Unpinned Actions Full Length Commit SHA	/build-browser.yml: 368	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Unpinned Actions Full Length Commit SHA	/build-browser.yml: 409	Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/device-trust-service.factory.ts: 82	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/device-trust-service.factory.ts: 81	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/auth-request-service.factory.ts: 54	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/login-strategy-service.factory.ts: 123	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/pin-crypto-service.factory.ts: 44	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/tools/background/service_factories/import-service.factory.ts: 58	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/platform/background/service-factories/key-generation-service.factory.ts: 23	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/user-verification-service.factory.ts: 75	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/vault/background/service_factories/collection-service.factory.ts: 37	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/cli/src/platform/services/node-env-secure-storage.service.ts: 81	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/background/service-factories/send-service.factory.ts: 50	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/cli/src/platform/services/node-env-secure-storage.service.ts: 62	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/background/service-factories/vault-timeout-service.factory.ts: 97	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/key-connector-service.factory.ts: 70	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/auth/background/service-factories/auth-service.factory.ts: 51	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/background/service-factories/vault-timeout-settings-service.factory.ts: 55	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/vault/background/service_factories/cipher-service.factory.ts: 75	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/platform/background/service-factories/crypto-service.factory.ts: 63	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/vault/background/service_factories/totp-service.factory.ts: 34	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/vault/background/service_factories/folder-service.factory.ts: 42	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/tools/background/service_factories/password-generation-service.factory.ts: 41	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/platform/background/service-factories/encrypt-service.factory.ts: 34	Attack Vector
Use_of_Broken_or_Risky_Cryptographic_Algorithm	/apps/browser/src/background/service-factories/password-generation-service.factory.ts: 41	Attack Vector

Fixed Issues

Severity	Issue	Source File / Package
	Client_DOM_Code_Injection	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Code_Injection	/apps/browser/src/autofill/services/collect-autofill-content.service.ts: 1054
	Client_DOM_Stored_XSS	/apps/web/src/connectors/sso.ts: 33
	Client_DOM_XSS	/apps/browser/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/browser/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/desktop/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/desktop/src/auth/scripts/duo.js: 285
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/common.ts: 2
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 21
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 19
	Client_DOM_XSS	/apps/web/src/connectors/sso.ts: 15
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 315
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 347
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 315
	Absolute_Path_Traversal	/apps/cli/src/commands/serve.command.ts: 347
	Angular_Improper_Type_Pipe_Usage	/apps/browser/src/vault/popup/components/fido2/fido2-use-browser-link.component.html: 1
	Client_Privacy_Violation	/apps/browser/src/background/runtime.background.ts: 313
	Client_Privacy_Violation	/apps/web/src/app/tools/reports/pages/breach-report.component.html: 14
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/apps/browser/src/auth/popup/account-switching/account.component.ts: 12
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 25
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 26
	Client_Privacy_Violation	/apps/desktop/src/auth/lock.component.html: 32
	Client_Privacy_Violation	/apps/web/src/app/auth/lock.component.html: 18
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.ts: 30
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.ts: 138
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.ts: 149
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.ts: 80
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.ts: 70
	Client_Privacy_Violation	/apps/web/src/app/auth/lock.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/auth/lock.component.html: 32
	Client_Privacy_Violation	/apps/web/src/app/auth/recover-two-factor.component.html: 37
	Client_Privacy_Violation	/apps/web/src/app/billing/shared/add-credit.component.html: 46
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 534
	Client_Privacy_Violation	/apps/web/src/connectors/webauthn-fallback.ts: 116
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
	Client_Privacy_Violation	/bitwarden_license/bit-web/src/app/auth/sso/sso.component.ts: 161
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 14
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 60
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 56
	Client_Privacy_Violation	/apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/app/tools/password-generator-history.component.html: 15
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/password-history.component.html: 12
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/view.component.html: 50
	Client_Privacy_Violation	/libs/components/src/color-password/color-password.component.ts: 14
	Client_Privacy_Violation	/apps/browser/src/tools/popup/generator/password-generator-history.component.html: 26
	Client_Privacy_Violation	/apps/browser/src/vault/popup/components/vault/password-history.component.html: 18
	Client_Privacy_Violation	/apps/desktop/src/app/tools/password-generator-history.component.html: 15
	Client_Privacy_Violation	/apps/desktop/src/vault/app/vault/password-history.component.html: 12
	Missing_HSTS_Header	/apps/cli/src/auth/commands/login.command.ts: 707
	SSRF	/libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
	SSRF	/libs/importer/src/importers/lastpass/access/services/rest-client.ts: 69
	Unpinned Actions Full Length Commit SHA	/build-browser.yml: 420
	Unpinned Actions Full Length Commit SHA	/build-browser.yml: 379
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/avatar/avatar.component.ts: 80
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/apps/desktop/src/app/components/avatar.component.ts: 75
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 18
	Angular_Usage_of_Unsafe_DOM_Sanitizer	/libs/components/src/icon/icon.component.ts: 18
	Client_DOM_Open_Redirect	/apps/browser/src/platform/popup/layout/popup-header.component.ts: 29
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/accessibility-cookie.component.html: 18
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 21
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 19
	Client_DOM_Open_Redirect	/apps/web/src/connectors/common.ts: 2
	Client_DOM_Open_Redirect	/apps/web/src/connectors/sso.ts: 15
	Client_DOM_Open_Redirect	/apps/browser/src/tools/popup/generator/password-generator-history.component.ts: 18
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/login-via-auth-request.component.ts: 52
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/login/login-via-auth-request.component.ts: 60
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/account-switching/current-account.component.ts: 35
	Client_DOM_Open_Redirect	/apps/browser/src/auth/popup/account-switching/account.component.ts: 24
	Client_DOM_Open_Redirect	/apps/browser/src/vault/popup/components/vault/password-history.component.ts: 21
	Client_DOM_Open_Redirect	/apps/browser/src/billing/popup/settings/premium.component.ts: 27
	Client_DOM_Open_Redirect	/apps/browser/src/vault/popup/components/vault/attachments.component.ts: 32
	Client_DOM_Open_Redirect	/libs/common/src/auth/iframe-component.ts: 49
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/libs/common/src/auth/webauthn-iframe.ts: 25
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/desktop/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/apps/browser/src/auth/scripts/duo.js: 277
	Client_DOM_Open_Redirect	/libs/common/src/auth/webauthn-iframe.ts: 25

More results are available on AST platform

coroiu added 2 commits May 21, 2024 14:15

wip

394d579

wip

e92741e

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[PM-6271] Propose cipher versioning scheme #9287

[PM-6271] Propose cipher versioning scheme #9287

coroiu commented May 21, 2024

github-actions bot commented May 21, 2024

[PM-6271] Propose cipher versioning scheme #9287

Are you sure you want to change the base?

[PM-6271] Propose cipher versioning scheme #9287

Conversation

coroiu commented May 21, 2024

Type of change

Objective

Before you submit

github-actions bot commented May 21, 2024

New Issues

Fixed Issues