Line numbers in the output don't match the line numbers in the source code #37
Comments
Hi @abhi06991, Sorry for this error. I made a change and I believe that now the numbers will be closer to correct. Can you check and tell me if it has improved? Thank you! |
Hi @htrgouvea, Thanks for working on this. But, the issue still exists, couldn't see much improvement. Some results from the latest scan - Also, just for your information, I am not using the GitHub action for Zarn from the marketplace. I am manually cloning the repo and using the tool, like this (hopefully I am using the tool the right way) - |
Hi @abhi06991, Lines 23 to 24 in 4cf284d
I believe that now this is the only reason that the lines in the findings are wrong. I can remove this functionality. We're going to lose a little bit of performance but I think it's okay. |
I commented on these resources and uploaded new code to the To do this it would be something like:
Thanks. |
Just tested this out, I guess something got messed up. Previously Zarn was showing 17 vulnerabilities, now it's giving 50 vulnerabilities. Many vulnerabilities are getting duplicated with different random line numbers. Attached the output result with the comment |
@abhi06991 Could I take a look at your rules file too? Since they are custom rules, this would help me understand better. |
sure, pls check this - |
Hi @htrgouvea, I had the same issue today and the modifications in the development branch fixed it. |
Hi folks, I deployed the develop code to the main branch. @abhi06991 I believe your problem now is with the custom rules, I'm investigating more this part. |
I'll implement a different response, with more details. The lines still won't be 100% accurate, but I believe it will improve. I'll let you know soon. |
thx for your effort! Great work! |
Something is not working with the main branch. 1st, the development branch from 2 days ago (looking good):
2nd, the main branch from today (produces wrong output): |
brings you to the state with correct line numbers |
@m-1-k-3 This version of the code was when I disabled the feature that ignores comment lines and blank lines, however leaving the comments lines present, the number of false positives started to increase. So I reactivated the functionality. |
Hi folks, The line number of the function that has the vulnerability remains an approximate number. This happens because ZARN removes all comments from the file, this helps to reduce the number of false positives. To help, ZARN's output now also has the line number of the variable that is possibly controlled by the attacker, the payload delivery point. This number is an exact number. I believe this can help. Thank you all. |
I understand your point but the temp fixed version shows (as far as I have seen) only FP in comments and this should be quite easy to detect and remove from the results. Wouldn't this work? |
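The two approaches discussed in this thread, blanking comment lines instead of deleting them so the index of every surviving line is still its real line number, and scanning the raw file and then discarding findings that land on comment lines, can both be shown with a few lines of Python. This is an added illustration, not Zarn's code: the Perl sample, the `system(` rule and the comment/POD detection (full-line `#` comments, `=pod`/`=cut` blocks and blank lines; `#` inside strings or heredocs is deliberately not handled) are all constructed for the example.

```python
import re

# Constructed Perl sample (not the file attached to this issue). Line 3 mentions
# system() in a comment, line 8 calls it inside a POD block, line 14 is the real one.
SAMPLE_PERL = """#!/usr/bin/perl
use strict;
# system() with user input: dangerous pattern
my $cmd = $ARGV[0];

=pod

system("ls $cmd");   # example inside POD, must not be reported

=cut

sub run {
    my ($input) = @_;
    system("ls $input");
}
"""

COMMENT_RE = re.compile(r"^\s*#")        # full-line '#' comment (also matches the shebang)
POD_START_RE = re.compile(r"^=[a-zA-Z]")  # '=pod', '=head1', ... at column 0
POD_END_RE = re.compile(r"^=cut\b")
RULE = re.compile(r"\bsystem\s*\(")       # constructed rule of the kind a rules file carries


def classify(source):
    """Return [(line_no, text, ignored)] for every line, 1-indexed.

    ignored is True for blank lines, full-line '#' comments and POD blocks.
    Heuristic only: a '#' inside a string or heredoc is not recognised.
    """
    out, in_pod = [], False
    for no, text in enumerate(source.splitlines(), start=1):
        if in_pod:
            out.append((no, text, True))
            if POD_END_RE.match(text):
                in_pod = False
        elif POD_START_RE.match(text):
            in_pod = True
            out.append((no, text, True))
        else:
            ignored = text.strip() == "" or bool(COMMENT_RE.match(text))
            out.append((no, text, ignored))
    return out


def scan_naive(source, rule=RULE):
    """Delete ignorable lines, then scan: the reported number is an index into
    the shrunken file, which is why it drifts from the real line number."""
    kept = [text for _, text, ignored in classify(source) if not ignored]
    return [no for no, text in enumerate(kept, start=1) if rule.search(text)]


def scan_preserving(source, rule=RULE):
    """Blank ignorable lines instead of deleting them: comments still cannot
    match, and the index of every line is still its real line number."""
    kept = ["" if ignored else text for _, text, ignored in classify(source)]
    return [no for no, text in enumerate(kept, start=1) if rule.search(text)]


def scan_raw(source, rule=RULE):
    """Scan the untouched file: exact line numbers, but comments produce findings."""
    return [no for no, text in enumerate(source.splitlines(), start=1) if rule.search(text)]


def filter_comment_findings(source, findings):
    """The other option from the thread: keep exact numbers from scan_raw and
    drop any finding whose line is a comment, POD or blank line."""
    ignorable = {no for no, _, ignored in classify(source) if ignored}
    return [no for no in findings if no not in ignorable]


if __name__ == "__main__":
    print("naive (comments deleted):     ", scan_naive(SAMPLE_PERL))
    print("raw (nothing stripped):       ", scan_raw(SAMPLE_PERL))
    print("preserving (comments blanked):", scan_preserving(SAMPLE_PERL))
    print("raw + comment filter:         ", filter_comment_findings(SAMPLE_PERL, scan_raw(SAMPLE_PERL)))
```

Run on the sample, the naive scan reports line 5, the raw scan reports lines 3, 8 and 14, and both the preserving scan and the filtered raw scan report only line 14, the real call site. Blanking rather than deleting costs nothing in matching, since an empty line cannot match any rule, so the false-positive reduction the maintainer describes is kept while the numbers stay exact.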
Hi,
I was testing out this tool and it works really well, it's able to find the issues if the patterns from the rules config file are matched, but the line numbers that come with the output don't match the line numbers from the source code. This could be a bit frustrating for the developers/security analysts while going through the results. I am attaching the sample file that was tested and also the results that the tool gave as a zip file.
Any fix regarding this would be great!
Thanks
zarn files.zip