Bad sonar security rating #14949
Comments
atomfrede
added
theme: java
theme: sonar
area: enhancement 🔧
and removed
area: triage
theme: undefined
labels
deepu105
added
$$ bug-bounty $$
|
I tried to forge some logs and succeeded. Running locally you can easily see the entry has been forged as it is not colored, but inside a log file or some other tool that would not be possible. So I tried OWASP easpi to encode it, but didn't have something working here. |
|
I have managed to configured https://github.com/javabeanz/owasp-security-logging with the owasp filter documented here https://github.com/javabeanz/owasp-security-logging/wiki/Log-Forging It looks like this. Maybe we should only enabled it in production as the nice "table like" log gets broken of course. You can see how the line break is replaced by the owasp clrf filter:
Basically this requires defining the clrf filter in |
|
This issue is stale because it has been open 30 days with no activity. |
|
Keep it open |
|
This issue is stale because it has been open 30 days with no activity. |
|
Keep it open |
|
Just cloned the source code for the project and ran a sonar analysis with sonarqube-9.0.1.46107 for windows x64 with the defaults/ sonar quality gates. I don't see any security issues... Am I missing something? Is the project on sonar cloud? If it is could you provide the url? |
|
It's the generated sample app not the generator code itself. It is on sonar cloud here https://sonarcloud.io/dashboard?id=jhipster-sample-application |
So it has nothing to do with the code under https://github.com/jhipster/jhipster-sample-app ? |
|
It is exactly that project, you are right. |
|
But in fact the rating has changed from |
|
It is seriously weird... The scan I performed is a couple of hrs old and the code was checked out may be at the same time. |
|
BankAccountQueryService class is neither in master nor in main branch. I think the code comes from a different repository. |
|
This issue is stale because it has been open 30 days with no activity. |
|
Keep it open |
|
I think that https://sonarcloud.io/dashboard?id=jhipster-sample-application is failing now just on code coverage. What am I missing...? |
As I have pointed out in my last message the project has moved on, some classes were deleted and refactored so that the screenshot used as info for the issue is no longer relevant. The devs refuse to accept it apparently... :D IMHO the issue should be closed. |
|
This issue is stale because it has been open 30 days with no activity. |
|
Probably it's because the Sonar analysis is broken since June:
|
|
Coming back to this. The issue still exists, but the vulnerabilities are now minor (B). Nevertheless log forging is still possible, while I suppose a lot of people are using json based/structured logging instead of plain pattern layouts, not sure we must do something about it. We could document it more clearly in "going to production" and ignore the sonar issues. |
Overview of the issue
Because of a change in the sonar rulesets we have now just a B in terms of security in our sample application.
The issue is imho not severe (maybe we can also exclude/ignore it), but we should do something about the red quality gate.
The text was updated successfully, but these errors were encountered: