This project is submitted for CodeAlpha Task 2 - Secure Coding Review.
The goal of this task is not to build a vulnerability scanner as the main deliverable, but to:
- select a programming language and application to audit
- perform a secure code review
- identify security weaknesses
- document findings and remediation
- present safer coding recommendations and best practices
For this submission:
- Programming Language: Python
- Application Audited: Lightweight Vulnerability / CVE Scanner
- Review Method: Manual secure code inspection with remediation-focused improvements
So, the scanner is the application under review, while the real focus of the project is the secure coding review process and security improvements.
The audited application is a beginner-friendly Python scanner that performs:
- TCP port probing
- Basic banner grabbing / service detection
- Product and version extraction
- CVE lookups against the NVD 2.0 Vulnerability API
- Console and JSON reporting with severity notes
This tool is for authorized testing only. Banner-based CVE correlation gives possible matches, not confirmed vulnerabilities.
This application is suitable for a secure coding review because it handles several security-sensitive areas:
- user input validation
- network socket communication
- TLS/HTTPS handling
- untrusted remote banner data
- third-party API interaction
- security reporting logic
These areas make it a good example for identifying coding weaknesses and applying secure programming best practices.
The secure code review focused on the following:
- input validation for hosts and ports
- timeout handling for network operations
- safer banner capture and output normalization
- HTTPS/TLS request safety
- defensive error handling for external API calls
- honest and safe reporting of possible vulnerability matches
- reduction of unsafe assumptions in results presentation
The following issues were reviewed and addressed:
- Insufficient validation of host and port input: could lead to malformed scans, unexpected crashes, or misuse.
- Missing or weak timeout controls: could cause the application to hang on slow or filtered targets.
- Unsafe or excessive banner reading: remote services may return untrusted or oversized data.
- Weak handling of HTTPS/TLS probing: improper handling can result in unstable behavior or misleading results.
- Inadequate error handling around NVD API requests: external service failures should not break the whole tool.
- Risk of overstating possible CVE matches as confirmed vulnerabilities: this is a reporting and integrity issue in security tooling.
- Poor normalization of remote output: raw banner data may contain control characters or unreadable output.
- Potential over-scanning through large custom port lists: a lightweight tool should limit excessive scans for safety and predictability.
To make the application safer, the following improvements were applied:
- strict validation of host input
- port range validation and duplicate removal
- cap on the number of scanned ports
- timeout-based socket operations
- controlled banner read size
- normalized single-line banner output
- defensive handling of SSL/TLS exceptions
- fail-safe NVD API request handling
- use of environment variables for API keys instead of hardcoding secrets
- clearer wording such as possible CVE matches instead of confirmed findings
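The following module is an added example written for this review; it is not the project's own scanner.py, whose source is not reproduced here. It shows the input-validation, port-cap, timeout, bounded-read, banner-normalization and TLS-exception handling improvements listed above in one place. The limits `MAX_PORTS`, `MAX_BANNER_BYTES` and `MAX_BANNER_CHARS`, the function names, and the choice of an HTTP `HEAD` probe on web ports are assumptions, not values taken from the reviewed code.

```python
import ipaddress
import re
import socket
import ssl

# Limits assumed for this example; the reviewed scanner's own values are not shown.
MAX_PORTS = 64            # cap on the number of scanned ports
MAX_BANNER_BYTES = 1024   # controlled banner read size (bytes read from the socket)
MAX_BANNER_CHARS = 120    # length of the normalized single-line banner

# One hostname label: letters, digits and inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def validate_host(host: str) -> str:
    """Return a canonical host (IP literal or hostname) or raise ValueError."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))      # accepts IPv4 and IPv6 literals
    except ValueError:
        pass
    trimmed = host.rstrip(".")
    labels = trimmed.split(".")
    if 0 < len(trimmed) <= 253 and all(LABEL_RE.match(label) for label in labels):
        return trimmed.lower()
    raise ValueError(f"invalid host: {host!r}")


def parse_ports(spec: str, limit: int = MAX_PORTS) -> list:
    """Parse '22,80,443' into validated, de-duplicated ports and enforce the scan cap."""
    ports = []
    seen = set()
    for token in spec.split(","):
        token = token.strip()
        if not token.isdigit():
            raise ValueError(f"invalid port: {token!r}")
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if port in seen:
            continue                                # duplicate removal, first occurrence kept
        seen.add(port)
        ports.append(port)
        if len(ports) > limit:
            raise ValueError(f"too many ports: more than {limit} requested")
    return ports


def check_target(host: str, ports_spec: str) -> dict:
    """Validate both inputs up front and collect every problem instead of crashing mid-scan."""
    result = {"ok": True, "host": None, "ports": [], "errors": []}
    for field, fn, arg in (("host", validate_host, host), ("ports", parse_ports, ports_spec)):
        try:
            result[field] = fn(arg)
        except ValueError as exc:
            result["ok"] = False
            result["errors"].append(str(exc))
    return result


def normalize_banner(raw: bytes) -> str:
    """Bound, decode and flatten untrusted banner bytes into one printable line."""
    text = raw[:MAX_BANNER_BYTES].decode("utf-8", errors="replace")
    text = "".join(ch if ch.isprintable() else " " for ch in text)   # drop control characters
    return " ".join(text.split())[:MAX_BANNER_CHARS]                  # collapse whitespace, truncate


def grab_banner(host: str, port: int, timeout: float = 3.0, use_tls: bool = False):
    """Connect with a timeout, optionally wrap in TLS, and read a bounded banner.

    Returns None for closed/filtered/unreachable ports, a short marker string for
    TLS failures, and the normalized banner otherwise. `host` must already have
    passed validate_host so the HEAD request below cannot carry injected CRLFs.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        sock.settimeout(timeout)                    # applies to handshake, send and recv
        if use_tls:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
        if port in (80, 443, 8080, 8443):           # assumed web ports: elicit a response header
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii", "ignore"))
        data = sock.recv(MAX_BANNER_BYTES)
    except ssl.SSLError as exc:                     # handshake/verification problems are reported, not fatal
        return f"<tls error: {type(exc).__name__}>"
    except OSError:                                 # includes socket timeouts and resets
        return None
    finally:
        sock.close()
    return normalize_banner(data)


if __name__ == "__main__":
    target = check_target("scanme.nmap.org", "22,80,443,80")
    print(target)
    if target["ok"]:
        for p in target["ports"]:
            print(p, grab_banner(target["host"], p, use_tls=(p == 443)))
```

`check_target` is the piece a CLI entry point would call before any socket is opened: it rejects hosts containing whitespace or control characters (so the `Host:` header cannot be manipulated), rejects port tokens that are not plain integers in 1-65535, drops duplicates, and refuses lists longer than the cap. `grab_banner` never lets a TLS or socket error escape; it turns both into report values so one bad port cannot abort the whole scan.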
This project demonstrates the following secure coding principles:
- validate all external input
- treat network data as untrusted
- apply timeouts to remote operations
- minimize unnecessary exposure to remote content
- fail safely when external services are unavailable
- avoid hardcoded credentials or secrets
- avoid unsafe shell execution when Python libraries are sufficient
- communicate uncertainty honestly in security findings
vuln_cve_scanner_project/
├── scanner.py
├── README.md
├── requirements.txt
└── SECURE_CODING_REVIEW.md
- scanner.py: the Python application selected for review.
- SECURE_CODING_REVIEW.md: the main review document containing:
  - review objective
  - audit scope
  - identified issues
  - remediation steps
  - secure coding recommendations
  - conclusion
- README.md: project overview for the internship repository.
- requirements.txt: dependency list for the project.
- Connect to the target host on selected ports.
- Check whether the port is open.
- Capture a service banner or HTTP response header when possible.
- Parse possible product and version information.
- Query the NVD CVE API for likely matches.
- Print a triage-friendly report with severity notes.
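The NVD lookup and reporting steps above, written as an added example that is not the project's own code. It uses the real NVD 2.0 endpoint (`https://services.nvd.nist.gov/rest/json/cves/2.0`), its documented `keywordSearch` query parameter and `apiKey` header, and the `vulnerabilities[].cve.id` / `metrics.cvssMetricV31[].cvssData` response layout; the `NVD_API_KEY` environment variable is the one named in this README. The function names, the `MAX_RESPONSE_BYTES` bound, the injectable `fetch` parameter (used so the logic can be exercised offline) and the sample payload are assumptions constructed for the example.

```python
import json
import os
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

NVD_URL = "https://services.nvd.nist.gov/rest/json/cves/2.0"
MAX_RESPONSE_BYTES = 2_000_000   # assumed bound on the body we are willing to parse


def build_request(product: str, version: str, api_key: Optional[str]) -> urllib.request.Request:
    """Build the NVD keyword query; the key travels in a header, never in the URL."""
    query = urllib.parse.urlencode({"keywordSearch": f"{product} {version}", "resultsPerPage": 20})
    headers = {"User-Agent": "secure-coding-review-example/0.1"}
    if api_key:
        headers["apiKey"] = api_key
    return urllib.request.Request(f"{NVD_URL}?{query}", headers=headers)


def fetch_nvd(req: urllib.request.Request, timeout: float = 10.0) -> dict:
    """Live fetcher: HTTPS with certificate verification (urllib default), a timeout, a bounded read."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read(MAX_RESPONSE_BYTES).decode("utf-8"))


def extract_matches(payload) -> list:
    """Pull (id, severity, score) from an NVD 2.0 response without trusting its shape."""
    matches = []
    if not isinstance(payload, dict):
        return matches
    for item in payload.get("vulnerabilities") or []:
        cve = item.get("cve") if isinstance(item, dict) else None
        if not isinstance(cve, dict):
            continue
        cve_id = cve.get("id")
        if not isinstance(cve_id, str) or not cve_id.startswith("CVE-"):
            continue
        score, severity = None, "UNKNOWN"
        metrics = cve.get("metrics") if isinstance(cve.get("metrics"), dict) else {}
        for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):   # newest CVSS first
            entries = metrics.get(key) or []
            if entries and isinstance(entries[0], dict):
                data = entries[0].get("cvssData") or {}
                score = data.get("baseScore")
                # v3 carries baseSeverity inside cvssData, v2 carries it beside it
                severity = data.get("baseSeverity") or entries[0].get("baseSeverity") or "UNKNOWN"
                break
        matches.append({"id": cve_id, "severity": severity, "score": score})
    return matches


def lookup_cves(product: str, version: str, fetch=fetch_nvd) -> dict:
    """Fail-safe lookup: any network, HTTP, timeout or decode failure yields an empty result."""
    api_key = os.environ.get("NVD_API_KEY")      # never hardcoded; absent key just means lower rate limit
    req = build_request(product, version, api_key)
    try:
        payload = fetch(req)
    except (urllib.error.URLError, ValueError, OSError) as exc:
        # Report only the exception class: the request object holds the API key.
        return {"status": f"lookup failed: {type(exc).__name__}", "matches": []}
    return {"status": "ok", "matches": extract_matches(payload)}


def format_matches(result: dict) -> str:
    """Render the result with wording that does not overstate banner-based correlation."""
    if result["status"] != "ok":
        return f"CVE lookup unavailable ({result['status']}); no conclusion drawn."
    if not result["matches"]:
        return "No possible CVE matches returned (this is not proof of absence)."
    lines = ["Possible CVE Matches (banner-based, unconfirmed):"]
    for m in result["matches"]:
        score = "n/a" if m["score"] is None else m["score"]
        lines.append(f"- {m['id']} | {m['severity']} | score {score}")
    return "\n".join(lines)


# Constructed sample response in the NVD 2.0 layout, using the CVE quoted in this README.
SAMPLE_PAYLOAD = {"vulnerabilities": [{"cve": {"id": "CVE-2021-41773", "metrics": {
    "cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}}]}

if __name__ == "__main__":
    print(format_matches(lookup_cves("Apache HTTP Server", "2.4.49", fetch=lambda req: SAMPLE_PAYLOAD)))
```

Two points worth noticing: the error path returns a result object rather than raising, so a throttled or unreachable NVD degrades one port's report instead of killing the scan, and the failure message deliberately omits the request (URL and headers) so the API key cannot end up in console or JSON output.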
Install dependencies:
```bash
pip install -r requirements.txt
```

Scan common ports:

```bash
python scanner.py scanme.nmap.org --top
```

Scan custom ports:

```bash
python scanner.py example.com --ports 22,80,443
```

Write a JSON report:

```bash
python scanner.py example.com --ports 22,80,443 --json report.json
```

Optional NVD API key (Linux/macOS shell):

```bash
export NVD_API_KEY="your_key_here"
python scanner.py example.com --ports 80,443
```

Optional NVD API key (Windows PowerShell):

```powershell
$env:NVD_API_KEY="your_key_here"
python scanner.py example.com --ports 80,443
```

Example output:

```
[Port 80] http
Banner: HTTP/1.1 200 OK
Detected Product: Apache HTTP Server
Detected Version: 2.4.49
Detection Note: Detected from HTTP Server header.
Possible CVE Matches:
- CVE-2021-41773 | CRITICAL | score 9.8
```
This submission fits CodeAlpha Task 2: Secure Coding Review because it clearly includes:
- a selected language and application to audit
- manual review of source code for security weaknesses
- identification of vulnerabilities and risky coding practices
- remediation recommendations and safer coding measures
- written documentation of findings and improvements
The main deliverable is therefore the secure coding review, while the scanner serves as the reviewed Python application.
- add structured logging with log levels
- add retry/backoff support for API throttling
- add unit tests for parsing and validation
- improve version-to-CPE matching accuracy
- add asynchronous scanning with concurrency limits
- export HTML review summaries
If you upload this to GitHub, present it as:
CodeAlpha Internship - Task 2: Secure Coding Review of a Lightweight Vulnerability / CVE Scanner
That title makes the internship task clear and prevents it from looking like a plain vulnerability scanner project.