Static Analysis - Code Review

For the past two years, a new standard has been required by cyber security entities in both the public and private sectors: we can't use any product without it passing a high-profile static analysis scan.

I scanned Cockpit v1 & v2 using SonarQube, and both versions failed and are not ready for production. It may also get worse if I use a commercial code review tool like Veracode.

My question is: is there any plan for that, since Cockpit aims to go commercial with a pro version?

Hi!

Thank you for bringing this up. Cockpit v1 was already audited by an external security agency within a customer project without any major issues.

All reported security issues for v1/v2 (mostly via https://huntr.dev) were most of the time fixed within 1-2 days of being reported.

Regarding the mentioned static analysis:

For Cockpit we use https://deepsource.io. And the only security-relevant finding is the use of the md5 function. But as an automated tool, the analysis scanner has no clue about the context.

The md5 function is used as a fast hashing algorithm to generate hashed names for caching. Totally irrelevant regarding security concerns. Still, the scanner marks the usage as an issue due to the usage of an insecure hashing function (for passwords). :man_shrugging:

I don’t know about your findings. But I’m happy to look at them.

Greets
Artur
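The md5-for-cache-names pattern discussed above, as an added example that is not Cockpit's own code: the md5 version sits beside a drop-in replacement that a "weak hash" rule will not report, and the comment records why the hash choice is not a security property in this use. Function names and the sample request array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Cockpit's code. Function names and the request array
// below are made up for illustration.

/**
 * Cache file name derived from a request description.
 * Requirements here: deterministic, fixed length, filesystem-safe characters.
 * Collision resistance against an attacker is not one of them, so md5 is
 * adequate. A SAST rule still reports it because it only sees the call.
 */
function cacheKeyMd5(array $request): string
{
    return md5(serialize($request));
}

/**
 * Same contract, same key length (32 hex chars), but built on sha256.
 * Nothing in the cache depends on the exact digest, so swapping the algorithm
 * changes no behaviour and removes the finding instead of suppressing it.
 */
function cacheKeySha256(array $request): string
{
    return substr(hash('sha256', serialize($request)), 0, 32);
}

/**
 * Absolute path of the cache entry. The key never leaves the filesystem name
 * and is never compared against a client-supplied value; that is the property
 * that makes the hash choice a non-issue, and stating it here gives the next
 * scan report a concrete answer.
 */
function cacheFile(string $cacheDir, array $request): string
{
    return $cacheDir . DIRECTORY_SEPARATOR . cacheKeySha256($request) . '.cache';
}

// Constructed sample request, the kind of array a collection query produces
$request = ['collection' => 'posts', 'filter' => ['published' => true], 'limit' => 10];

// Equal input gives an equal name; a different limit gives a different name
assert(cacheKeySha256($request) === cacheKeySha256($request));
assert(cacheKeySha256($request) !== cacheKeySha256(['limit' => 11] + $request));
assert(preg_match('/^[0-9a-f]{32}$/', cacheKeyMd5($request)) === 1);
assert(preg_match('/^[0-9a-f]{32}$/', cacheKeySha256($request)) === 1);

echo cacheFile(sys_get_temp_dir(), $request), PHP_EOL;
```

When a scan gate cannot be argued with, the sha256 variant is the cheaper path: it keeps the 32-character key and the existing cache layout, so no entries need to be invalidated for any reason other than the algorithm change itself.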

Sorry for being late to reply, I got the flu :sneezing_face:

Just now I tested the latest version and it shows it passed the quality gate.

Check the screenshot.

SonarQube has its own standard and is legacy-code friendly; if you go for Veracode it will definitely fail, because you are using the evaluation function (eval) in your code.

Best Regards

eval is only used in MongoLite (a SQLite-based alternative to MongoDB). It should be pretty safe, because the REST API only supports arrays and an input check is also done.

All security issues reported regarding the usage of eval in the MongoLite lib were already fixed in the past.

If you use MongoDB as Cockpit's data source (which I would always recommend for enterprise/larger production projects), then the lib will never be loaded or used.
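The post above describes array-only input plus an input check as the guard around eval. As an added example, not MongoLite's or Cockpit's implementation, here is how an array-shaped filter of the kind a REST body carries can be evaluated against a document with an explicit operator allow-list and no eval at all, which is the form a Veracode-style gate accepts without discussion. The class name, the supported operator set, the field-name pattern and the sample documents are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not MongoLite's code. Class name, operator set, field-name
// rule and the sample data are made up for illustration.

final class FilterMatcher
{
    /** Operators are an explicit allow-list; anything else is rejected up front. */
    private const OPERATORS = ['$eq', '$ne', '$gt', '$gte', '$lt', '$lte', '$in'];

    /** Reject the whole filter before any value is compared. */
    public static function validate(array $filter): void
    {
        foreach ($filter as $field => $criteria) {
            if (!is_string($field) || !preg_match('/^[A-Za-z_][A-Za-z0-9_.]*$/', $field)) {
                throw new InvalidArgumentException('Invalid field name: ' . var_export($field, true));
            }
            if (!is_array($criteria)) {
                continue; // plain value means equality
            }
            foreach ($criteria as $op => $value) {
                if (!in_array($op, self::OPERATORS, true)) {
                    throw new InvalidArgumentException('Unsupported operator: ' . var_export($op, true));
                }
                if ($op === '$in' && !is_array($value)) {
                    throw new InvalidArgumentException('$in expects an array');
                }
            }
        }
    }

    /** True when every criterion in $filter holds for $doc. */
    public static function matches(array $doc, array $filter): bool
    {
        self::validate($filter);
        foreach ($filter as $field => $criteria) {
            $actual = self::lookup($doc, $field);
            if (!is_array($criteria)) {
                if ($actual !== $criteria) {
                    return false;
                }
                continue;
            }
            foreach ($criteria as $op => $expected) {
                if (!self::compare($op, $actual, $expected)) {
                    return false;
                }
            }
        }
        return true;
    }

    /** Dotted-path lookup; a missing segment yields null rather than an error. */
    private static function lookup(array $doc, string $path)
    {
        foreach (explode('.', $path) as $part) {
            if (!is_array($doc) || !array_key_exists($part, $doc)) {
                return null;
            }
            $doc = $doc[$part];
        }
        return $doc;
    }

    /** Each operator maps to a fixed comparison; no code is built from input. */
    private static function compare(string $op, $actual, $expected): bool
    {
        switch ($op) {
            case '$eq':  return $actual === $expected;
            case '$ne':  return $actual !== $expected;
            case '$gt':  return $actual !== null && $actual >  $expected;
            case '$gte': return $actual !== null && $actual >= $expected;
            case '$lt':  return $actual !== null && $actual <  $expected;
            case '$lte': return $actual !== null && $actual <= $expected;
            case '$in':  return in_array($actual, $expected, true);
        }
        return false;
    }
}

// Constructed sample documents and a filter shaped like a REST request body
$docs = [
    ['name' => 'Ann', 'age' => 34, 'meta' => ['published' => true]],
    ['name' => 'Bob', 'age' => 17, 'meta' => ['published' => true]],
    ['name' => 'Cid', 'age' => 40, 'meta' => ['published' => false]],
];
$filter = ['age' => ['$gt' => 18], 'meta.published' => true];
$hits = array_values(array_filter($docs, fn(array $d) => FilterMatcher::matches($d, $filter)));
echo implode(', ', array_column($hits, 'name')), PHP_EOL; // Ann

// An operator outside the allow-list is rejected before anything is evaluated.
try {
    FilterMatcher::matches($docs[0], ['name' => ['$where' => '1']]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point a scanner cannot see but a reviewer can: with this shape, no string from the request ever becomes PHP source, so there is nothing for an input check to miss. The trade-off is that every operator has to be written by hand, which is exactly the constraint that keeps the attack surface enumerable.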

eval is just one sample case.

I really do understand what you are talking about, and static analysis shouldn't be taken to that high a level of concern, since it doesn't get into the code context; as you mentioned previously, it's just a blind text scan.

But unfortunately we are facing a war in the public & private sectors, especially after the coronavirus period; all those companies are pushing to make business. In my situation I have been struggling for almost 2 years to push several projects to production, and the cyber security entity is refusing because of these things, and we were talking to scan operators instead of programmers.

I spent 10 months making a CMS with an incremental static generator that auto-pushes to AWS S3, and I couldn't deploy it to production because of this matter. :neutral_face:

Anyway, thank you for everything :heartpulse:
