horusec:fix - Errors reported in v2.8.0-beta.1 (#1050)
In this commit I made some changes to the code to improve the identification and generation of vulnerabilities pointed out by Horusec.

* Now when Horusec identifies that there are duplicate hashes in its analysis by the same tool, all vulnerability descriptions will be grouped by the `(x/x) Possible vulnerability detected:` separator, demonstrating the amount of vulnerabilities that hash generated.
* The `Details` field will be the last to be shown in each problem reported by Horusec in order to improve the experience and identification.
* Tools like `DotnetCLI, BundlerAudit, Trivy, Safety, Nancy` were pointing out multiple vulnerabilities with the same hash because they couldn't find the exact line that contains the vulnerability. So an improvement has been implemented where using the `file.GetDependencyInfo` method will be a better way to identify the vulnerability.
* The `Trivy` tool was reporting problems finding the exact line, so we noticed that when running the analysis on infrastructure configuration files the tool returns the line that has the problem, so now it can be more assertive with this improvement.
* The `BundlerAudit` tool was quite complex in identifying vulnerabilities and with complex treatments, so we made an improvement so that the tool's output is in json format, so we will have better control of the information shown.
* Tool versions update:
  * horuszup/horusec-generic updated to v1.2.0
  * semgrep updated to v0.85.0 version
  * owasp-dependency-check updated to v6.5.3
  * updated trivy to v0.24.4 version
  * horuszup/horusec-go updated to v1.3.0
  * nancy updated to version v1.0.33
  * gosec updated to v2.11.0 version
  * horuszup/horusec-python updated to v1.0.1 version
  * updated bandit to v1.7.4 version
  * horuszup/horusec-ruby updated to v1.2.0
  * Ruby updated to v3.1-alpine version
* The e2e tests broke due to the joining of the hashes, so now they are more assertive, and I made an improvement in the test of the `Gitleaks` tool because validating that the tool was not running was not a good practice. But to run e2e tests in the `../horusec-examples-vulnerabilities` directory there must be [our test repository](https://github.com/ZupIT/horusec-examples-vulnerabilities).

Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>
(cherry picked from commit 4ff44db)
Signed-off-by: Wilian Gabriel <wilian.silva@zup.com.br>
1 parent a615329, commit e8eb1ba. Showing 37 changed files with 10,272 additions and 564 deletions.