Sure, it is inspired by bandit, which is used to find common security issues (CWE). I am thinking about whether it is possible to develop a similar tool (even a small one).
Like a test report:
Test results:
>> Issue: [B605:start_process_with_a_shell] Starting a process with a shell, possible injection detected, security issue.
Severity: High Confidence: High
CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
Location: linuxcmd.py:38:17
More Info: https://bandit.readthedocs.io/en/1.7.4/plugins/b605_start_process_with_a_shell.html
37
38 os.system("mkdir "+fold_name)
Then, for the reporting purpose in #42, it is much easier to use a number in the report. CWE is the common one, but I am also OK if we have a plan for ERL-SWG-001 (sample).
In order to make it easy for testing (or for non-Erlang experts), it would be good to have some sample code in a folder somewhere to verify against: erl-secure --scan *.erl. Surely good sample code is always great for a guideline, to understand the rules.
There are small segments for each secure rule; is it possible to add more complete code samples?
It would be good if we had one folder:
<rule1>_problem.erl
<rule1>_correct.erl
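As an added illustration of what the comment above proposes (this is example code written for this page, not the project's tool or the commenter's code), the block below is a minimal bandit-style scanner prototype in Python, chosen because bandit itself is Python. It embeds a constructed `<rule>_problem.erl` / `<rule>_correct.erl` pair for one rule, flags `os:cmd/1` calls whose command string is built at runtime (the Erlang counterpart of the `os.system("mkdir " + fold_name)` finding in the bandit report), and prints a report in the same layout. The rule id `ERL-SWG-001`, the rule name, the file names and the "dynamic string" heuristic (`++`, `io_lib:format`, `lists:concat` on the same line) are all assumptions made for the example; a real implementation would parse the source rather than match lines.

```python
"""Minimal bandit-style scanner prototype for Erlang source files (constructed example)."""
import re
from dataclasses import dataclass

# Constructed sample pair following the proposed <rule>_problem.erl / <rule>_correct.erl layout.
SAMPLE_FILES = {
    "os_cmd_injection_problem.erl": """-module(os_cmd_injection_problem).
-export([mkdir/1]).

%% The folder name comes from the caller and is concatenated into a shell command.
mkdir(FoldName) ->
    os:cmd("mkdir " ++ FoldName).
""",
    "os_cmd_injection_correct.erl": """-module(os_cmd_injection_correct).
-export([mkdir/1]).

%% Use the file API instead of spawning a shell; no command string is built at all.
mkdir(FoldName) ->
    file:make_dir(FoldName).
""",
}

# Rule table. The id follows the ERL-SWG-NNN sample from the discussion (assumed numbering);
# the CWE id and URL are the same ones bandit reports for shell injection.
RULES = {
    "ERL-SWG-001": {
        "name": "os_cmd_with_dynamic_command",
        "cwe": "CWE-78",
        "cwe_url": "https://cwe.mitre.org/data/definitions/78.html",
        "severity": "High",
        "confidence": "High",
        "message": "os:cmd/1 called with a command string built at runtime; possible shell injection.",
        "call": re.compile(r"os:cmd\s*\("),
        # Heuristic markers of runtime string construction in the call argument.
        "dynamic": re.compile(r"\+\+|io_lib:format\s*\(|lists:concat\s*\("),
    }
}


@dataclass
class Finding:
    rule_id: str
    filename: str
    line: int   # 1-based line number, as bandit reports it
    col: int    # 0-based column of the call, as bandit's col_offset


def scan_source(filename, source):
    """Scan one file's text line by line and return the findings for every rule."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("%"):      # skip full-line Erlang comments
            continue
        for rule_id, rule in RULES.items():
            call = rule["call"].search(line)
            # Flag only when the argument text after the call shows runtime construction;
            # a constant command string such as os:cmd("ls") is not reported.
            if call and rule["dynamic"].search(line[call.end():]):
                findings.append(Finding(rule_id, filename, lineno, call.start()))
    return findings


def scan_files(files):
    """Scan a {filename: source} mapping (what `erl-secure --scan *.erl` would read from disk)."""
    findings = []
    for name, source in files.items():
        findings.extend(scan_source(name, source))
    return findings


def format_report(findings, files, context=2):
    """Render findings in the same layout as the bandit report quoted in the discussion."""
    out = ["Test results:"]
    for f in findings:
        rule = RULES[f.rule_id]
        out.append(f">> Issue: [{f.rule_id}:{rule['name']}] {rule['message']}")
        out.append(f"   Severity: {rule['severity']}   Confidence: {rule['confidence']}")
        out.append(f"   CWE: {rule['cwe']} ({rule['cwe_url']})")
        out.append(f"   Location: {f.filename}:{f.line}:{f.col}")
        lines = files[f.filename].splitlines()
        for n in range(max(1, f.line - context + 1), f.line + 1):
            out.append(f"   {n}\t{lines[n - 1]}")
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(scan_files(SAMPLE_FILES), SAMPLE_FILES))
```

Running the block reports exactly one issue, at line 6 of the `_problem.erl` sample, and nothing for the `_correct.erl` sample; that pair is the kind of fixture the comment asks for, since it lets a non-Erlang reader check a rule by running the scanner over both files and expecting one hit and one clean result.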