Code Security Report: 14 high severity findings, 15 total findings [main]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2025-03-25 05:02pm
Total Findings: 15 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 140
Detected Programming Languages: 2 (Go, Python)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	File Manipulation	CWE-73	block_cache_linux.go:979	1	2024-09-13 04:56pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 974 to 979 in e7989f2 } // Dump this block to local disk cache f, err := os.Create(localPath) if err == nil { _, err := f.Write(item.block.data[:n]) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in e7989f2 f, err := os.Open(localPath) cloudfuse/component/block_cache/block_cache_linux.go Line 919 in e7989f2 n, err := f.Read(item.block.data) cloudfuse/component/block_cache/block_cache_linux.go Line 979 in e7989f2 _, err := f.Write(item.block.data[:n]) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure Directory Permissions	CWE-732	mount_all.go:343	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 338 to 343 in e7989f2 if options.SecureConfig { contConfigFile = contConfigFile + SecureConfigExtension } if _, err := os.Stat(contMountPath); os.IsNotExist(err) { err = os.MkdirAll(contMountPath, 0777) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 343 in e7989f2 err = os.MkdirAll(contMountPath, 0777) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Path/Directory Traversal	CWE-22	write.py:16	2	2025-01-15 03:31pm
Vulnerable Code cloudfuse/perf_testing/scripts/write.py Lines 11 to 16 in e7989f2 bytes_written = 0 data = os.urandom(blockSize) t1 = time.time() fd = open(os.path.join(mountpath, 'application_'+size+'.data'), 'wb') 2 Data Flow/s detected View Data Flow 1 cloudfuse/perf_testing/scripts/write.py Line 7 in e7989f2 size = sys.argv[2] View Data Flow 2 cloudfuse/perf_testing/scripts/write.py Line 6 in e7989f2 mountpath = sys.argv[1] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	File Manipulation	CWE-73	block_cache_linux.go:1689	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 1684 to 1689 in e7989f2 localDstPath := filepath.Join(bc.tmpPath, options.Dst) files, err := filepath.Glob(localSrcPath + "*") if err == nil { for _, f := range files { err = os.Rename(f, strings.Replace(f, localSrcPath, localDstPath, 1)) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in e7989f2 f, err := os.Open(localPath) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure Directory Permissions	CWE-732	block_cache_linux.go:970	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 965 to 970 in e7989f2 } item.block.endIndex = item.block.offset + uint64(n) if bc.tmpPath != "" { err := os.MkdirAll(filepath.Dir(localPath), 0755) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 970 in e7989f2 err := os.MkdirAll(filepath.Dir(localPath), 0755) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure File Permissions	CWE-732	journal.go:57	1	2025-01-23 05:07pm
Vulnerable Code cloudfuse/component/size_tracker/journal.go Lines 52 to 57 in e7989f2 err := common.CreateDefaultDirectory() if err != nil { return nil, fmt.Errorf("Failed to create default work dir [%s]", err.Error()) } f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) 1 Data Flow/s detected cloudfuse/component/size_tracker/journal.go Line 57 in e7989f2 f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Command Injection	CWE-78	mount_all.go:377	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 372 to 377 in e7989f2 updateCliParams(&cliParams, "tmp-path", filepath.Join(fileCachePath, container)) } // Now that we have mount path and config file for this container fire a mount command for this one fmt.Println("Mounting container :", container, "to path ", contMountPath) cmd := exec.Command(mountAllOpts.cloudfuseBinPath, cliParams...) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 69 in e7989f2 mountAllOpts.cloudfuseBinPath = os.Args[0] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Command Injection Training ● Videos    ▪ Secure Code Warrior Command Injection Video ● Further Reading    ▪ OWASP testing for Command Injection    ▪ OWASP Command Injection 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure File Permissions	CWE-732	base_logger.go:186	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/common/log/base_logger.go Lines 181 to 186 in e7989f2 fi, e := os.Stat(l.fileConfig.LogFile) if e == nil { l.fileConfig.currentLogSize = uint64(fi.Size()) } var err error l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) 1 Data Flow/s detected cloudfuse/common/log/base_logger.go Line 186 in e7989f2 l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure File Permissions	CWE-732	stats_export.go:278	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/tools/health-monitor/internal/stats_export.go Lines 273 to 278 in e7989f2 fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) fnameNew = fmt.Sprintf("%v_%v_1.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) _ = os.Rename(fname, fnameNew) fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) 1 Data Flow/s detected cloudfuse/tools/health-monitor/internal/stats_export.go Line 278 in e7989f2 se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk
High	Insecure File Permissions	CWE-732	base_logger.go:130	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/common/log/base_logger.go Lines 125 to 130 in e7989f2 l.fileConfig.LogFile = name if l.logFileHandle != nil { if name == "stdout" { l.logFileHandle = os.Stdout } else { f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) 1 Data Flow/s detected cloudfuse/common/log/base_logger.go Line 130 in e7989f2 f, err := os.OpenFile(name, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) Secure Code Warrior Training Material 🏴 Suppress Finding ... as False Alarm ... as Acceptable Risk

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Command Injection	CWE-78	Go	1
High	File Manipulation	CWE-73	Go	3
High	Path/Directory Traversal	CWE-22	Python	2
High	Insecure Directory Permissions	CWE-732	Go	2
High	Insecure File Permissions	CWE-732	Go	6
Medium	Heap Inspection	CWE-244	Go	1