- ALM used (GitHub)
- CI system used (Azure DevOps)
- Scanner command used when applicable (SonarCloudAnalyze@1)
- Languages of the repository (C#)
I’ve been scanning an external issues report successfully in the following format but today, 30 October, the scan started failing.
{
  "rules": [
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "Azure Storage Library Information Disclosure Vulnerability\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-30187 for details",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2022-30187",
      "name": "[CVE-2022-30187] CWE-327",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2022-30187] CWE-327: Use of a Broken or Risky Cryptographic Algorithm - Azure.Storage.Blobs:12.11.0",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Feature\\FormV2\\code\\XYZ.Feature.FormV2.csproj"
          }
        },
        {
          "primaryLocation": {
            "message": "[CVE-2022-30187] CWE-327: Use of a Broken or Risky Cryptographic Algorithm - Azure.Storage.Blobs:12.11.0",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Feature\\FormV2\\tests\\XYZ.Feature.FormV2.Tests.csproj"
          }
        },
        {
          "primaryLocation": {
            "message": "[CVE-2022-30187] CWE-327: Use of a Broken or Risky Cryptographic Algorithm - Azure.Storage.Blobs:12.11.0",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Common\\code\\XYZ.Foundation.Common.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2013-1624",
      "name": "[CVE-2013-1624] CWE-310",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2013-1624] CWE-310 - BouncyCastle:1.7.0",
            "filePath": "D:\\a\\1\\s\\src\\sc\\XYZ.Business\\XYZ.Business.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2020-26293",
      "name": "[CVE-2020-26293] CWE-79",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2020-26293] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - HtmlSanitizer:3.2.105",
            "filePath": "D:\\a\\1\\s\\src\\sc\\XYZ.Business\\XYZ.Business.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. The vulnerability occurs in configurations where foreign content is allowed, i.e. either `svg` or `math` are in the list of allowed elements. In the case an application sanitizes user input with a vulnerable configuration, an attacker could bypass the sanitization and inject arbitrary HTML, including JavaScript code. Note that in the default configuration the vulnerability is not present. The vulnerability has been fixed in versions 8.0.723 and 8.1.722-beta (preview version).",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2023-44390",
      "name": "[CVE-2023-44390] CWE-79",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2023-44390] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - HtmlSanitizer:3.2.105",
            "filePath": "D:\\a\\1\\s\\src\\sc\\XYZ.Business\\XYZ.Business.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "HIGH"
        }
      ],
      "ruleId": "CVE-2021-27293",
      "name": "[CVE-2021-27293] CWE-697",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-27293] CWE-697: Incorrect Comparison - RestSharp:106.5.2",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Diagnostics\\code\\XYZ.Foundation.Diagnostics.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "SSH.NET is a Secure Shell (SSH) library for .NET. In versions 2020.0.0 and 2020.0.1, during an `X25519` key exchange, the client’s private key is generated with `System.Random`. `System.Random` is not a cryptographically secure random number generator, it must therefore not be used for cryptographic purposes. When establishing an SSH connection to a remote host, during the X25519 key exchange, the private key is generated with a weak random number generator whose seed can be brute forced. This allows an attacker who is able to eavesdrop on the communications to decrypt them. Version 2020.0.2 contains a patch for this issue. As a workaround, one may disable support for `curve25519-sha256` and `curve25519-sha256@libssh.org` key exchange algorithms.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2022-29245",
      "name": "[CVE-2022-29245] CWE-338",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2022-29245] CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - SSH.NET:2020.0.1",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Schedulers\\code\\XYZ.Foundation.Schedulers.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Prior to version 1.3.3, a TAR file entry `../evil.txt` may be extracted in the parent directory of `destFolder`. This leads to arbitrary file write that may lead to code execution. The vulnerability was patched in version 1.3.3.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "HIGH"
        }
      ],
      "ruleId": "CVE-2021-32840",
      "name": "[CVE-2021-32840] CWE-22",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-32840] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - SharpZipLib:1.3.2",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Schedulers\\code\\XYZ.Foundation.Schedulers.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.3.0 and prior to version 1.3.3, a check was added if the destination file is under destination directory. However, it is not enforced that `destDir` ends with slash. If the `destDir` is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins with the destination directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 contains a patch for this vulnerability.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2021-32841",
      "name": "[CVE-2021-32841] CWE-22",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-32841] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - SharpZipLib:1.3.2",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Schedulers\\code\\XYZ.Foundation.Schedulers.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "SharpZipLib (or #ziplib) is a Zip, GZip, Tar and BZip2 library. Starting version 1.0.0 and prior to version 1.3.3, a check was added if the destination file is under a destination directory. However, it is not enforced that `_baseDirectory` ends with slash. If the _baseDirectory is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints, the arbitrary file creation impact is limited and depends on the use case. Version 1.3.3 fixed this vulnerability.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "MEDIUM"
        }
      ],
      "ruleId": "CVE-2021-32842",
      "name": "[CVE-2021-32842] CWE-22",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-32842] CWE-22 - SharpZipLib:1.3.2",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Schedulers\\code\\XYZ.Foundation.Schedulers.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "HIGH"
        }
      ],
      "ruleId": "CVE-2021-38366",
      "name": "[CVE-2021-38366] CWE-434",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-38366] CWE-434 - Sitecore.Framework.Runtime.Abstractions:7.0.0",
            "filePath": "D:\\a\\1\\s\\src\\si\\Foundation\\Common\\sitecoreidentity\\XYZ.Foundation.Common.csproj"
          }
        },
        {
          "primaryLocation": {
            "message": "[CVE-2021-38366] CWE-434 - Sitecore.Framework.Runtime.Commands:7.0.0",
            "filePath": "D:\\a\\1\\s\\src\\si\\Foundation\\Common\\sitecoreidentity\\XYZ.Foundation.Common.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "Sitecore through 10.1, when Update Center is enabled, allows remote authenticated users to upload arbitrary files and achieve remote code execution by visiting an uploaded .aspx file at an admin/Packages URL.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "HIGH"
        }
      ],
      "ruleId": "CVE-2021-38366",
      "name": "[CVE-2021-38366] CWE-434",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2021-38366] CWE-434 - Sitecore.Plugin.IdentityServer:7.0.326",
            "filePath": "D:\\a\\1\\s\\src\\si\\Foundation\\Common\\sitecoreidentity\\XYZ.Foundation.Common.csproj"
          }
        }
      ]
    },
    {
      "cleanCodeAttribute": "TRUSTWORTHY",
      "description": "YamlDotNet version 4.3.2 and earlier contains a Insecure Direct Object Reference vulnerability in The default behavior of Deserializer.Deserialize() will deserialize user-controlled types in the line \"currentType = Type.GetType(nodeEvent.Tag.Substring(1), throwOnError: false);\" and blindly instantiates them. that can result in Code execution in the context of the running process. This attack appear to be exploitable via Victim must parse a specially-crafted YAML file. This vulnerability appears to have been fixed in 5.0.0.",
      "impacts": [
        {
          "softwareQuality": "SECURITY",
          "severity": "HIGH"
        }
      ],
      "ruleId": "CVE-2018-1000210",
      "name": "[CVE-2018-1000210] CWE-502 & CWE-639",
      "engineId": "DependencyCheck",
      "issues": [
        {
          "primaryLocation": {
            "message": "[CVE-2018-1000210] CWE-502 & CWE-639 - YamlDotNet.Signed:4.2.1",
            "filePath": "D:\\a\\1\\s\\src\\sc\\Foundation\\Api\\code\\XYZ.Foundation.Api.csproj"
          }
        }
      ]
    }
  ]
}
I’ve noticed that the example in the documentation is now using the following format, which I thought was a deprecated format.
[https://docs.sonarcloud.io/enriching/generic-issue-data/#example]
{
  "issues": [
    {
      "engineId": "test",
      "ruleId": "rule1",
      "severity": "BLOCKER",
      "type": "CODE_SMELL",
      "primaryLocation": {
        "message": "fully-fleshed issue",
        "filePath": "sources/A.java",
        "textRange": {
          "startLine": 30,
          "endLine": 30,
          "startColumn": 9,
          "endColumn": 14
        }
      },
      "effortMinutes": 90,
      "secondaryLocations": [
        {
          "message": "cross-file 2ndary location",
          "filePath": "sources/B.java",
          "textRange": {
            "startLine": 10,
            "endLine": 10,
            "startColumn": 6,
            "endColumn": 38
          }
        }
      ]
    },
    {
      "engineId": "test",
      "ruleId": "rule2",
      "severity": "INFO",
      "type": "BUG",
      "primaryLocation": {
        "message": "minimal issue raised at file level",
        "filePath": "sources/Measure.java"
      }
    }
  ]
}
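The two shapes above differ structurally: the failing report nests each rule's "issues" under the rule entry, while the documented example carries a flat top-level "issues" array in which every issue names its "ruleId" and "engineId" directly. The converter below is an added example (not part of the post, and not SonarCloud's own code) that rewrites the nested shape into the documented flat shape and rejects entries missing the keys the documented example shows; the sample input is a constructed, trimmed rule from the report, and the severity/type mappings (HIGH/MEDIUM/LOW to CRITICAL/MAJOR/MINOR, SECURITY to VULNERABILITY) are my assumptions, not something the page states.

```python
import json

# Constructed, trimmed sample in the nested "rules -> issues" shape from the post.
NESTED_REPORT = json.loads(r'''
{"rules": [{
  "cleanCodeAttribute": "TRUSTWORTHY",
  "description": "constructed description",
  "impacts": [{"softwareQuality": "SECURITY", "severity": "HIGH"}],
  "ruleId": "CVE-2021-32840",
  "name": "[CVE-2021-32840] CWE-22",
  "engineId": "DependencyCheck",
  "issues": [{"primaryLocation": {
      "message": "[CVE-2021-32840] CWE-22 - SharpZipLib:1.3.2",
      "filePath": "src/Foundation/Schedulers/code/XYZ.Foundation.Schedulers.csproj"}}]
}]}
''')

# ASSUMPTION: impact severity -> legacy severity names as used in the docs example.
SEVERITY_MAP = {"HIGH": "CRITICAL", "MEDIUM": "MAJOR", "LOW": "MINOR"}
# ASSUMPTION: a SECURITY impact becomes a VULNERABILITY; anything else is CODE_SMELL.
TYPE_MAP = {"SECURITY": "VULNERABILITY"}


def flatten_report(nested):
    """Rewrite {"rules": [{..., "issues": [...]}]} into the flat {"issues": [...]} shape."""
    flat = []
    for rule in nested.get("rules", []):
        for key in ("ruleId", "engineId", "issues"):
            if key not in rule:
                raise ValueError(f"rule entry is missing required key {key!r}")
        impact = (rule.get("impacts") or [{}])[0]
        severity = SEVERITY_MAP.get(str(impact.get("severity", "")).upper(), "MAJOR")
        issue_type = TYPE_MAP.get(impact.get("softwareQuality", ""), "CODE_SMELL")
        for issue in rule["issues"]:
            loc = issue.get("primaryLocation", {})
            if "filePath" not in loc or "message" not in loc:
                raise ValueError("primaryLocation needs both filePath and message")
            flat.append({
                "engineId": rule["engineId"],
                "ruleId": rule["ruleId"],
                "severity": severity,
                "type": issue_type,
                "primaryLocation": {"message": loc["message"], "filePath": loc["filePath"]},
            })
    return {"issues": flat}


if __name__ == "__main__":
    print(json.dumps(flatten_report(NESTED_REPORT), indent=2))
```

Run it against the full report to get a file in the documented shape; if the scanner still rejects that, the failure is not the nesting.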