SonarQube rules not available

I'm currently using SonarQube Community Edition (9.9.5) and have encountered several security and code quality issues in Python, Ruby, YAML, and PowerShell code that are not being detected by the default rules. These issues were identified by Fortify but not by SonarQube. I am wondering if there are existing rules for the following issues:

Python:
1.

import xml.etree.ElementTree as ET
root = ET.ElementTree(ET.fromstring(data)).getroot()

The security team recommends using defusedxml.

2. Authentication and/or authorisation mechanisms to prevent malicious attackers from gaining unauthorised access to these critical functions.
3. There is no explicit timeout set when using the Requests library. As a result, the default value of None is used, meaning that the request will wait indefinitely until the server responds.
4. The security team observed that some of the file stream resources were not properly released using the close() function.

file = open(filename)
content = open(filename, "r").read()

Ruby:
1. The security team observed that several commands are used without the absolute path to their binaries across multiple files.

dateValue=`date -R`
signature=`echo -en "${stringToSign}"

2. The send function and its variants allow programmers to work around Ruby access specifiers on functions.

Chef::Recipe.send(:include, Chef::Mixin::PowershellOut)

3. Use of weak cryptographic hashes across multiple lines.
4. An empty rescue block that does not provide error handling when an exception occurs.

YAML:
1. The security team observed that user credentials are parsed into a URL used for API authentication in GET requests.
2. The security team observed a weak password policy for new users:

      "changePassOnNextLogon": false,
      "passwordNeverExpires": true,

PowerShell:
1. Aliases can make code difficult to read and understand, and make scripts hard to maintain.

'?' is an alias of 'Where-Object'

2. PowerShell doesn't have an SSL cert validation rule.
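As an added illustration (not a SonarQube rule and not code from the post), a small AST check that flags the three Python findings listed above: stdlib ElementTree parsing, requests calls without a timeout, and open() used outside a with block. The sample source and the rule ids are constructed; only aliased imports of xml.etree.ElementTree are resolved.

```python
import ast

# Constructed sample input (not from the post): the three Python patterns the
# question lists, each beside a form the check leaves alone.
SAMPLE_SOURCE = """\
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as SafeET
import requests
root = ET.ElementTree(ET.fromstring(data)).getroot()  # source line 4
safe_root = SafeET.fromstring(data)
resp = requests.get(url)                               # source line 6
ok = requests.get(url, timeout=10)
content = open(filename, "r").read()                   # source line 8
with open(filename) as fh:
    text = fh.read()
"""
XML_FUNCS = {"fromstring", "parse", "iterparse", "XML", "XMLParser"}
HTTP_FUNCS = {"get", "post", "put", "delete", "head", "patch", "request"}


def check_source(source):
    """Return sorted (lineno, rule_id) pairs for the three patterns."""
    tree = ast.parse(source)
    # Names bound to the stdlib parser module via "import ... as X".
    xml_aliases = {
        alias.asname or alias.name
        for node in ast.walk(tree) if isinstance(node, ast.Import)
        for alias in node.names if alias.name == "xml.etree.ElementTree"
    }
    # Calls used as the context expression of a `with` are released safely.
    managed = {
        id(item.context_expr)
        for node in ast.walk(tree) if isinstance(node, ast.With)
        for item in node.items
    }
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            base, attr = func.value.id, func.attr
            if base in xml_aliases and attr in XML_FUNCS:
                findings.append((node.lineno, "xml-stdlib-parser"))
            elif base == "requests" and attr in HTTP_FUNCS:
                if not any(kw.arg == "timeout" for kw in node.keywords):
                    findings.append((node.lineno, "requests-no-timeout"))
        elif isinstance(func, ast.Name) and func.id == "open" and id(node) not in managed:
            findings.append((node.lineno, "open-without-with"))
    return sorted(findings)
```

Running check_source(SAMPLE_SOURCE) reports source lines 4, 6 and 8 and leaves the defusedxml, timeout and with-block variants alone.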

Hi,

I’m not surprised that Fortify identified issues that Community Edition did not.

First, it’s worth stating that raw volume isn’t necessarily a good measure of analysis accuracy. :wink:

And, Community Edition does not include our taint analysis rules. For a full SAST analysis, you’ll need to either switch to SonarCloud, where all the rules are available, or upgrade to a commercial edition of SonarQube.

HTH,
Ann