{
|
|
"score": 45,
|
|
"grade": "D",
|
|
"gradeLabel": "Significant security risks",
|
|
"totalFindings": 59,
|
|
"totalDepVulns": 0,
|
|
"categories": {
|
|
"secrets": {
|
|
"label": "Secrets",
|
|
"findingCount": 0,
|
|
"deduction": 0,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 0,
|
|
"medium": 0,
|
|
"low": 0
|
|
}
|
|
},
|
|
"injection": {
|
|
"label": "Code Vulnerabilities",
|
|
"findingCount": 7,
|
|
"deduction": 15,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 0,
|
|
"medium": 7,
|
|
"low": 0
|
|
}
|
|
},
|
|
"deps": {
|
|
"label": "Dependencies",
|
|
"findingCount": 0,
|
|
"deduction": 0,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 0,
|
|
"medium": 0,
|
|
"low": 0
|
|
}
|
|
},
|
|
"auth": {
|
|
"label": "Auth & Access Control",
|
|
"findingCount": 0,
|
|
"deduction": 0,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 0,
|
|
"medium": 0,
|
|
"low": 0
|
|
}
|
|
},
|
|
"config": {
|
|
"label": "Configuration",
|
|
"findingCount": 4,
|
|
"deduction": 10,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 4,
|
|
"medium": 0,
|
|
"low": 0
|
|
}
|
|
},
|
|
"supply-chain": {
|
|
"label": "Supply Chain",
|
|
"findingCount": 36,
|
|
"deduction": 10,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 1,
|
|
"medium": 35,
|
|
"low": 0
|
|
}
|
|
},
|
|
"api": {
|
|
"label": "API Security",
|
|
"findingCount": 2,
|
|
"deduction": 10,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 2,
|
|
"medium": 0,
|
|
"low": 0
|
|
}
|
|
},
|
|
"llm": {
|
|
"label": "AI/LLM Security",
|
|
"findingCount": 10,
|
|
"deduction": 10,
|
|
"counts": {
|
|
"critical": 0,
|
|
"high": 0,
|
|
"medium": 10,
|
|
"low": 0
|
|
}
|
|
}
|
|
},
|
|
"findings": [
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 26,
|
|
"severity": "high",
|
|
"category": "supply-chain",
|
|
"rule": "GIT_PYTHON_DEP",
|
|
"title": "Git/URL Python Dependency: git+https://git.zm.is/XF/django-crud-mixins",
|
|
"description": "Installing from git/URL bypasses PyPI integrity checks.",
|
|
"fix": "Publish to PyPI or pin to a specific commit hash",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/Dockerfile",
|
|
"line": 25,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"rule": "DOCKER_RUN_AS_ROOT",
|
|
"title": "Docker: Running as Root",
|
|
"description": "No USER instruction found. Container runs as root by default.",
|
|
"fix": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"cwe": "CWE-250",
|
|
"owasp": "A05:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/Dockerfile",
|
|
"line": 27,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"rule": "DOCKER_RUN_AS_ROOT",
|
|
"title": "Docker: Running as Root",
|
|
"description": "No USER instruction found. Container runs as root by default.",
|
|
"fix": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"cwe": "CWE-250",
|
|
"owasp": "A05:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/Dockerfile",
|
|
"line": 29,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"rule": "DOCKER_RUN_AS_ROOT",
|
|
"title": "Docker: Running as Root",
|
|
"description": "No USER instruction found. Container runs as root by default.",
|
|
"fix": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"cwe": "CWE-250",
|
|
"owasp": "A05:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/Dockerfile",
|
|
"line": 30,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"rule": "DOCKER_RUN_AS_ROOT",
|
|
"title": "Docker: Running as Root",
|
|
"description": "No USER instruction found. Container runs as root by default.",
|
|
"fix": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"cwe": "CWE-250",
|
|
"owasp": "A05:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/clients/whatsapp.py",
|
|
"line": 3375,
|
|
"severity": "high",
|
|
"category": "api",
|
|
"rule": "API_UPLOAD_NO_TYPE_CHECK",
|
|
"title": "API: File Upload Without Type Validation",
|
|
"description": "File upload using original filename without type validation.",
|
|
"fix": "Validate file extension and MIME type. Generate random filenames for storage.",
|
|
"cwe": "CWE-434",
|
|
"owasp": "A04:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/clients/xmpp.py",
|
|
"line": 53,
|
|
"severity": "high",
|
|
"category": "api",
|
|
"rule": "API_UPLOAD_NO_TYPE_CHECK",
|
|
"title": "API: File Upload Without Type Validation",
|
|
"description": "File upload using original filename without type validation.",
|
|
"fix": "Validate file extension and MIME type. Generate random filenames for storage.",
|
|
"cwe": "CWE-434",
|
|
"owasp": "A04:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/app/local_settings.py",
|
|
"line": 10,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/app/local_settings.py",
|
|
"line": 44,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/app/local_settings.py",
|
|
"line": 72,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/app/settings.py",
|
|
"line": 192,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/app/settings.py",
|
|
"line": 193,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/memory/search_backend.py",
|
|
"line": 143,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/scripts/quadlet/render_units.py",
|
|
"line": 187,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"rule": "SSRF_INTERNAL_IP",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.",
|
|
"fix": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"cwe": "CWE-918",
|
|
"owasp": "A10:2021"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 1,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: wheel",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: wheel==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 2,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: uwsgi",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: uwsgi==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 3,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 4,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: pre-commit",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: pre-commit==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 6,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: crispy-bulma",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: crispy-bulma==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 9,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-rest-framework",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-rest-framework==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 10,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: uvloop",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: uvloop==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 11,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-htmx",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-htmx==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 12,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: cryptography",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: cryptography==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 13,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-debug-toolbar",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-debug-toolbar==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 14,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-debug-toolbar-template-profiler",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-debug-toolbar-template-profiler==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 15,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: orjson",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: orjson==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 16,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: msgpack",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: msgpack==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 17,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: apscheduler",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: apscheduler==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 18,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: watchfiles",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: watchfiles==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 19,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-otp",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-otp==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 20,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-two-factor-auth",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-two-factor-auth==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 21,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-otp-yubikey",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-otp-yubikey==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 22,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: phonenumbers",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: phonenumbers==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 23,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: qrcode",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: qrcode==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 24,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: pydantic",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: pydantic==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 26,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: git+https://git.zm.is/XF/django-crud-mixins",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin to a specific commit hash: git+https://git.zm.is/XF/django-crud-mixins@<commit-hash> (a version pin of the form ==x.y.z does not apply to a git URL)",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 29,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: redis<7",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: redis==x.y.z (an upper bound such as <7 is not a pin)",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 30,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: hiredis",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: hiredis==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 31,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django-cachalot",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django-cachalot==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 32,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: django_redis",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: django_redis==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 33,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: requests",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: requests==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 34,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: signalbot",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: signalbot==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 35,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: openai",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: openai==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 36,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: aiograpi",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: aiograpi==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 37,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: aiomysql",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: aiomysql==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 38,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: slixmpp",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: slixmpp==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 39,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: neonize",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: neonize==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 40,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: watchdog",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: watchdog==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/requirements.txt",
|
|
"line": 41,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"rule": "UNPINNED_PYTHON_DEP",
|
|
"title": "Unpinned Python Dependency: uvicorn",
|
|
"description": "Python dependency without version pin. Pin to a specific version for reproducible builds.",
|
|
"fix": "Pin version: uvicorn==x.y.z",
|
|
"cwe": null,
|
|
"owasp": null
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/clients/signalapi.py",
|
|
"line": 398,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_NO_OUTPUT_FILTER",
|
|
"title": "LLM Output Without Filtering",
|
|
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
|
|
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
|
|
"cwe": "CWE-200",
|
|
"owasp": "LLM02"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 726,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 731,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 745,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 1364,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 1369,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/osint.py",
|
|
"line": 1383,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_RAG_NO_VALIDATION",
|
|
"title": "RAG Pipeline Without Input Validation",
|
|
"description": "User input passed directly to vector search/embedding without validation.",
|
|
"fix": "Validate and sanitize input before embedding. Limit query length.",
|
|
"cwe": "CWE-20",
|
|
"owasp": "LLM08"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/signal.py",
|
|
"line": 181,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_NO_OUTPUT_FILTER",
|
|
"title": "LLM Output Without Filtering",
|
|
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
|
|
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
|
|
"cwe": "CWE-200",
|
|
"owasp": "LLM02"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/signal.py",
|
|
"line": 185,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_NO_OUTPUT_FILTER",
|
|
"title": "LLM Output Without Filtering",
|
|
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
|
|
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
|
|
"cwe": "CWE-200",
|
|
"owasp": "LLM02"
|
|
},
|
|
{
|
|
"file": "/code/xf/GIA/core/views/signal.py",
|
|
"line": 188,
|
|
"severity": "medium",
|
|
"category": "llm",
|
|
"rule": "LLM_NO_OUTPUT_FILTER",
|
|
"title": "LLM Output Without Filtering",
|
|
"description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.",
|
|
"fix": "Filter LLM output before displaying: remove PII, validate against expected format",
|
|
"cwe": "CWE-200",
|
|
"owasp": "LLM02"
|
|
}
|
|
],
|
|
"depVulns": [],
|
|
"remediationPlan": [
|
|
{
|
|
"priority": 1,
|
|
"severity": "high",
|
|
"category": "supply-chain",
|
|
"categoryLabel": "SUPPLY CHAIN",
|
|
"title": "Git/URL Python Dependency: git+https://git.zm.is/XF/django-crud-mixins",
|
|
"file": "requirements.txt:26",
|
|
"action": "Publish to PyPI or pin to a specific commit hash",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 2,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"categoryLabel": "CONFIGURATION",
|
|
"title": "Docker: Running as Root",
|
|
"file": "Dockerfile:25",
|
|
"action": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"effort": "low"
|
|
},
|
|
{
|
|
"priority": 3,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"categoryLabel": "CONFIGURATION",
|
|
"title": "Docker: Running as Root",
|
|
"file": "Dockerfile:27",
|
|
"action": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"effort": "low"
|
|
},
|
|
{
|
|
"priority": 4,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"categoryLabel": "CONFIGURATION",
|
|
"title": "Docker: Running as Root",
|
|
"file": "Dockerfile:29",
|
|
"action": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"effort": "low"
|
|
},
|
|
{
|
|
"priority": 5,
|
|
"severity": "high",
|
|
"category": "config",
|
|
"categoryLabel": "CONFIGURATION",
|
|
"title": "Docker: Running as Root",
|
|
"file": "Dockerfile:30",
|
|
"action": "Add USER nonroot before CMD/ENTRYPOINT",
|
|
"effort": "low"
|
|
},
|
|
{
|
|
"priority": 6,
|
|
"severity": "high",
|
|
"category": "api",
|
|
"categoryLabel": "API SECURITY",
|
|
"title": "API: File Upload Without Type Validation",
|
|
"file": "core/clients/whatsapp.py:3375",
|
|
"action": "Validate file extension and MIME type. Generate random filenames for storage.",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 7,
|
|
"severity": "high",
|
|
"category": "api",
|
|
"categoryLabel": "API SECURITY",
|
|
"title": "API: File Upload Without Type Validation",
|
|
"file": "core/clients/xmpp.py:53",
|
|
"action": "Validate file extension and MIME type. Generate random filenames for storage.",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 8,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "app/local_settings.py:10",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 9,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "app/local_settings.py:44",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 10,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "app/local_settings.py:72",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 11,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "app/settings.py:192",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 12,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "app/settings.py:193",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 13,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "core/memory/search_backend.py:143",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 14,
|
|
"severity": "medium",
|
|
"category": "ssrf",
|
|
"categoryLabel": "SSRF",
|
|
"title": "SSRF: Internal IP Pattern",
|
|
"file": "scripts/quadlet/render_units.py:187",
|
|
"action": "Block private IP ranges in URL validation for user-supplied URLs",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 15,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"categoryLabel": "SUPPLY CHAIN",
|
|
"title": "Unpinned Python Dependency: wheel",
|
|
"file": "requirements.txt:1",
|
|
"action": "Pin version: wheel==x.y.z",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 16,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"categoryLabel": "SUPPLY CHAIN",
|
|
"title": "Unpinned Python Dependency: uwsgi",
|
|
"file": "requirements.txt:2",
|
|
"action": "Pin version: uwsgi==x.y.z",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 17,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"categoryLabel": "SUPPLY CHAIN",
|
|
"title": "Unpinned Python Dependency: django",
|
|
"file": "requirements.txt:3",
|
|
"action": "Pin version: django==x.y.z",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 18,
|
|
"severity": "medium",
|
|
"category": "supply-chain",
|
|
"categoryLabel": "SUPPLY CHAIN",
|
|
"title": "Unpinned Python Dependency: pre-commit",
|
|
"file": "requirements.txt:4",
|
|
"action": "Pin version: pre-commit==x.y.z",
|
|
"effort": "medium"
|
|
},
|
|
{
|
|
"priority": 19,
|
|
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: crispy-bulma",
"file": "requirements.txt:6",
"action": "Pin version: crispy-bulma==x.y.z",
"effort": "medium"
},
{
"priority": 20,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-rest-framework",
"file": "requirements.txt:9",
"action": "Pin version: django-rest-framework==x.y.z",
"effort": "medium"
},
{
"priority": 21,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: uvloop",
"file": "requirements.txt:10",
"action": "Pin version: uvloop==x.y.z",
"effort": "medium"
},
{
"priority": 22,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-htmx",
"file": "requirements.txt:11",
"action": "Pin version: django-htmx==x.y.z",
"effort": "medium"
},
{
"priority": 23,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: cryptography",
"file": "requirements.txt:12",
"action": "Pin version: cryptography==x.y.z",
"effort": "medium"
},
{
"priority": 24,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-debug-toolbar",
"file": "requirements.txt:13",
"action": "Pin version: django-debug-toolbar==x.y.z",
"effort": "medium"
},
{
"priority": 25,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-debug-toolbar-template-profiler",
"file": "requirements.txt:14",
"action": "Pin version: django-debug-toolbar-template-profiler==x.y.z",
"effort": "medium"
},
{
"priority": 26,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: orjson",
"file": "requirements.txt:15",
"action": "Pin version: orjson==x.y.z",
"effort": "medium"
},
{
"priority": 27,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: msgpack",
"file": "requirements.txt:16",
"action": "Pin version: msgpack==x.y.z",
"effort": "medium"
},
{
"priority": 28,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: apscheduler",
"file": "requirements.txt:17",
"action": "Pin version: apscheduler==x.y.z",
"effort": "medium"
},
{
"priority": 29,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: watchfiles",
"file": "requirements.txt:18",
"action": "Pin version: watchfiles==x.y.z",
"effort": "medium"
},
{
"priority": 30,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-otp",
"file": "requirements.txt:19",
"action": "Pin version: django-otp==x.y.z",
"effort": "medium"
},
{
"priority": 31,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-two-factor-auth",
"file": "requirements.txt:20",
"action": "Pin version: django-two-factor-auth==x.y.z",
"effort": "medium"
},
{
"priority": 32,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-otp-yubikey",
"file": "requirements.txt:21",
"action": "Pin version: django-otp-yubikey==x.y.z",
"effort": "medium"
},
{
"priority": 33,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: phonenumbers",
"file": "requirements.txt:22",
"action": "Pin version: phonenumbers==x.y.z",
"effort": "medium"
},
{
"priority": 34,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: qrcode",
"file": "requirements.txt:23",
"action": "Pin version: qrcode==x.y.z",
"effort": "medium"
},
{
"priority": 35,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: pydantic",
"file": "requirements.txt:24",
"action": "Pin version: pydantic==x.y.z",
"effort": "medium"
},
{
"priority": 36,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: git+https://git.zm.is/XF/django-crud-mixins",
"file": "requirements.txt:26",
"action": "Pin to an immutable commit: git+https://git.zm.is/XF/django-crud-mixins@<commit-sha> (a git URL cannot be pinned with ==x.y.z)",
"effort": "medium"
},
{
"priority": 37,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: redis<7",
"file": "requirements.txt:29",
"action": "Pin version: redis==x.y.z (choose a release below 7 to keep the existing <7 bound)",
"effort": "medium"
},
{
"priority": 38,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: hiredis",
"file": "requirements.txt:30",
"action": "Pin version: hiredis==x.y.z",
"effort": "medium"
},
{
"priority": 39,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django-cachalot",
"file": "requirements.txt:31",
"action": "Pin version: django-cachalot==x.y.z",
"effort": "medium"
},
{
"priority": 40,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: django_redis",
"file": "requirements.txt:32",
"action": "Pin version: django_redis==x.y.z",
"effort": "medium"
},
{
"priority": 41,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: requests",
"file": "requirements.txt:33",
"action": "Pin version: requests==x.y.z",
"effort": "medium"
},
{
"priority": 42,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: signalbot",
"file": "requirements.txt:34",
"action": "Pin version: signalbot==x.y.z",
"effort": "medium"
},
{
"priority": 43,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: openai",
"file": "requirements.txt:35",
"action": "Pin version: openai==x.y.z",
"effort": "medium"
},
{
"priority": 44,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: aiograpi",
"file": "requirements.txt:36",
"action": "Pin version: aiograpi==x.y.z",
"effort": "medium"
},
{
"priority": 45,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: aiomysql",
"file": "requirements.txt:37",
"action": "Pin version: aiomysql==x.y.z",
"effort": "medium"
},
{
"priority": 46,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: slixmpp",
"file": "requirements.txt:38",
"action": "Pin version: slixmpp==x.y.z",
"effort": "medium"
},
{
"priority": 47,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: neonize",
"file": "requirements.txt:39",
"action": "Pin version: neonize==x.y.z",
"effort": "medium"
},
{
"priority": 48,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: watchdog",
"file": "requirements.txt:40",
"action": "Pin version: watchdog==x.y.z",
"effort": "medium"
},
{
"priority": 49,
"severity": "medium",
"category": "supply-chain",
"categoryLabel": "SUPPLY CHAIN",
"title": "Unpinned Python Dependency: uvicorn",
"file": "requirements.txt:41",
"action": "Pin version: uvicorn==x.y.z",
"effort": "medium"
},
{
"priority": 50,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/clients/signalapi.py:398",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
},
{
"priority": 51,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:726",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 52,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:731",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 53,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:745",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 54,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1364",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 55,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1369",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 56,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "RAG Pipeline Without Input Validation",
"file": "core/views/osint.py:1383",
"action": "Validate and sanitize input before embedding. Limit query length.",
"effort": "high"
},
{
"priority": 57,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/views/signal.py:181",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
},
{
"priority": 58,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/views/signal.py:185",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
},
{
"priority": 59,
"severity": "medium",
"category": "llm",
"categoryLabel": "AI/LLM SECURITY",
"title": "LLM Output Without Filtering",
"file": "core/views/signal.py:188",
"action": "Filter LLM output before displaying: remove PII, validate against expected format",
"effort": "high"
}
],
"recon": {
"frameworks": [
"django"
],
"languages": [
"python"
],
"apiRoutes": [
"app/urls.py",
"core/management/commands/backfill_xmpp_attachment_urls.py"
],
"authPatterns": [],
"databases": [],
"cloudProviders": [],
"frontendExposure": [],
"packageManagers": [
"pip"
],
"cicd": [],
"hasDockerfile": true,
"hasTerraform": false,
"hasKubernetes": false,
"envFiles": [],
"configFiles": []
},
"agents": [
{
"agent": "InjectionTester",
"category": "injection",
"findingCount": 0,
"success": true
},
{
"agent": "AuthBypassAgent",
"category": "auth",
"findingCount": 0,
"success": true
},
{
"agent": "SSRFProber",
"category": "ssrf",
"findingCount": 7,
"success": true
},
{
"agent": "SupplyChainAudit",
"category": "supply-chain",
"findingCount": 36,
"success": true
},
{
"agent": "ConfigAuditor",
"category": "config",
"findingCount": 4,
"success": true
},
{
"agent": "LLMRedTeam",
"category": "llm",
"findingCount": 10,
"success": true
},
{
"agent": "MobileScanner",
"category": "mobile",
"findingCount": 0,
"success": true
},
{
"agent": "GitHistoryScanner",
"category": "history",
"findingCount": 0,
"success": true
},
{
"agent": "CICDScanner",
"category": "cicd",
"findingCount": 0,
"success": true
},
{
"agent": "APIFuzzer",
"category": "api",
"findingCount": 2,
"success": true
}
]
}