Testing ~/snyk_goof/nodejs-goof...
Tested 564 dependencies for known issues, found 2 issues, 3 vulnerable paths.
Issues to fix by upgrading:
Upgrade adm-zip@0.4.7 to adm-zip@0.4.11 to fix
✗ Arbitrary File Write via Archive Extraction (Zip Slip) [Critical Severity]
in handlebars@4.0.14
introduced by hbs@4.0.4 > handlebars@4.0.14 and 1 other path(s)
Organization: masawai
Package manager: npm
Target file: package-lock.json
Project name: goof
Open source: no
Project path: ~/snyk_goof/nodejs-goof
Licenses: enabled
Testing ~/snyk_goof/nodejs-goof ...
✗ [High] NoSQL Injection
Path: routes/index.js, line 39
Info: Unsanitized input from the HTTP request body flows into find, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
✗ [High] NoSQL Injection
Path: routes/index.js, line 191
Info: Unsanitized input from an HTTP parameter flows into findById, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
✗ [High] NoSQL Injection
Path: routes/index.js, line 219
Info: Unsanitized input from an HTTP parameter flows into findById, where it is used in an NoSQL query. This may result in an NoSQL Injection vulnerability.
✗ [High] Hardcoded Secret
Path: app.js, line 42
Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in express-session.
✗ [High] Hardcoded Secret
Path: app.js, line 83
Info: Avoid hardcoding values that are meant to be secret. Found a hardcoded string used in here.
✔ Test completed
Organization: 8edf5cac-ca5a-41b4-a80a-4eda2b73940f
Test type: Static code analysis
Project path: ~/snyk_goof/nodejs-goof
Summary:
5 Code issues found
5 [High]
$ snyk iac test terraform/s3/ --severity-threshold=high
From the test output, 34 issues were found.
Snyk Infrastructure as Code
✔ Test completed.
Issues
High Severity Issues: 34
(omitted)
[High] S3 Bucket is publicly readable and writable
Info: That this S3 bucket is publicly writeable without any authentication
or authorization. . That you may be leaking sensitive information to
members of the public and this data could be modified without your
knowledge.
Rule: https://security.snyk.io/rules/cloud/SNYK-CC-TF-19
Path: input > resource > aws_s3_bucket[writable] > acl
File: s3_cis.tf
Resolve: Set the `acl` attribute to `private`, or remove the attribute
-------------------------------------------------------
Test Summary
Organization: masawai
Project name: snyk-labs/infrastructure-as-code-goof
✔ Files without issues: 7
✗ Files with issues: 9
Ignored issues: 0
Total issues: 34 [ 0 critical, 34 high, 0 medium, 0 low ]
-------------------------------------------------------