ZupIT / horusec

Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command.

Home Page: https://horusec.io/

Vulnerability critical in temporary folder horusec

risonaldomoura opened this issue · comments

What happened:
The result of the horusec analysis is always 47 possible vulnerabilities. Looking at the vulnerability log, I can see that these vulnerabilities are in the horusec folder and not in my code. This is confusing for me, because this folder is temporary and is created by horusec itself.

What you expected to happen:
The Horusec analysis should show only vulnerabilities in my code, and not in the horusec temporary folder.

How to reproduce it (as minimally and precisely as possible):
Run a Jenkins pipeline and configure the Horusec stage in the Jenkinsfile this way:

stage('Horusec') {
    steps {
        script {
            // 'remote' is the connection map consumed by the SSH Pipeline Steps plugin
            // (sshCommand below); it is assumed to be declared earlier in the Jenkinsfile.
            withCredentials([usernamePassword(credentialsId: 'macos', passwordVariable: 'pass', usernameVariable: 'user')]) {
                remote.name = "$user"
                remote.host = "192.168.0.196"
                remote.user = "$user"
                remote.password = "$pass"
                remote.allowAnyHosts = true
                remote.pty = true
            }
            // Install horusec on the macOS host over SSH (install.sh needs sudo)
            sshCommand remote: remote, command: "curl -fsSL 'https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh' | bash -s latest", sudo: true
            // Scan the current workspace; -e="true" makes the step fail on findings
            sh 'horusec start -p="./" -e="true"'
        }
    }
}

note: I'm using the withCredentials method because there is a sudo command in the install.sh script from horusec.

Anything else we need to know?:
The environment is a Docker container and Kubernetes. Jenkins is a Docker image that uses an agent to run the pipeline with the horusec analysis.

Environment:

horusec version
Version: v2.8.0
Git commit: df32c1c
Built: Wed Jun 08 13:57:08 2022
Distribution: normal

docker version
Version: 4.0.1 (68347)

kubernetes version
Version: v1.21.4

Agent Operational System
Version: macOS Monterey 12.4

Part of the vulnerabilities log:

Language: Leaks
Severity: CRITICAL
Line: 12552
Column: 2240
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /Users/rosinaldomoura/jenkins-agent/workspace/deploy_ios/horusec
Code: AAAAACWACMAQwTBOTTOMLAYER_MRLASTWIDTHBZbsTlEFENAOUGToAAKuVkFBackbone.View.prototypeBlocks.Sources.Co
RuleID: HS-LEAKS-2
Type: Vulnerability
ReferenceHash: 166ca00a2d9e250b1296bda89390dc84dfec52f0c7a4f49ec4e2c3c0bbc679e5
Details: (1/1) * Possible vulnerability detected: AWS Secret Key
When use AWS Secret Key is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-798 (https://cwe.mitre.org/data/definitions/798.html) advisory.

==================================================================================

Language: Leaks
Severity: CRITICAL
Line: 12531
Column: 14328
SecurityTool: HorusecEngine
Confidence: MEDIUM
File: /Users/rosinaldomoura/jenkins-agent/workspace/deploy_ios/horusec
Code: Twitter Secret KeyTypeStringResolverUNI_SUR_HIGH_STARTUNKNOWN_SETTING_%dUNREGISTER_SERVICEUNSPEC_REA
RuleID: HS-LEAKS-7
Type: Vulnerability
ReferenceHash: f100d931332bc1543292c2f653f70f343abe80fad32aa2a38d35831c104832b2
Details: (1/1) * Possible vulnerability detected: Twitter Client ID
When use Twitter Client ID is recommended use vault or environment variable encrypted for the best security. For more information checkout the CWE-312 (https://cwe.mitre.org/data/definitions/312.html) advisory.

==================================================================================

In this analysis, a total of 47 possible vulnerabilities were found and we classified them into:
Total of Vulnerability CRITICAL is: 47

==================================================================================


time="2022-06-15T14:52:31-03:00" level=warning msg="{HORUSEC_CLI} No authorization token was found, your code it is not going to be sent to horusec. Please enter a token with the -a flag to configure and save your analysis"

time="2022-06-15T14:52:31-03:00" level=warning msg="{HORUSEC_CLI} 47 VULNERABILITIES WERE FOUND IN YOUR CODE SENT TO HORUSEC, TO SEE MORE DETAILS USE THE LOG LEVEL AS DEBUG AND TRY AGAIN"

time="2022-06-15T14:52:31-03:00" level=warning msg="{HORUSEC_CLI} Horusec not show info vulnerabilities in this analysis, to see info vulnerabilities add option \"--information-severity=true\". For more details use (horusec start --help) command."
Error: analysis finished with blocking vulnerabilities

[Pipeline] }
[Pipeline] // script
[Pipeline] }
[Pipeline] // stage
[Pipeline] }
[Pipeline] // withEnv
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
ERROR: script returned exit code 1
Finished: FAILURE

hello @risonaldomoura, thanks for your contribution

As I understand from the report, it is encountering problems in the horusec binary, which is in the same folder you are trying to analyze. Try changing your command to
horusec start -p . -e true -i="**/horusec, **/.horusec/**"
so the analysis will ignore this binary and the .horusec folder.
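The check behind the reply above, as an added example that is not part of this issue or of the horusec project: a small POSIX shell helper that, before a scan, lists any horusec binary or .horusec working folder that has ended up inside the project path (both get scanned as if they were project code, and the "Code:" fields in the log above are byte runs from that binary), and builds the scan command with the same ignore globs the reply suggests. The workspace layout in demo() is constructed for the example, and the function names are my own, not horusec's.

```shell
#!/usr/bin/env sh
# Added example, not horusec project code. Needs only POSIX sh, find and sort.

# Print, one per line and relative to $1, the scanner artifacts that horusec
# would otherwise treat as project code: a file named 'horusec' (the binary
# dropped by the installer) and a directory named '.horusec' (its work folder).
stray_scanner_artifacts() {
    dir=$1
    ( cd "$dir" && find . \( -type f -name horusec \) -o \( -type d -name .horusec -prune \) | sort )
}

# Return 0 when the project path holds no scanner artifacts, 1 otherwise
# (the offending paths go to stderr so a pipeline log shows why it stopped).
assert_no_scanner_artifacts() {
    found=$(stray_scanner_artifacts "$1")
    if [ -n "$found" ]; then
        printf 'scanner artifacts inside project path %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Build the scan command with the ignore globs from the reply:
# "**/horusec" skips the binary, "**/.horusec/**" skips the temporary folder.
horusec_scan_cmd() {
    dir=$1
    printf 'horusec start -p "%s" -e true -i="**/horusec, **/.horusec/**"\n' "$dir"
}

# Demo on a constructed workspace; no horusec install is required.
demo() {
    ws=$(mktemp -d)
    mkdir -p "$ws/src" "$ws/.horusec"
    printf 'package main\n' > "$ws/src/main.go"
    printf 'placeholder standing in for the downloaded binary\n' > "$ws/horusec"
    stray_scanner_artifacts "$ws"
    assert_no_scanner_artifacts "$ws" || echo "scan would report findings from the scanner itself"
    horusec_scan_cmd "$ws"
    rm -rf "$ws"
}
```

In a pipeline, run `assert_no_scanner_artifacts "$WORKSPACE"` before the scan (or install the binary outside the workspace, e.g. /usr/local/bin, as install.sh intends) and keep the `-i` globs as a second line of defence, since a stale .horusec folder from an earlier run would trip the same rules.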