Code Security Report: 16 high severity findings, 22 total findings [main]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2025-02-26 03:25pm
Total Findings: 22 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 138
Detected Programming Languages: 2 (Go, Python)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	File Manipulation	CWE-73	block_cache_linux.go:979	1	2024-09-13 04:56pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 974 to 979 in 90e2ef9 } // Dump this block to local disk cache f, err := os.Create(localPath) if err == nil { _, err := f.Write(item.block.data[:n]) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in 90e2ef9 f, err := os.Open(localPath) cloudfuse/component/block_cache/block_cache_linux.go Line 919 in 90e2ef9 n, err := f.Read(item.block.data) cloudfuse/component/block_cache/block_cache_linux.go Line 979 in 90e2ef9 _, err := f.Write(item.block.data[:n]) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure Directory Permissions	CWE-732	mount_all.go:343	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 338 to 343 in 90e2ef9 if options.SecureConfig { contConfigFile = contConfigFile + SecureConfigExtension } if _, err := os.Stat(contMountPath); os.IsNotExist(err) { err = os.MkdirAll(contMountPath, 0777) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 343 in 90e2ef9 err = os.MkdirAll(contMountPath, 0777) Secure Code Warrior Training Material
High	Path/Directory Traversal	CWE-22	write.py:16	2	2025-01-15 03:31pm
Vulnerable Code cloudfuse/perf_testing/scripts/write.py Lines 11 to 16 in 90e2ef9 bytes_written = 0 data = os.urandom(blockSize) t1 = time.time() fd = open(os.path.join(mountpath, 'application_'+size+'.data'), 'wb') 2 Data Flow/s detected View Data Flow 1 cloudfuse/perf_testing/scripts/write.py Line 7 in 90e2ef9 size = sys.argv[2] View Data Flow 2 cloudfuse/perf_testing/scripts/write.py Line 6 in 90e2ef9 mountpath = sys.argv[1] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	File Manipulation	CWE-73	block_cache_linux.go:1689	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 1684 to 1689 in 90e2ef9 localDstPath := filepath.Join(bc.tmpPath, options.Dst) files, err := filepath.Glob(localSrcPath + "*") if err == nil { for _, f := range files { err = os.Rename(f, strings.Replace(f, localSrcPath, localDstPath, 1)) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in 90e2ef9 f, err := os.Open(localPath) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure Directory Permissions	CWE-732	block_cache_linux.go:970	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 965 to 970 in 90e2ef9 } item.block.endIndex = item.block.offset + uint64(n) if bc.tmpPath != "" { err := os.MkdirAll(filepath.Dir(localPath), 0755) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 970 in 90e2ef9 err := os.MkdirAll(filepath.Dir(localPath), 0755) Secure Code Warrior Training Material
High	Insecure File Permissions	CWE-732	journal.go:57	1	2025-01-23 05:07pm
Vulnerable Code cloudfuse/component/size_tracker/journal.go Lines 52 to 57 in 90e2ef9 err := common.CreateDefaultDirectory() if err != nil { return nil, fmt.Errorf("Failed to create default work dir [%s]", err.Error()) } f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) 1 Data Flow/s detected cloudfuse/component/size_tracker/journal.go Line 57 in 90e2ef9 f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) Secure Code Warrior Training Material
High	Command Injection	CWE-78	mount_all.go:377	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 372 to 377 in 90e2ef9 updateCliParams(&cliParams, "tmp-path", filepath.Join(fileCachePath, container)) } // Now that we have mount path and config file for this container fire a mount command for this one fmt.Println("Mounting container :", container, "to path ", contMountPath) cmd := exec.Command(mountAllOpts.cloudfuseBinPath, cliParams...) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 69 in 90e2ef9 mountAllOpts.cloudfuseBinPath = os.Args[0] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Command Injection Training ● Videos    ▪ Secure Code Warrior Command Injection Video ● Further Reading    ▪ OWASP testing for Command Injection    ▪ OWASP Command Injection
High	Insecure File Permissions	CWE-732	base_logger.go:186	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/common/log/base_logger.go Lines 181 to 186 in 90e2ef9 fi, e := os.Stat(l.fileConfig.LogFile) if e == nil { l.fileConfig.currentLogSize = uint64(fi.Size()) } var err error l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) 1 Data Flow/s detected cloudfuse/common/log/base_logger.go Line 186 in 90e2ef9 l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) Secure Code Warrior Training Material
High	Insecure File Permissions	CWE-732	stats_export.go:278	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/tools/health-monitor/internal/stats_export.go Lines 273 to 278 in 90e2ef9 fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) fnameNew = fmt.Sprintf("%v_%v_1.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) _ = os.Rename(fname, fnameNew) fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) 1 Data Flow/s detected cloudfuse/tools/health-monitor/internal/stats_export.go Line 278 in 90e2ef9 se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) Secure Code Warrior Training Material
High	File Manipulation	CWE-73	service_windows.go:102	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/service_windows.go Lines 97 to 102 in 90e2ef9 SuggestFor: []string{"uninst", "uninstal"}, Example: "cloudfuse service uninstall", FlagErrorHandling: cobra.ExitOnError, RunE: func(cmd *cobra.Command, args []string) error { startupPath := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup", StartupName) err := os.Remove(startupPath) 1 Data Flow/s detected cloudfuse/cmd/service_windows.go Line 101 in 90e2ef9 startupPath := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup", StartupName) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Command Injection	CWE-78	Go	1
High	File Manipulation	CWE-73	Go	4
High	Path/Directory Traversal	CWE-22	Python	2
High	Insecure Directory Permissions	CWE-732	Go	3
High	Insecure File Permissions	CWE-732	Go	6
Medium	Heap Inspection	CWE-244	Go	5
Low	Weak Hash Strength	CWE-916	Go	1