OSV-Scanner
💎Vulnerabilities to be discovered
The following vulnerabilities should be discovered in this section:
VULN-PILLOW-OOB
⚙️OSV-Scanner setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up. Use docker exec --interactive --tty static-analysers bash to enter the container where the CLI application is contained.
⚙️Coder setup
If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up. Access this link to interact with the application's web user interface. Use the ossfortress password for login.
📚OSV-Scanner documentation
The OSV-Scanner documentation is available here.
Steps
Scanning for vulnerabilities
- Based on your knowledge about Sand Castle, find out all files listing the dependencies of the application.
- For each of them, create an OSV-Scanner command to scan it and to output the results in a SARIF file, /root/analysis/<listing_id>.sarif.
🚧Solution
To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.
Validating the reported warnings
- Validate in the code that functions related to the reported vulnerabilities are called. Use the Coder instance in the Docker infrastructure to review the results.
Ignoring the false positives with a configuration file
- Create an OSV-Scanner configuration file in /root/analysis/osv-scanner.conf.
- Specify the configuration file to the previously constructed OSV-Scanner command.
- Using the configuration file, ignore all vulnerabilities that don't apply for the codebase of Sand Castle. For each of them, specify the reason.
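The three steps above (locate the dependency listings, scan each one into its own SARIF file, then rerun with an ignore configuration) can be scripted end to end. The script below is an added example written for this page; it is not the exercise's gated solution and not part of OSV-Scanner or Sand Castle. It assumes a checkout directory passed as the repo root, an output directory standing in for /root/analysis, and a placeholder vulnerability ID (PLACEHOLDER-VULN-ID) where the real ID reported by OSV-Scanner would go. The sample checkout it creates under mktemp is constructed for the demonstration. The osv-scanner flags used (--lockfile, --format sarif, --output, --config) and the [[IgnoredVulns]] TOML layout with id and reason keys are the tool's documented interface.

```shell
#!/bin/sh
# Added example for the OSV-Scanner exercise; not the page's own solution.
# Assumptions: a Sand Castle-style checkout as repo root, an output directory
# in place of /root/analysis, and PLACEHOLDER-VULN-ID standing in for the ID
# that OSV-Scanner actually reports and that review shows to be unreachable.

# Dependency listings OSV-Scanner reads directly (a subset of the lockfiles it supports).
LISTING_NAMES="requirements.txt Pipfile.lock poetry.lock package-lock.json yarn.lock go.mod Cargo.lock"

# find_listings <repo_root>: print every listing path relative to the root, sorted, one per line.
find_listings() {
    root="$1"
    names_expr=""
    for name in $LISTING_NAMES; do
        names_expr="$names_expr -o -name $name"
    done
    # ${names_expr# -o} drops the leading "-o" so the group starts with "-name".
    (cd "$root" && eval "find . -type f \\( ${names_expr# -o} \\)" | sed 's#^\./##' | sort)
}

# listing_id <relative_path>: derive the <listing_id> for the SARIF file name.
# Only the file's own extension is dropped, so "v1.0/Pipfile" stays "v1.0-Pipfile".
listing_id() {
    path="${1#./}"
    dir=$(dirname "$path")
    base=$(basename "$path")
    base="${base%.*}"
    if [ "$dir" = "." ]; then
        printf '%s\n' "$base"
    else
        printf '%s\n' "$dir/$base" | tr '/' '-'
    fi
}

# build_scan_cmd <repo_root> <listing_rel> <out_dir> <config_file>: print the
# osv-scanner invocation writing <out_dir>/<listing_id>.sarif; --config is
# appended only once the ignore file exists (step 3 of the exercise).
build_scan_cmd() {
    root="$1"; rel="$2"; out_dir="$3"; config="$4"
    id=$(listing_id "$rel")
    cmd="osv-scanner --lockfile $root/$rel --format sarif --output $out_dir/$id.sarif"
    if [ -f "$config" ]; then
        cmd="$cmd --config $config"
    fi
    printf '%s\n' "$cmd"
}

# write_ignore_config <config_file> "ID|reason"...: one [[IgnoredVulns]] table per
# entry, each carrying the reason the finding does not apply (no double quotes in reasons).
write_ignore_config() {
    cfg="$1"; shift
    : > "$cfg"
    for entry in "$@"; do
        id="${entry%%|*}"
        reason="${entry#*|}"
        printf '[[IgnoredVulns]]\nid = "%s"\nreason = "%s"\n\n' "$id" "$reason" >> "$cfg"
    done
}

# Constructed sample checkout standing in for Sand Castle (not the real project tree).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/api" "$SAMPLE/analysis"
printf 'pillow==9.0.0\nflask==2.0.0\n' > "$SAMPLE/api/requirements.txt"
printf '{"name": "sample", "lockfileVersion": 3, "packages": {}}\n' > "$SAMPLE/package-lock.json"

write_ignore_config "$SAMPLE/analysis/osv-scanner.conf" \
    "PLACEHOLDER-VULN-ID|vulnerable function is never called from the Sand Castle code (placeholder ID)"

find_listings "$SAMPLE" | while read -r rel; do
    cmd=$(build_scan_cmd "$SAMPLE" "$rel" "$SAMPLE/analysis" "$SAMPLE/analysis/osv-scanner.conf")
    echo "$cmd"
    # Run only where the CLI exists (inside the static-analysers container);
    # osv-scanner exits non-zero when it finds vulnerabilities, which is not a script error here.
    if command -v osv-scanner >/dev/null 2>&1; then
        eval "$cmd" || true
    fi
done
```

Run it first without the configuration file to collect the raw SARIF reports, review the reported functions in Coder, then fill in the real IDs and reasons and run it again so the ignored entries disappear from the output. Because the reason is stored next to each ID, the configuration file doubles as the audit trail for why each warning was dismissed.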