OSV-Scanner

💎Vulnerabiltiies to be discovered

The next vulnerabilities should be discovered in this sections:

• UBUSEC-PILLOW-OOB

⚙️OSV-Scanner setup

If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.

Use docker exec --interactive --tty static-analysers bash to enter the container where the CLI application is contained.

⚙️Coder setup

If you didn't set up the static-analysis profile's infrastructure, please do so by running the command docker-compose --profile static-analysis up.

Access this link to interact with the application's web user interface. Use the oss-fortress password for login.

📚OSV-Scanner documentation

The OSV-Scanner documentation is available here.

Steps

Scanning for vulnerabilities

1. Based on your knowledge about Ubuntu Portrait, find out all files listing the dependencies of the application.
2. For each of them, create an OSV-Scanner command to scan it and to output the results in a SARIF file, /root/analysis/<listing_id>.sarif.

🚧Solution

To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.

Validating the reported warnings

1. Validate in the code that functions related to the reported vulnerabilities are called. Use the Coder instance in the Docker infrastructure to review the results.

🚧Solution

To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.

Ignoring the false positives with a configuration file

1. Create an OSV-Scanner configuration file in /root/analysis/osv-scanner.conf
2. Specify the configuration file to the previously constructed OSV-Scanner command.
3. Using the configuration file, ignore all vulnerabilities that don't apply for the codebase of Ubuntu Portrait. For each of them, specify the reason.

🚧Solution

To display the solution of this task, enter the text i-surrender-to-the-code-security-gods in the field below.