Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/zricethezav-gitleaks-8.x/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/zricethezav-gitleaks-8.x/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/ossf-scorecard-action-digest/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/ossf-scorecard-action-digest/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/github-codeql-action-digest/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/renovate/github-codeql-action-digest/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

• Update actions/checkout action to v3.5.3
• Update aquasecurity/trivy-action action to v0.11.2
• Update github/codeql-action action to v2.20.4
• Update ossf/scorecard-action action to v2.2.0
• Update step-security/harden-runner action to v2.4.1

⚠ Dependency Lookup Warnings ⚠

• Renovate failed to look up the following dependencies: Could not determine new digest for update (datasource: github-tags).

Files affected: .github/workflows/trivy.yml

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting String near e, },

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Report

Results

• [ERROR] [CVE-2022-24823] CVE-2022-24823 - Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-httpprior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's ownjava.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir\(...\) to set the directory to something that is only readable by the current user.

Suppressed Results

Nothing here.

Rules information

- CVE-2022-24823 [undefined] 

> Medium severity - CVE-2022-24823 Exposure of Resource to Wrong Sphere vulnerability in pkg:maven/io.netty/[email protected]

Describe the Feature Request

The issues created when the issue-test.yaml workflow runs are needed for testing purposes but will clutter the issues.
These issues should be removed automatically within a short time.

Describe the Use Case

Keep the issues list from getting cluttered with the expected output of the issues generation tests.

Describe Preferred Solution

Use a popular existing action solution with good reviews.

Describe Alternatives

No response

Related Code

No response

Additional Information

No response

Describe the User Story

As an OWASP Dependency Check user,
So that I can see vulnerability issues found by scheduled GitHub actions that run OWASP Dependency Check,
I want to have an action that will post SARIF results to an issue in my repo.

Acceptance Criteria

• A scheduled action runs sarif-to-issue and creates an issue in a repo
• The API for the action does not require the user to pre-calculate any inputs. They should be available from the action context.
• [ ]

Definition of Done

• Acceptance criteria met
• Usability tests passed - this user story should be easy to use by real users
• Code refactored for clarity - code must be clean, self-documenting code
• Dependency Rule followed - higher-level code should not depend directly on lower-level code
• Source code merged
• Unit test coverage of our code > 90%
• Security reviewed and reported - includes vulnerability and compliance scanning
• Code quality checks passed
• Build process updated if needed
• API documentation updated if needed

Additional Information

No response

Related Feature Request

No response

Report

Results

• [ERROR] [js/xss] Cross-site scripting vulnerability due to \[user-provided value\]\(1\).
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss.js#L4
  • https://github.com/tomwillis608/sarif-to-issue-action/blob/issue/7/add-an-action/examples/Xss2.js#L4

Suppressed Results

Nothing here.

Rules information

- js/xss [error] 

> Client-side cross-site scripting

Describe the User Story

As an engineer using OWASP Dependency Check (ODC) in my CI system,
So that I can see what vulnerability findings are in my repository,
I want to see ODC findings in an issue.

Acceptance Criteria

• Given an ODC dialect SARIF file exists
  When the action is run on that file
  Then the file is formatted correctly and added to the issue

Definition of Done

• Acceptance criteria met
• Usability tests passed - this user story should be easy to use by real users
• Code refactored for clarity - code must be clean, self-documenting code
• Dependency Rule followed - higher-level code should not depend directly on lower-level code
• Source code merged
• Unit test coverage of our code > 90%
• Security reviewed and reported - includes vulnerability and compliance scanning
• Code quality checks passed
• Build process updated if needed
• API documentation updated if needed

Additional Information

Support for OWASP dependency-check

To make an OWASP dependency-check SARIF file work for the converter,
you need to add an expected defaultConfiguration element to each rules object.

jq '.runs[].tool.driver.rules[] |= . +
  {"defaultConfiguration": { "level": "error"}}' test/fixtures/odc.sarif >odc-mod.sarif

Related Feature Request

No response