colin
/
ploughshares
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ploughshares/scan-results.md

86 lines
3.1 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Ploughshares Security and Code Quality Scan Results
## Deployment Status
**Application successfully deployed**
- Web application running at http://localhost:5001
- API documentation available at http://localhost:5001/api-docs
## Test Results
### Functionality Tests
**All tests passed**
- Core imports verified
- API routes verified
### Code Quality Tests
**All tests passed**
- Python syntax valid
- No inappropriate print statements
### Dependency Tests
**Basic tests passed**
- requirements.txt exists
- No known vulnerable package versions in hardcoded list
## Security Scan Results
### Dependency Vulnerabilities (Safety)
⚠️ **Multiple vulnerabilities detected in dependencies**
| Package | Installed | Affected | Issue ID |
|------------|-----------|-------------------------|----------|
| flask | 2.2.2 | <2.2.5 | 55261 |
| flask | 2.2.2 | <3.1.1 | 77323 |
| requests | 2.28.1 | <2.32.2 | 71064 |
| requests | 2.28.1 | >=2.3.0,<2.31.0 | 58755 |
| gunicorn | 20.1.0 | <21.2.0 | 72780 |
| gunicorn | 20.1.0 | <22.0.0 | 71600 |
| gunicorn | 20.1.0 | <23.0.0 | 76244 |
| werkzeug | 2.3.7 | <2.3.8 | 62019 |
| werkzeug | 2.3.7 | <3.0.3 | 71594 |
| werkzeug | 2.3.7 | <3.0.6 | 73969 |
| werkzeug | 2.3.7 | <3.0.6 | 73889 |
| werkzeug | 2.3.7 | <=2.3.7 | 71595 |
| jinja2 | 3.1.2 | <3.1.3 | 64227 |
| jinja2 | 3.1.2 | <3.1.4 | 71591 |
| jinja2 | 3.1.2 | <3.1.5 | 76378 |
| jinja2 | 3.1.2 | <3.1.5 | 74735 |
| jinja2 | 3.1.2 | <3.1.6 | 75976 |
### Code Security Issues (Bandit)
**3 potential security issues detected**
1. **Hardcoded Password String** (Severity: Low, Confidence: Medium)
- Location: app.py:20
- Issue: `app.secret_key = 'supersecretkey'`
- CWE-259: Use of Hard-coded Password
2. **Binding to All Interfaces** (Severity: Medium, Confidence: Medium)
- Location: app.py:220
- Issue: `app.run(host='0.0.0.0', port=port)`
- CWE-605: Multiple Binds to the Same Port
3. **Hardcoded Password in Function Argument** (Severity: Low, Confidence: Medium)
- Location: init_db.py:6-11
- Issue: `password="testpass"` in database connection
- CWE-259: Use of Hard-coded Password
## Recommendations
### Immediate Actions
1. **Update vulnerable dependencies** to their latest secure versions
2. **Replace hardcoded secrets** with environment variables
3. **Restrict network binding** in development environments
### Long-term Improvements
1. Implement **secret management** solution
2. Add **continuous security scanning** in CI/CD pipeline
3. Establish **dependency update policy**
## Next Steps
1. Run `./install-codechecks.sh` to install all required code quality tools
2. Update dependencies to secure versions
3. Address security findings
Reference in New Issue View Git Blame Copy Permalink