Code Security Report: 16 high severity findings, 22 total findings [main]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2025-03-20 06:25pm
Total Findings: 22 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 140
Detected Programming Languages: 2 (Python, Go)

• Check this box to manually trigger a scan

Most Relevant Findings

The list below presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend Application.

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	File Manipulation	CWE-73	block_cache_linux.go:979	1	2024-09-13 04:56pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 974 to 979 in b6fb163 } // Dump this block to local disk cache f, err := os.Create(localPath) if err == nil { _, err := f.Write(item.block.data[:n]) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in b6fb163 f, err := os.Open(localPath) cloudfuse/component/block_cache/block_cache_linux.go Line 919 in b6fb163 n, err := f.Read(item.block.data) cloudfuse/component/block_cache/block_cache_linux.go Line 979 in b6fb163 _, err := f.Write(item.block.data[:n]) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure Directory Permissions	CWE-732	mount_all.go:343	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 338 to 343 in b6fb163 if options.SecureConfig { contConfigFile = contConfigFile + SecureConfigExtension } if _, err := os.Stat(contMountPath); os.IsNotExist(err) { err = os.MkdirAll(contMountPath, 0777) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 343 in b6fb163 err = os.MkdirAll(contMountPath, 0777) Secure Code Warrior Training Material
High	Path/Directory Traversal	CWE-22	write.py:16	2	2025-01-15 03:31pm
Vulnerable Code cloudfuse/perf_testing/scripts/write.py Lines 11 to 16 in b6fb163 bytes_written = 0 data = os.urandom(blockSize) t1 = time.time() fd = open(os.path.join(mountpath, 'application_'+size+'.data'), 'wb') 2 Data Flow/s detected View Data Flow 1 cloudfuse/perf_testing/scripts/write.py Line 7 in b6fb163 size = sys.argv[2] View Data Flow 2 cloudfuse/perf_testing/scripts/write.py Line 6 in b6fb163 mountpath = sys.argv[1] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	File Manipulation	CWE-73	block_cache_linux.go:1689	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 1684 to 1689 in b6fb163 localDstPath := filepath.Join(bc.tmpPath, options.Dst) files, err := filepath.Glob(localSrcPath + "*") if err == nil { for _, f := range files { err = os.Rename(f, strings.Replace(f, localSrcPath, localDstPath, 1)) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 913 in b6fb163 f, err := os.Open(localPath) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet
High	Insecure Directory Permissions	CWE-732	block_cache_linux.go:970	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/component/block_cache/block_cache_linux.go Lines 965 to 970 in b6fb163 } item.block.endIndex = item.block.offset + uint64(n) if bc.tmpPath != "" { err := os.MkdirAll(filepath.Dir(localPath), 0755) 1 Data Flow/s detected cloudfuse/component/block_cache/block_cache_linux.go Line 970 in b6fb163 err := os.MkdirAll(filepath.Dir(localPath), 0755) Secure Code Warrior Training Material
High	Insecure File Permissions	CWE-732	journal.go:57	1	2025-01-23 05:07pm
Vulnerable Code cloudfuse/component/size_tracker/journal.go Lines 52 to 57 in b6fb163 err := common.CreateDefaultDirectory() if err != nil { return nil, fmt.Errorf("Failed to create default work dir [%s]", err.Error()) } f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) 1 Data Flow/s detected cloudfuse/component/size_tracker/journal.go Line 57 in b6fb163 f, err := os.OpenFile(journalFile, os.O_CREATE|os.O_RDWR, 0644) Secure Code Warrior Training Material
High	Command Injection	CWE-78	mount_all.go:377	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/mount_all.go Lines 372 to 377 in b6fb163 updateCliParams(&cliParams, "tmp-path", filepath.Join(fileCachePath, container)) } // Now that we have mount path and config file for this container fire a mount command for this one fmt.Println("Mounting container :", container, "to path ", contMountPath) cmd := exec.Command(mountAllOpts.cloudfuseBinPath, cliParams...) 1 Data Flow/s detected cloudfuse/cmd/mount_all.go Line 69 in b6fb163 mountAllOpts.cloudfuseBinPath = os.Args[0] Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Command Injection Training ● Videos    ▪ Secure Code Warrior Command Injection Video ● Further Reading    ▪ OWASP testing for Command Injection    ▪ OWASP Command Injection
High	Insecure File Permissions	CWE-732	base_logger.go:186	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/common/log/base_logger.go Lines 181 to 186 in b6fb163 fi, e := os.Stat(l.fileConfig.LogFile) if e == nil { l.fileConfig.currentLogSize = uint64(fi.Size()) } var err error l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) 1 Data Flow/s detected cloudfuse/common/log/base_logger.go Line 186 in b6fb163 l.logFileHandle, err = os.OpenFile(l.fileConfig.LogFile, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644) Secure Code Warrior Training Material
High	Insecure File Permissions	CWE-732	stats_export.go:278	1	2025-01-14 09:10pm
Vulnerable Code cloudfuse/tools/health-monitor/internal/stats_export.go Lines 273 to 278 in b6fb163 fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) fnameNew = fmt.Sprintf("%v_%v_1.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) _ = os.Rename(fname, fnameNew) fname = fmt.Sprintf("%v_%v.%v", baseName, hmcommon.Pid, hmcommon.OutputFileExtension) se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) 1 Data Flow/s detected cloudfuse/tools/health-monitor/internal/stats_export.go Line 278 in b6fb163 se.opFile, err = os.OpenFile(fname, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) Secure Code Warrior Training Material
High	File Manipulation	CWE-73	service_windows.go:98	1	2024-04-02 02:23pm
Vulnerable Code cloudfuse/cmd/service_windows.go Lines 93 to 98 in b6fb163 SuggestFor: []string{"uninst", "uninstal"}, Example: "cloudfuse service uninstall", FlagErrorHandling: cobra.ExitOnError, RunE: func(cmd *cobra.Command, args []string) error { startupPath := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup", StartupName) err := os.Remove(startupPath) 1 Data Flow/s detected cloudfuse/cmd/service_windows.go Line 97 in b6fb163 startupPath := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup", StartupName) Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior File Manipulation Training ● Videos    ▪ Secure Code Warrior File Manipulation Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet

Findings Overview

Severity	Vulnerability Type	CWE	Language	Count
High	Command Injection	CWE-78	Go	1
High	File Manipulation	CWE-73	Go	4
High	Path/Directory Traversal	CWE-22	Python	2
High	Insecure Directory Permissions	CWE-732	Go	3
High	Insecure File Permissions	CWE-732	Go	6
Medium	Heap Inspection	CWE-244	Go	5
Low	Weak Hash Strength	CWE-916	Go	1