
Avoid false positives from the vulnerability scanner.

Paal Kvamme requested to merge kvamme62/vulnerability into master


(1) Remove the --dropcache option from zgycopyc. This feature is obscure and can easily be added back when needed for performance tests.

(2) Don't build "utils" and "examples" folders from the third party ZFP tarball. We don't use them anyway. This should clear many of the red flags.

(3) Done but commented out: Patch the ZFP source code to rename a member function from access() to access_(). There is a bug in the scanner: it believes this member function is actually the ::access() from libc. Whether to include that patch or not depends on how important it is to avoid suppressions in the report. Patching the code adds a small risk, and besides it is quite possible that this bug in the scanner will be fixed soon anyway.

(4) Will not fix (false positive): requirements.txt. CVE-2018-20225 only applies when --extra-index-url is used.

(5) Not done yet: sprintf_s() in timer.cpp. Dismissed because the function is only used internally and can only be passed one of a fixed set of format strings. So no, it cannot be influenced by an attacker unless said attacker can call arbitrary private code. And in that case all is lost anyway. Refactoring to remove the warning is possible but doesn't seem to be worth the trouble.
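The distinction item (5) relies on, a printf-family call whose format string is selected from a fixed compile-time set versus one whose format string is caller-supplied, and the kind of refactoring that would make the finding go away instead of being suppressed, shown as an added example. This is not code from timer.cpp or from the project; the function names, the enum and the two format strings are assumptions made up for the illustration, and snprintf stands in for sprintf_s because sprintf_s (C11 Annex K / MSVC) is not available in glibc.

```cpp
// Added example, not project code. The real timer.cpp is not shown in the
// merge request, so every name and format below is an assumption.
#include <cstdio>
#include <iomanip>
#include <sstream>
#include <string>

// The format string is chosen by an enum, i.e. from a fixed set known at
// compile time. Nothing a caller passes in reaches the format argument, which
// is why the MR treats the scanner finding as a false positive.
enum class Style { Seconds, Millis };

std::string format_elapsed_printf(double seconds, Style style)
{
    static const char* const kFormats[] = {
        "%.3f s",   // Style::Seconds
        "%.1f ms",  // Style::Millis
    };
    const char* fmt = kFormats[static_cast<int>(style)];
    double value = (style == Style::Millis) ? seconds * 1000.0 : seconds;
    char buf[64];
    // snprintf rather than sprintf_s so this compiles with gcc/clang;
    // the property being demonstrated (fixed format, bounded buffer) is the same.
    std::snprintf(buf, sizeof buf, fmt, value);
    return buf;
}

// The pattern a format-string check is really hunting for: the format comes
// from the caller, so "%s%s%n" from an untrusted source would be interpreted.
// Kept as a comment only, as a contrast, not as something to copy:
//   std::string fmt_any(const char* fmt, double v) {
//       char b[64]; std::snprintf(b, sizeof b, fmt, v); return b; }

// The refactoring mentioned in item (5): same text, no printf-family call at
// all, so there is nothing left for the scanner to flag and no suppression
// to maintain in the report.
std::string format_elapsed_stream(double seconds, Style style)
{
    std::ostringstream out;
    out << std::fixed;
    if (style == Style::Millis)
        out << std::setprecision(1) << seconds * 1000.0 << " ms";
    else
        out << std::setprecision(3) << seconds << " s";
    return out.str();
}

// Both variants must agree before the refactor is worth merging.
bool formats_agree(double seconds, Style style)
{
    return format_elapsed_printf(seconds, style) ==
           format_elapsed_stream(seconds, style);
}
```

The trade-off in the description is visible here: the enum-indexed table is already safe, and the stream version only buys a cleaner scanner report at the cost of touching working code, which is the "small risk" the same description weighs for the ZFP patch.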
