Comments (7)
The reason this is happening:
lib/sobelow/finding.ex
def fingerprint(%Sobelow.Finding{} = finding) do
...
[finding.type, finding.vuln_source, filename, finding.vuln_line_no]
|> :erlang.term_to_binary()
|> :erlang.md5()
|> Base.encode16()
end
:erlang.term_to_binary() gives a different output depending on your Erlang version. The left is my local machine, right is Github action:
:jason is already a dependency, I vote to switch to JSON for serializing the finding list because you won't have to deal with this problem. Granted it will break old sobelow-skips files, but it's already sort of broken anyway. Maybe do a 1.0 release and warn people that it's a breaking change? There's also a PR open for changing the skip file format anyway, adding a comment with each hash is a good idea - #149
Fun fact, I first ran into the binary_to_term compatibility issue when researching RCE exploits, it shows up everywhere in Elixir security!
from sobelow.
Oh that's a fun one.
One thought to avoid a breaking change but keep the idea of a fingerprint: calculate new fingerprints using :erlang.phash2, which is stable across different architecture + ERTS versions.
The old way of calculating a fingerprint could be checked against the skip list as well, so existing skip files don't break. The same logic applies to a JSON fingerprint as well.
from sobelow.
This is very strange behavior indeed - especially if you've confirmed it's working locally but not in CI! May I ask how you're running Sobelow in your CI environment? Are you using the GitHub Action? Is it installed into the ephemeral environment or the Elixir app you're testing?
EDIT: Just realized in the issue title you specified a GitLab environment - my question still largely remains the same, just ignore the GitHub Action bit 🙂 Does it have its own GitLab job to run or is it a part of a more general test suite job?
from sobelow.
I'm seeing this same issue too in Github actions.
from sobelow.
I ran a custom fork of Sobelow in Github actions that printed out the md5 hashes of the skips, so Sobelow can read the file. Something about the environment is causing the skip logic to break.
from sobelow.
That seems to have done the trick indeed @realcorvus. Generated the .sobelow-skips file in the CI and copied that one to include in our repo.
Thanks a lot for the effort @realcorvus @houllette 🙌
from sobelow.
Someone also pointed out on the EEF Security Slack channel that we can specify a version for term_to_binary instead of having it pick a default, which should prevent breakage between OTP versions moving forward (docs).
It may require regeneration of previously established skip files still, so maybe that isn't ideal and probably won't hold up long term - but it could be a band-aid solution while we look to make a larger change proposed by @sb8244 in #149.
from sobelow.
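To make the proposals in this thread concrete side by side (the phash2 fingerprint suggested a few comments up, the pinned term_to_binary version mentioned just above, and the JSON idea from the first comment), here is an added example. It is not Sobelow's code: the FingerprintDemo struct and its sample values are constructed, SHA-256 for the JSON variant and the 2^32 phash2 range are my choices, and skipped?/2 is a hypothetical helper showing how a skip file could accept old and new fingerprints during a migration.

```elixir
# Added example, not Sobelow's code. Run with: elixir fingerprint_demo.exs
Mix.install([{:jason, "~> 1.4"}])

defmodule FingerprintDemo do
  # Constructed stand-in for Sobelow.Finding: only the four fields the
  # posted fingerprint/1 reads. The struct and sample values are assumptions.
  defstruct [:type, :vuln_source, :filename, :vuln_line_no]

  def sample do
    %__MODULE__{
      type: "XSS.Raw",
      vuln_source: :conn,
      filename: "lib/my_app_web/controllers/page_controller.ex",
      vuln_line_no: 12
    }
  end

  defp key(%__MODULE__{} = f), do: [f.type, f.vuln_source, f.filename, f.vuln_line_no]

  # 1. The scheme from the thread: term_to_binary with default options.
  #    Which external term format the default picks depends on the ERTS
  #    release, so the same finding can hash differently locally and in CI.
  def legacy_fingerprint(f) do
    key(f) |> :erlang.term_to_binary() |> :erlang.md5() |> Base.encode16()
  end

  # 2. Same pipeline, but the minor_version option is set explicitly
  #    instead of taking the release-dependent default.
  def pinned_fingerprint(f) do
    key(f)
    |> :erlang.term_to_binary(minor_version: 2)
    |> :erlang.md5()
    |> Base.encode16()
  end

  # 3. :erlang.phash2/2 is documented as portable across architectures
  #    and ERTS versions. The default range is 2^27; widen it to 2^32
  #    so distinct findings are less likely to collide.
  def phash2_fingerprint(f), do: :erlang.phash2(key(f), 4_294_967_296)

  # 4. JSON serialization (Jason is already a dependency per the thread),
  #    hashed with SHA-256 (hash choice is an assumption). The bytes depend
  #    only on the JSON encoder, not on the ERTS term format.
  def json_fingerprint(f) do
    :crypto.hash(:sha256, Jason.encode!(key(f))) |> Base.encode16()
  end

  # Hypothetical skip-file lookup that accepts the old fingerprint next to
  # the new ones, so existing .sobelow-skips entries keep working.
  def skipped?(f, skip_entries) when is_list(skip_entries) do
    candidates =
      MapSet.new([
        legacy_fingerprint(f),
        pinned_fingerprint(f),
        Integer.to_string(phash2_fingerprint(f))
      ])

    Enum.any?(skip_entries, &MapSet.member?(candidates, &1))
  end

  def demo do
    f = sample()
    IO.puts("OTP release: #{:erlang.system_info(:otp_release)}")
    IO.puts("legacy  : " <> legacy_fingerprint(f))
    IO.puts("pinned  : " <> pinned_fingerprint(f))
    IO.puts("phash2  : " <> Integer.to_string(phash2_fingerprint(f)))
    IO.puts("json    : " <> json_fingerprint(f))
    # An entry written by the legacy scheme on this same release still matches.
    IO.puts("skipped by legacy entry: #{skipped?(f, [legacy_fingerprint(f)])}")
    # An entry for a different line of the same file does not.
    other = %{f | vuln_line_no: 13}
    IO.puts("skipped by other entry : #{skipped?(f, [legacy_fingerprint(other)])}")
  end
end

FingerprintDemo.demo()
```

Run the script under two different OTP releases (for example locally and in the CI image) and compare the four lines: the legacy value is the one that can differ between runs, while the pinned, phash2 and JSON values are the candidates for a stable skip-file key.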
Related Issues (20)
- LiveView Support
- castore vsn requirement HOT 3
- CAStore error when running as standalone script HOT 7
- DevEx: consider defaulting to [FILE_PATH]:[LINE_NUMBER] format for default vulnerability output HOT 2
- Too much info in --details / -d output HOT 2
- Creating Performance Testing Suite
- Misc.BinToTerm with [:safe] option HOT 2
- (Protocol.UndefinedError) error HOT 8
- Source code with range traversal crashes sobelow HOT 6
- Update and fix warnings for new Elixir version
- Misses vector if function contains bang operator (!) HOT 1
- Better granularity of SQL injection HOT 2
- Pipeline error for sobelow HOT 2
- sobelow should not accept `# sobelow_skip` that are not needed HOT 4
- sobelow does not analyse `sigil_H` HOT 1
- (ArgumentError) ranges (first..last) expect both sides to be integers, got: 1..1.0 HOT 7
- sobelow should have better default flags HOT 2
- Sobelow does not detect when secrets are in the test env HOT 1
- `--no-router` flag for use in non-Phoenix projects HOT 1