
Markdown scanner #9

Open
lperry022 wants to merge 12 commits into main from markdown-scanner

Conversation

@lperry022
Owner

No description provided.

@github-actions

🔒 OWASP Scanner Results

Vulnerabilities were detected:

### File: .github/workflows/owasp.yml

```
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 15, in
    main()
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 12, in main
    scanner.report()
    ^^^^^^^^^^^^^^
AttributeError: 'VulnerabilityScanner' object has no attribute 'report'
```


### File: scanner/core.py

```
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 15, in
    main()
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 12, in main
    scanner.report()
    ^^^^^^^^^^^^^^
AttributeError: 'VulnerabilityScanner' object has no attribute 'report'
```


### File: tests/test_negative.py

```
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 15, in
    main()
  File "/home/runner/work/owasp-scanner/owasp-scanner/scanner/main.py", line 12, in main
    scanner.report()
    ^^^^^^^^^^^^^^
AttributeError: 'VulnerabilityScanner' object has no attribute 'report'
```
File tests/test_negative.py does not exist.

⛔ Please address these before merging.

@github-actions

🔒 OWASP Scanner Results

No vulnerabilities detected.

### File: .github/workflows/owasp.yml

🔒 OWASP Scanner Results for .github/workflows/owasp.yml

✅ No vulnerabilities found.


### File: scanner/core.py

🔒 OWASP Scanner Results for scanner/core.py

✅ No vulnerabilities found.


### File: scanner/main.py

🔒 OWASP Scanner Results for scanner/main.py

✅ No vulnerabilities found.


### File: tests/test_negative.py

File tests/test_negative.py does not exist.

⚠️ File tests/test_negative.py not found

✅ Good to go.

@github-actions

🔒 OWASP Scanner Results

No vulnerabilities detected.

### File: .github/workflows/owasp.yml

🔒 OWASP Scanner Results for .github/workflows/owasp.yml

✅ No vulnerabilities found.


### File: scanner/core.py

🔒 OWASP Scanner Results for scanner/core.py

✅ No vulnerabilities found.


### File: scanner/main.py

🔒 OWASP Scanner Results for scanner/main.py

✅ No vulnerabilities found.


### File: tests/test_negative.py

File tests/test_negative.py does not exist.

⚠️ File tests/test_negative.py not found


### File: tests/test_positive.py

🔒 OWASP Scanner Results for tests/test_positive.py

✅ No vulnerabilities found.

✅ Good to go.

@github-actions

🔒 OWASP Scanner Results

No vulnerabilities detected.

### File: .github/workflows/owasp.yml

🔒 OWASP Scanner Results for .github/workflows/owasp.yml

✅ No vulnerabilities found.


### File: scanner/core.py

🔒 OWASP Scanner Results for scanner/core.py

✅ No vulnerabilities found.


### File: scanner/main.py

🔒 OWASP Scanner Results for scanner/main.py

✅ No vulnerabilities found.


### File: tests/test_negative.py

File tests/test_negative.py does not exist.

⚠️ File tests/test_negative.py not found

✅ Good to go.

@github-actions

🔒 OWASP Scanner Results

Vulnerabilities were detected:

### File: .github/workflows/owasp.yml

🔒 OWASP Scanner Results for .github/workflows/owasp.yml

✅ No vulnerabilities found.


### File: scanner/core.py

🔒 OWASP Scanner Results for scanner/core.py

✅ No vulnerabilities found.


### File: scanner/main.py

🔒 OWASP Scanner Results for scanner/main.py

✅ No vulnerabilities found.


### File: tests/test_negative.py

File tests/test_negative.py does not exist.

⚠️ File tests/test_negative.py not found


### File: tests/test_positive.py

🔒 OWASP Scanner Results for tests/test_positive.py

A01: Injection (2 findings)

Summary: HIGH: 2

  • Line 72 | Severity HIGH | Confidence MEDIUM
    → SQL query created via string concatenation: query = "SELECT * FROM users WHERE username = '" + user_input + "'"
  • Line 76 | Severity HIGH | Confidence HIGH
    → Suspicious query passed to execute(): cursor.execute(query)

A02: Broken Access Control (2 findings)

Summary: HIGH: 1, MEDIUM: 1

  • Line 30 | Severity HIGH | Confidence HIGH
    → Flask route appears without an auth decorator: @app.route("/admin")
  • Line 36 | Severity MEDIUM | Confidence HIGH
    → Flask route appears without an auth decorator: @app.route("/login")

A03: Sensitive Data Exposure (5 findings)

Summary: HIGH: 5

  • Line 12 | Severity HIGH | Confidence MEDIUM
    → Potential hardcoded sensitive data: SECRET_KEY = "changeme"
  • Line 18 | Severity HIGH | Confidence MEDIUM
    → Potential hardcoded sensitive data: password = "SuperSecret123"
  • Line 19 | Severity HIGH | Confidence MEDIUM
    → Potential hardcoded sensitive data: api_key = "sk_test_123456"
  • Line 20 | Severity HIGH | Confidence HIGH
    → Weak hashing algorithm detected: hashlib.md5(b"weak")
  • Line 24 | Severity HIGH | Confidence MEDIUM
    → Potential hardcoded sensitive data: default_password = "password"

A05: Security Misconfiguration (7 findings)

Summary: HIGH: 2, MEDIUM: 5

  • Line 12 | Severity HIGH | Confidence HIGH
    → Hardcoded secret or credential in config context: SECRET_KEY = '***'
  • Line 13 | Severity MEDIUM | Confidence MEDIUM
    → ALLOWED_HOSTS permits all hosts: ALLOWED_HOSTS = ['*']
  • Line 14 | Severity MEDIUM | Confidence MEDIUM
    → Insecure cookie or transport flag: SESSION_COOKIE_SECURE = False
  • Line 15 | Severity MEDIUM | Confidence MEDIUM
    → Insecure cookie or transport flag: CSRF_COOKIE_SECURE = False
  • Line 18 | Severity MEDIUM | Confidence HIGH
    → Hardcoded secret or credential in config context: password = '***'
  • Line 19 | Severity MEDIUM | Confidence HIGH
    → Hardcoded secret or credential in config context: api_key = '***'
  • Line 79 | Severity HIGH | Confidence MEDIUM
    → Flask debug mode is enabled: app.run(debug=True)

A06: Vulnerable and Outdated Components (2 findings)

Summary: MEDIUM: 2

  • Line 46 | Severity MEDIUM | Confidence LOW
    → Dependency pin detected (manual review required): flask==0.12
  • Line 47 | Severity MEDIUM | Confidence LOW
    → Dependency pin detected (manual review required): django==1.11

A07: Identification and Authentication Failures (4 findings)

Summary: HIGH: 4

  • Line 23 | Severity HIGH | Confidence HIGH
    → Hardcoded default username detected: username = "admin"
  • Line 24 | Severity HIGH | Confidence HIGH
    → Hardcoded default password detected: default_password = "password"
  • Line 25 | Severity HIGH | Confidence HIGH
    → Insecure TLS verification disabled: requests.get("https://example.com", verify=False)
  • Line 36 | Severity HIGH | Confidence MEDIUM
    → Authentication-related route without explicit auth checks: @app.route("/login")

A08: Software and Data Integrity Failures (4 findings)

Summary: HIGH: 4

  • Line 52 | Severity HIGH | Confidence HIGH
    → Use of dangerous dynamic evaluation: result = eval(user_code)
  • Line 53 | Severity HIGH | Confidence MEDIUM
    → Unsafe YAML load detected; use yaml.safe_load(): data = yaml.load("key: value")
  • Line 57 | Severity HIGH | Confidence HIGH
    → Potential unsafe deserialization via pickle: obj = pickle.load(fh)
  • Line 58 | Severity HIGH | Confidence MEDIUM
    → subprocess call with shell=True detected: subprocess.run("echo hi", shell=True)

A09: Security Logging and Monitoring Failures (3 findings)

Summary: MEDIUM: 3

  • Line 36 | Severity MEDIUM | Confidence LOW
    → Print used in authentication flow; prefer structured, secure logging.
  • Line 63 | Severity MEDIUM | Confidence LOW
    → Exception handled with print() instead of proper logging/alerting near: except:
  • Line 64 | Severity MEDIUM | Confidence MEDIUM
    → Possible secret printed to stdout: print("error:", default_password)

A10: Server-Side Request Forgery (1 finding)

Summary: HIGH: 1

  • Line 68 | Severity HIGH | Confidence HIGH
    → Potential SSRF: unvalidated user-controlled URL passed to requests.*(): requests.get(url)

⛔ Please address these before merging.

