Channel: Joomla! Forum - community, help and support

Security in Joomla! 5.x • Snyk Security Issues Reported in Joomla 5 Core

I wonder if anyone has experience running the Joomla codebase through the snyk security scanner (https://snyk.io/).
I have created a web application based on Joomla 5, and the product owner is a large multinational organization that requires all of their applications to pass a scan from snyk.
At the moment there are over a hundred 'High' risk issues being flagged, mostly involving unsanitized input from headers being used, resulting in suggested risk of XSS / Deserialization of Untrusted Data.
The files flagged are part of the Joomla 5 core, not custom extensions or files, so I'm guessing that this data is sanitized and dealt with properly, but the snyk scanner is not recognising this, and is producing a false positive as a result. Or could it be that the Joomla core actually doesn't meet the strict coding/security standards of scanners like Snyk?
Anyone with experience using Joomla for enterprise applications and having to pass scans like snyk? Overriding these files to add sanitization that snyk recognises would be a major hassle, if it's even possible at all.
Any insights?

Statistics: Posted by andypooz — Tue Aug 20, 2024 11:48 am


