
Review and remediate June 3rd vulnerability scanning report #2622

Closed
MillenniumFalconMechanic opened this issue Jun 8, 2022 · 3 comments
Labels: canary (Done by the Clever Canary team)

MillenniumFalconMechanic (Contributor) commented Jun 8, 2022

From @danielsotirhos in DataBiosphere/azul#4239:

There were 9 issues identified for https://dev.singlecell.gi.ucsc.edu/explore/
The same 9 issues and 4 others were identified for https://dev.singlecell.gi.ucsc.edu/
The 4 issues unique to https://dev.singlecell.gi.ucsc.edu/ (5, 6, 12, & 13) are marked with a [*]

  1. HTTP Strict Transport Security (HSTS) Errors and Warnings
    • Level: Medium
    • To be fixed by Clever Canary
  2. Cookie Not Marked as HttpOnly
    • Level: Low
    • To be fixed by Clever Canary
  3. Cookie Not Marked as Secure
    • Level: Low
    • To be fixed by Clever Canary
  4. Insecure Frame (External
  5. Misconfigured Access-Control-Allow-Origin Header [*]
    • Level: Low
    • If this
    • Won't fix, page is intended to be accessible to everyone (e.g. dev deployments, external API callers)
  6. Passive Mixed Content over HTTPS [*]
    • Level: Low
    • To be fixed by Clever Canary
  7. Content Security Policy (CSP) Not Implemented
    • Level: Best Practice
    • To be investigated by Clever Canary
  8. Expect-CT Not Enabled
    • Level: Best Practice
    • To be investigated by Clever Canary
  9. SameSite Cookie Not Implemented
    • Level: Best Practice
    • To be investigated by Clever Canary
  10. Subresource Integrity (SRI) Not Implemented
    • Level: Best Practice
    • To be investigated by Clever Canary
  11. Cross-site Referrer Leakage through usage of strict-origin-when-cross-origin in Referrer-Policy
    • Level: Best Practice
    • To be investigated by Clever Canary
  12. Email Address Disclosure [*]
    • Level: Information
    • Won't fix, desired behavior.
  13. Generic Email Address Disclosure [*]
    • Level: Information
    • Won't fix, desired behavior.
@github-actions github-actions bot added the canary Done by the Clever Canary team label Jun 8, 2022
@theathorn theathorn changed the title Review and remediate June VSRR Review and remediate June 3rd vulnerability scanning report Jun 8, 2022
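The header-based findings in the report above (HSTS, cookie HttpOnly/Secure/SameSite flags, the wildcard Access-Control-Allow-Origin, missing CSP and Expect-CT, and the Referrer-Policy value) can all be re-checked from a single captured response before and after remediation. The checker below is an added example, not code from this issue or from the Azul or Clever Canary projects; it runs over a constructed set of response headers that are not captured from dev.singlecell.gi.ucsc.edu, and the one-year HSTS `max-age` threshold and the set of Referrer-Policy values treated as non-leaking are assumptions rather than the scanner's actual rules. It does not cover the findings that need page content rather than headers (insecure frames, mixed content, SRI, e-mail disclosure).

```python
from typing import Dict, List, Tuple

# Constructed sample response headers for demonstration only; they are not
# captured from dev.singlecell.gi.ucsc.edu or any other real deployment.
SAMPLE_HEADERS: Dict[str, List[str]] = {
    "Strict-Transport-Security": ["max-age=300"],
    "Set-Cookie": [
        "session=abc123; Path=/",
        "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    "Access-Control-Allow-Origin": ["*"],
    "Referrer-Policy": ["strict-origin-when-cross-origin"],
}

HSTS_MIN_MAX_AGE = 31536000  # one year; assumed threshold, scanners differ


def _values(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup returning every value sent for a header."""
    return [v for k, vs in headers.items() if k.lower() == name.lower() for v in vs]


def parse_cookie(set_cookie: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute lower-cased: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_hsts(headers: Dict[str, List[str]]) -> List[str]:
    """Report a missing HSTS header, a bad/short max-age, or no includeSubDomains."""
    values = _values(headers, "Strict-Transport-Security")
    if not values:
        return ["HSTS: header missing"]
    directives: Dict[str, str] = {}
    for part in values[0].split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.strip().lower()] = value.strip()
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS: max-age directive missing or not an integer"]
    findings = []
    if max_age < HSTS_MIN_MAX_AGE:
        findings.append(f"HSTS: max-age {max_age} is below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        findings.append("HSTS: includeSubDomains not set")
    return findings


def check_cookies(headers: Dict[str, List[str]]) -> List[str]:
    """One finding per cookie per missing attribute (HttpOnly, Secure, SameSite)."""
    findings = []
    for raw in _values(headers, "Set-Cookie"):
        name, attrs = parse_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"Cookie '{name}' not marked HttpOnly")
        if "secure" not in attrs:
            findings.append(f"Cookie '{name}' not marked Secure")
        if "samesite" not in attrs:
            findings.append(f"Cookie '{name}' has no SameSite attribute")
    return findings


def check_policy_headers(headers: Dict[str, List[str]]) -> List[str]:
    """CORS wildcard, missing CSP / Expect-CT, and Referrer-Policy values that send the origin cross-site."""
    findings = []
    acao = _values(headers, "Access-Control-Allow-Origin")
    if acao and acao[0].strip() == "*":
        findings.append("Access-Control-Allow-Origin is '*' (wildcard)")
    if not _values(headers, "Content-Security-Policy"):
        findings.append("Content-Security-Policy not implemented")
    if not _values(headers, "Expect-CT"):
        findings.append("Expect-CT not enabled")
    policy = _values(headers, "Referrer-Policy")
    if not policy:
        findings.append("Referrer-Policy missing")
    elif policy[0].strip().lower() not in {"no-referrer", "same-origin"}:
        findings.append(f"Referrer-Policy '{policy[0]}' sends the origin to cross-site destinations")
    return findings


def audit(headers: Dict[str, List[str]]) -> List[str]:
    """Run every header check and return the combined list of findings."""
    return check_hsts(headers) + check_cookies(headers) + check_policy_headers(headers)


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```

Feed `audit()` the headers from one response of the deployment under review (for example the dict produced by a client library's response object) and it returns an empty list once the HSTS, cookie, CSP, Expect-CT and Referrer-Policy items above are closed; the wildcard CORS finding stays by design where, as the report says, the endpoint is meant to be reachable by any origin.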
NoopDog (Collaborator) commented Jul 29, 2022

Superseded by #2709

@NoopDog NoopDog closed this as completed Jul 29, 2022
nolunwa-ucsc commented

@theathorn @NoopDog is there a ticket for the following findings?

  • HTTP Strict Transport Security (HSTS) Errors and Warnings
    • Level: Medium
    • To be fixed by Clever Canary
  • Cookie Not Marked as HttpOnly
    • Level: Low
    • To be fixed by Clever Canary
  • Cookie Not Marked as Secure
    • Level: Low
    • To be fixed by Clever Canary
  • Passive Mixed Content over HTTPS [*]
    • Level: Low
    • To be fixed by Clever Canary

theathorn commented

Superseded by #2789.
