Fix security issues and warnings
Description
For KITODO.PRODUCTION the security issues which are reported on the security tab should be removed (in the sense of "to be solved"). This is a task similar to the one we have already done for KITODO.PRESENTATION (see https://github.com/kitodo/kitodo-presentation/issues/893).
At this moment this issue is just prepared with the aim of having it available for the next development fund round. It might be necessary to update this content when the next round of the development fund is started.
@solth : Please consider creating the label "development fund 2025", changing the label on this issue to that (2025), and assigning this new label to the issue type "task for development fund".
For KITODO.PRODUCTION the security issues which are reported on the security tab should be removed.
The link you mentioned is only available to certain persons who have the right to see them. But independent of this link: you can see all the issues if you fork the repository and enable the security scanning from GitHub. The security issues are not solved by removing them from the list; they are only "hidden", still exist, and should be solved instead of ignored. Hiding them until, and presenting them only on, the next round of the development fund is in my opinion a bad move.
Related: #5997. Some issues are reported by both static analyzers.
2024-08-30
GitHub Code Scanning (CodeQL) currently reports 1390 issues, Coverity Scan reports 353 issues.
Codacy reports 95 issues.
2024-09-30
CodeQL reports 1405 issues.
2024-11-09
CodeQL reports 1379 issues.
2025-03-27
Coverity Scan reports 358 outstanding issues. Codacy reports 98 issues. CodeQL reports 1373 issues (40 of these are rated as high or critical security issues, 84 are rated as potential errors).
Many issues are in external code which is used by Kitodo.Production and which might simply be updated.
For KITODO.PRODUCTION the security issues which are reported on the security tab should be removed.
The link you mentioned is only available to certain persons who have the right to see them. But independent of this link: you can see all the issues if you fork the repository and enable the security scanning from GitHub. The security issues are not solved by removing them from the list; they are only "hidden", still exist, and should be solved instead of ignored. Hiding them until, and presenting them only on, the next round of the development fund is in my opinion a bad move.
The purpose of this issue here is not to "hide" the issues, but to solve them (I have updated the description accordingly).
12 votes