| semgrep | python.flask.security.injection.nan-injection.nan-injection | ERROR | MEDIUM | unknown | proyecto/app.py | 60 | 21 | Found user input going directly into typecast for bool(), float(), or complex(). This allows an attacker to inject Python's not-a-number (NaN) into the typecast. This results in undefined behavior, particularly when doing comparisons. Either cast to a different type, or add a guard checking for all capitalizations of the string 'nan'. |
| semgrep | python.flask.security.audit.debug-enabled.debug-enabled | WARNING | HIGH | unknown | proyecto/app.py | 136 | 5 | Detected Flask app with debug=True. Do not deploy to production with this flag enabled as it will leak sensitive information. Instead, consider using Flask configuration variables or setting 'debug' using system environment variables. |
| semgrep | python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query | ERROR | LOW | unknown | proyecto/classes/account_manager.py | 38 | 13 | Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option. |
| semgrep | python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query | ERROR | LOW | unknown | proyecto/classes/account_manager.py | 54 | 17 | Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option. |
| semgrep | python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query | ERROR | LOW | unknown | proyecto/classes/account_manager.py | 60 | 17 | Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option. |
| semgrep | python.sqlalchemy.security.sqlalchemy-execute-raw-query.sqlalchemy-execute-raw-query | ERROR | LOW | unknown | proyecto/classes/account_manager.py | 75 | 17 | Avoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. In order to execute raw query safely, prepared statement should be used. SQLAlchemy provides TextualSQL to easily use prepared statements with named parameters. For complex SQL composition, use SQL Expression Language or Schema Definition Language. In most cases, SQLAlchemy ORM will be a better option. |
| semgrep | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | ERROR | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/click/_termui_impl.py | 414 | 37 | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. |
| semgrep | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | ERROR | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/click/_termui_impl.py | 514 | 79 | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. |
| semgrep | python.lang.security.audit.eval-detected.eval-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/flask/cli.py | 1005 | 13 | Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/flask/config.py | 212 | 17 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/flask/json/tag.py | 188 | 16 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/flask/sessions.py | 285 | 12 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/importlib_metadata/__init__.py | 183 | 18 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | generic.secrets.security.detected-jwt-token.detected-jwt-token | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/itsdangerous-2.2.0.dist-info/METADATA | 44 | 3 | JWT token detected |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/itsdangerous/signer.py | 45 | 12 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 41 | 7 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 42 | 7 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 73 | 20 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.audit.marshal.marshal-usage | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 79 | 25 | The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 89 | 9 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.audit.marshal.marshal-usage | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 90 | 9 | The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 156 | 16 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/jinja2/bccache.py | 165 | 16 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/debug.py | 145 | 9 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/environment.py | 1225 | 9 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.django.security.audit.xss.html-magic-method.html-magic-method | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/environment.py | 1546 | 5 | The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/environment.py | 1547 | 16 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/ext.py | 176 | 18 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/ext.py | 197 | 18 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/ext.py | 213 | 18 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/ext.py | 238 | 18 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.django.security.audit.xss.html-magic-method.html-magic-method | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 39 | 9 | The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 315 | 14 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 807 | 14 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 838 | 21 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 1043 | 12 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/filters.py | 1364 | 12 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/loaders.py | 294 | 9 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/jinja2/loaders.py | 635 | 26 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/nodes.py | 619 | 20 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/nodes.py | 1091 | 16 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/nodes.py | 1112 | 20 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/runtime.py | 375 | 20 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/runtime.py | 387 | 20 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/runtime.py | 774 | 20 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/runtime.py | 785 | 18 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.django.security.audit.xss.html-magic-method.html-magic-method | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/runtime.py | 982 | 5 | The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/utils.py | 392 | 12 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/jinja2/utils.py | 657 | 12 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.django.security.audit.xss.html-magic-method.html-magic-method | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/markupsafe/__init__.py | 10 | 9 | The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. |
| semgrep | python.django.security.audit.xss.html-magic-method.html-magic-method | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/markupsafe/__init__.py | 78 | 5 | The `__html__` method indicates to the Django template engine that the value is 'safe' for rendering. This means that normal HTML escaping will not be applied to the return value. This exposes your application to cross-site scripting (XSS) vulnerabilities. If you need to render raw HTML, consider instead using `mark_safe()` which more clearly marks the intent to render raw HTML than a class with a magic method. |
| semgrep | python.flask.security.xss.audit.explicit-unescape-with-markup.explicit-unescape-with-markup | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/markupsafe/__init__.py | 197 | 16 | Detected explicitly unescaped content using 'Markup()'. This permits the unescaped data to include unescaped HTML which could result in cross-site scripting. Ensure this data is not externally controlled, or consider rewriting to not use 'Markup()'. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/commands/__init__.py | 94 | 14 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/commands/search.py | 5 | 1 | Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 52 | 13 | Detected a python logger call with a potential hardcoded secret "Getting credentials from keyring for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 59 | 13 | Detected a python logger call with a potential hardcoded secret "Getting password from keyring for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 124 | 13 | Detected a python logger call with a potential hardcoded secret "Found credentials in url for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 140 | 17 | Detected a python logger call with a potential hardcoded secret "Found credentials in index url for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 147 | 17 | Detected a python logger call with a potential hardcoded secret "Found credentials in netrc for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 160 | 17 | Detected a python logger call with a potential hardcoded secret "Found credentials in keyring for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.lang.security.audit.logging.logger-credential-leak.python-logger-credential-disclosure | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 298 | 13 | Detected a python logger call with a potential hardcoded secret "401 Error, Credentials not correct for %s" being logged. This may lead to secret credentials being exposed. Make sure that the logger is not logging sensitive information. |
| semgrep | python.django.security.audit.unvalidated-password.unvalidated-password | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/auth.py | 314 | 17 | The password on 'keyring' is being set without validating the password. Call django.contrib.auth.password_validation.validate_password() with validation functions before setting the password. See https://docs.djangoproject.com/en/3.0/topics/auth/passwords/ for more information. |
| semgrep | python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/xmlrpc.py | 6 | 1 | Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead. |
| semgrep | python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/network/xmlrpc.py | 14 | 5 | Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead. |
| semgrep | python.lang.security.audit.insecure-file-permissions.insecure-file-permissions | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_internal/utils/unpacking.py | 98 | 5 | These permissions `$BITS` are widely permissive and grant access to more people than may be necessary. A good default is `0o644` which gives read and write access to yourself and read access to everyone else. |
| semgrep | python.lang.security.audit.insecure-transport.requests.request-session-with-http.request-session-with-http | INFO | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/cachecontrol/_cmd.py | 23 | 16 | Detected a request using 'http://'. This request will be unencrypted. Use 'https://' instead. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/cachecontrol/serialize.py | 150 | 22 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/distlib/compat.py | 43 | 5 | Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead. |
| semgrep | python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/distlib/compat.py | 83 | 5 | Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead. |
| semgrep | python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/distlib/util.py | 1437 | 29 | 'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket. |
| semgrep | python.lang.security.audit.httpsconnection-detected.httpsconnection-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/distlib/util.py | 1563 | 46 | The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pep517/in_process/_in_process.py | 89 | 15 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pep517/in_process/_in_process.py | 325 | 12 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 146 | 20 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 146 | 36 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 153 | 9 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 153 | 41 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 1462 | 13 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/pkg_resources/__init__.py | 1469 | 13 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/requests/auth.py | 154 | 24 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/requests/auth.py | 198 | 19 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py | 90 | 5 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py | 94 | 23 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py | 97 | 23 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/securetransport.py | 163 | 26 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/securetransport.py | 168 | 26 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/securetransport.py | 173 | 26 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.weak-ssl-version.weak-ssl-version | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/contrib/securetransport.py | 178 | 26 | An insecure SSL version was detected. TLS versions 1.0, 1.1, and all SSL versions are considered weak encryption and are deprecated. Use 'ssl.PROTOCOL_TLSv1_2' or higher. |
| semgrep | python.lang.security.audit.ssl-wrap-socket-is-deprecated.ssl-wrap-socket-is-deprecated | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/util/ssl_.py | 179 | 20 | 'ssl.wrap_socket()' is deprecated. This function creates an insecure socket without server name indication or hostname matching. Instead, create an SSL context using 'ssl.SSLContext()' and use that to wrap a socket. |
| semgrep | python.lang.security.audit.insecure-transport.ssl.no-set-ciphers.no-set-ciphers | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/urllib3/util/ssl_.py | 292 | 5 | The 'ssl' module disables insecure cipher suites by default. Therefore, use of 'set_ciphers()' should only be used when you have very specialized requirements. Otherwise, you risk lowering the security of the SSL channel. |
| semgrep | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pip/_vendor/webencodings/mklabels.py | 47 | 36 | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 131 | 20 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 131 | 36 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 138 | 9 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 138 | 41 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 1448 | 13 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 1455 | 13 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/pkg_resources/__init__.py | 2215 | 9 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/_distutils/command/register.py | 89 | 20 | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. |
| semgrep | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/_distutils/command/upload.py | 194 | 22 | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/_distutils/core.py | 215 | 17 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.subprocess-shell-true.subprocess-shell-true | ERROR | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/setuptools/_distutils/cygwinccompiler.py | 391 | 28 | Found 'subprocess' function 'Popen' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/_distutils/sysconfig.py | 507 | 16 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/build_meta.py | 150 | 9 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.marshal.marshal-usage | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/command/bdist_egg.py | 376 | 12 | The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/command/easy_install.py | 1047 | 16 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/command/easy_install.py | 1051 | 39 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.audit.httpsconnection-detected.httpsconnection-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/command/upload_docs.py | 170 | 20 | The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/config.py | 422 | 26 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.audit.marshal.marshal-usage | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/depends.py | 111 | 20 | The marshal module is not intended to be secure against erroneous or maliciously constructed data. Never unmarshal data received from an untrusted or unauthenticated source. See more details: https://docs.python.org/3/library/marshal.html?highlight=security |
| semgrep | python.lang.security.dangerous-globals-use.dangerous-globals-use | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/depends.py | 171 | 13 | Found non static data as an index to 'globals()'. This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use 'globals()'. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/launch.py | 32 | 5 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.audit.non-literal-import.non-literal-import | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/monkey.py | 149 | 15 | Untrusted user input in `importlib.import_module()` function allows an attacker to load arbitrary code. Avoid dynamic values in `importlib.import_module()` or use a whitelist to prevent running untrusted code. |
| semgrep | python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/package_index.py | 1096 | 16 | Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/sandbox.py | 46 | 5 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/sandbox.py | 108 | 20 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.deserialization.pickle.avoid-pickle | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/setuptools/sandbox.py | 108 | 40 | Avoid using `pickle`, which is known to lead to code execution vulnerabilities. When unpickling, the serialized data could be manipulated to run arbitrary code. Instead, consider serializing the relevant data as JSON or a similar text-based serialization format. |
| semgrep | python.lang.security.insecure-hash-algorithms.insecure-hash-algorithm-sha1 | WARNING | MEDIUM | unknown | proyecto/myenv/Lib/site-packages/werkzeug/http.py | 956 | 12 | Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead. |
| semgrep | python.lang.security.audit.httpsconnection-detected.httpsconnection-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/werkzeug/middleware/http_proxy.py | 151 | 27 | The HTTPSConnection API has changed frequently with minor releases of Python. Ensure you are using the API for your version of Python securely. For example, Python 3 versions prior to 3.4.3 will not verify SSL certificates by default. See https://docs.python.org/3/library/http.client.html#http.client.HTTPSConnection for more information. |
| semgrep | javascript.lang.security.detect-insecure-websocket.detect-insecure-websocket | ERROR | LOW | unknown | proyecto/myenv/Lib/site-packages/werkzeug/routing/rules.py | 427 | 65 | Insecure WebSocket Detected. WebSocket Secure (wss) should be used for all WebSocket connections. |
| semgrep | python.lang.security.audit.exec-detected.exec-detected | WARNING | LOW | unknown | proyecto/myenv/Lib/site-packages/werkzeug/routing/rules.py | 727 | 9 | Detected the use of exec(). exec() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources. |
| semgrep | javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp | WARNING | LOW | unknown | proyecto/reportes/class.js | 9 | 742 | RegExp() called with a `b` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS. |
| semgrep | javascript.browser.security.insecure-document-method.insecure-document-method | ERROR | LOW | unknown | proyecto/reportes/class.js | 173 | 9 | User controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities |
| semgrep | generic.secrets.security.detected-sonarqube-docs-api-key.detected-sonarqube-docs-api-key | ERROR | LOW | unknown | proyecto/sonar-project.properties | 5 | 1 | SonarQube Docs API Key detected |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion.html | 62 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion.html | 63 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion.html | 64 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion_resultado.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion_resultado.html | 39 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion_resultado.html | 40 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/conversion_resultado.html | 41 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar.html | 62 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar.html | 63 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar.html | 64 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar_resultado.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar_resultado.html | 36 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar_resultado.html | 37 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/cotizar_resultado.html | 38 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/dashboard.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/dashboard.html | 80 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/dashboard.html | 81 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/dashboard.html | 82 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/historial.html | 9 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/historial.html | 56 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/historial.html | 57 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/historial.html | 58 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/login.html | 8 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | python.django.security.django-no-csrf-token.django-no-csrf-token | WARNING | MEDIUM | unknown | proyecto/templates/login.html | 29 | 25 | Manually-created forms in django templates should specify a csrf_token to prevent CSRF attacks. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/login.html | 47 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/login.html | 48 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
| semgrep | html.security.audit.missing-integrity.missing-integrity | WARNING | LOW | unknown | proyecto/templates/login.html | 49 | 5 | This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files. |
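The `missing-integrity` rows above all ask for the same fix: an `integrity` attribute carrying the base64-encoded digest of the external file, plus `crossorigin="anonymous"` so the browser is allowed to check it. The helper below is an added example and not code from the scanned project; it computes the attribute value for a script body, emits the `<script>` tag, and replays the browser-side check (strongest listed algorithm wins, any matching digest of that algorithm passes, unrecognised tokens are ignored). The script body and CDN URL are constructed sample data.

```python
"""Subresource Integrity (SRI) helpers: compute and verify 'integrity' values.

Added example, not part of the scanned project. The sample script body and the
CDN URL are constructed for the demo.
"""
import base64
import hashlib
import html

# Digest algorithms SRI accepts, weakest first; a browser only honours the
# strongest algorithm present in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")

# Constructed sample: the bytes a CDN would serve for an external script.
SAMPLE_JS = b"window.cotizar = function (monto) { return monto * 1.19; };\n"


def sri_hash(data: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, data: bytes, algorithm: str = "sha384") -> str:
    """Build a <script> tag with integrity and crossorigin attributes.

    crossorigin="anonymous" is required for a cross-origin resource; without
    it the response is opaque, the browser cannot verify it, and it refuses
    to run the script at all.
    """
    return (f'<script src="{html.escape(src, quote=True)}" '
            f'integrity="{sri_hash(data, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(data: bytes, integrity: str) -> bool:
    """Check a fetched body against an 'integrity' attribute as a browser does.

    The attribute may hold several whitespace-separated tokens. Only tokens
    using the strongest recognised algorithm are considered, and the check
    passes if any one of them matches. An attribute with no recognised token
    imposes no requirement, so the resource loads unchecked.
    """
    parsed = []
    for token in integrity.split():
        algorithm, sep, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # options after '?' are ignored
        if sep and algorithm in SRI_ALGORITHMS:
            parsed.append((algorithm, digest))
    if not parsed:
        return True
    strongest = max(parsed, key=lambda p: SRI_ALGORITHMS.index(p[0]))[0]
    actual = base64.b64encode(hashlib.new(strongest, data).digest()).decode("ascii")
    return any(d == actual for alg, d in parsed if alg == strongest)


if __name__ == "__main__":
    print(script_tag("https://cdn.example.com/cotizar.js", SAMPLE_JS))
    good = sri_hash(SAMPLE_JS)
    print("unmodified body passes:", verify_integrity(SAMPLE_JS, good))
    print("tampered body passes:  ", verify_integrity(SAMPLE_JS + b"alert(1);", good))
```

Generate the hash from the exact bytes you will reference (the minified build, not a pretty-printed copy), and regenerate it whenever the pinned version changes; a CDN URL without a version pin will break as soon as the file is updated, which is exactly the behaviour SRI is meant to give you.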
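The `django-no-csrf-token` row flags the hand-written login form in `proyecto/templates/login.html`. The rule text names Django's `csrf_token` tag, but the mechanism it stands for is framework-neutral: a per-session secret embedded as a hidden field and compared against the session copy on every POST. The block below is an added example, not the project's code; the session is modelled as a plain dict, and the form fields and handler names are assumptions for the demo.

```python
"""Synchronizer-token CSRF protection for a manually written HTML form.

Added example, not part of the scanned project. The session is a plain dict
standing in for the framework's session object; the form layout and the
handler are constructed for the demo.
"""
import hmac
import html
import secrets
from typing import Optional

SESSION_KEY = "_csrf_token"


def issue_csrf_token(session: dict) -> str:
    """Return the session's CSRF token, creating one on first use."""
    token = session.get(SESSION_KEY)
    if not token:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        session[SESSION_KEY] = token
    return token


def csrf_hidden_input(session: dict) -> str:
    """Render the hidden field a hand-written <form> must carry."""
    value = html.escape(issue_csrf_token(session), quote=True)
    return f'<input type="hidden" name="csrf_token" value="{value}">'


def csrf_token_valid(session: dict, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the session copy in constant time."""
    expected = session.get(SESSION_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def render_login_form(session: dict) -> str:
    """Assumed shape of the login form, with the token field included."""
    return ('<form method="post" action="/login">\n'
            f"  {csrf_hidden_input(session)}\n"
            '  <input name="username">\n'
            '  <input name="password" type="password">\n'
            '  <button type="submit">Entrar</button>\n'
            "</form>")


def handle_login_post(session: dict, form: dict) -> str:
    """Reject the request before touching credentials if the token is wrong."""
    if not csrf_token_valid(session, form.get("csrf_token")):
        return "403 Forbidden: invalid CSRF token"
    return "200 OK: credentials checked"  # stand-in for the real login logic


if __name__ == "__main__":
    session = {}
    print(render_login_form(session))
    print(handle_login_post(session, {"csrf_token": session[SESSION_KEY]}))
    print(handle_login_post(session, {}))  # cross-site POST carries no token
```

In a real application prefer the framework's own support (Flask-WTF's `CSRFProtect` for Flask, `CsrfViewMiddleware` for Django) over a hand-rolled helper; the point of the example is what those components do for every state-changing form, and why a form that omits the field fails the check.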