Safety vulnerability ID: 60379
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Scancodeio 32.5.2 includes a security fix: Reflected Cross-Site Scripting (XSS) in license endpoint.
https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj
Latest version: 34.10.1
Automate software composition analysis pipelines
--------------------
Security release: This release addresses the security issue detailed below.
We encourage all users of ScanCode.io to upgrade as soon as possible.
- GHSA-6xcx-gx7r-rccj: Reflected Cross-Site Scripting (XSS) in license endpoint
The ``license_details_view`` function was subject to cross-site scripting (XSS)
attacks due to inadequate validation and sanitization of the ``key`` parameter.
The license views were migrated to class-based views and the inputs are now properly
sanitized.
Credit to 0xmpij for reporting the vulnerability.
https://github.com/nexB/scancode.io/security/advisories/GHSA-6xcx-gx7r-rccj
https://github.com/nexB/scancode.io/issues/847
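To illustrate the class of defect described above, here is an added, Django-free model of a license-detail view that reflects the ``key`` parameter, beside a hardened form that validates the key and escapes anything echoed back. This is example code written for this page, not scancode.io's own ``license_details_view``; the license catalog, the key pattern and the status codes are assumptions.

```python
import html
import re

# Constructed stand-in for a license catalog. Real ScanCode license keys look
# like "mit" or "apache-2.0"; the two views below are simplified models of the
# pattern, not scancode.io's own code.
LICENSES = {
    "mit": "MIT License",
    "apache-2.0": "Apache License 2.0",
}

# Assumed key format: a lowercase slug of letters, digits, dots, dashes and plus.
LICENSE_KEY_RE = re.compile(r"^[a-z0-9][a-z0-9.+-]{0,99}$")


def license_details_vulnerable(key: str) -> tuple[int, str]:
    """Reflect the unvalidated, unescaped query parameter into the error page."""
    name = LICENSES.get(key)
    if name is None:
        # The raw key lands in the HTML body: this is the reflected XSS shape.
        return 404, f"<p>License {key} not found.</p>"
    return 200, f"<h1>{name}</h1>"


def license_details_hardened(key: str) -> tuple[int, str]:
    """Validate the key first, then HTML-escape whatever is echoed back."""
    if not LICENSE_KEY_RE.fullmatch(key):
        # Reject anything that cannot be a license key; escape anyway for
        # defence in depth, since the rejected value is still shown to the user.
        return 400, f"<p>Invalid license key {html.escape(key)}.</p>"
    name = LICENSES.get(key)
    if name is None:
        return 404, f"<p>License {html.escape(key)} not found.</p>"
    return 200, f"<h1>{html.escape(name)}</h1>"
```

In a real Django view the same two controls apply: constrain the parameter (URL converter, form field or regex) and let the template engine's auto-escaping, not string formatting, build the response.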
- Add bandit analyzer and Django "check --deploy" to the check/validation stack.
This helps to ensure that we do not introduce known code vulnerabilities and
deployment issues into the codebase.
https://github.com/nexB/scancode.io/issues/850
- Migrate the run_command function into a safer usage of the subprocess module.
Also fix various warnings returned by the bandit analyzer.
https://github.com/nexB/scancode.io/issues/850
- Replace the ``scancode.run_scancode`` function by a new ``run_scan`` that interacts
with scancode-toolkit scanners without using subprocess. This new function is used
in the ``scan_package`` pipeline.
The ``SCANCODE_TOOLKIT_CLI_OPTIONS`` setting was renamed
``SCANCODE_TOOLKIT_RUN_SCAN_ARGS``. Refer to the documentation for the new "dict"
syntax.
https://github.com/nexB/scancode.io/issues/798