The following issues were found
src/third_party/scons-3.1.2/scons-local-3.1.2/SCons/Platform/cygwin.py
4 issues
Line: 37
Column: 1
import sys
from . import posix
from SCons.Platform import TempFileMunge
CYGWIN_DEFAULT_PATHS = []
if sys.platform == 'win32':
CYGWIN_DEFAULT_PATHS = [
Reported by Pylint.
Line: 33
Column: 1
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
__revision__ = "src/engine/SCons/Platform/cygwin.py bee7caf9defd6e108fc2998a2520ddb36a967691 2019-12-17 02:07:09 bdeegan"
import sys
from . import posix
from SCons.Platform import TempFileMunge
Reported by Pylint.
Line: 38
Column: 1
import sys
from . import posix
from SCons.Platform import TempFileMunge
CYGWIN_DEFAULT_PATHS = []
if sys.platform == 'win32':
CYGWIN_DEFAULT_PATHS = [
r'C:\cygwin64\bin',
Reported by Pylint.
Line: 47
Column: 1
r'C:\cygwin\bin'
]
def generate(env):
posix.generate(env)
env['PROGPREFIX'] = ''
env['PROGSUFFIX'] = '.exe'
env['SHLIBPREFIX'] = ''
Reported by Pylint.
buildscripts/packager.py
4 issues
Line: 38
Suggestion:
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
import os
import re
import shutil
import subprocess
import sys
import tempfile
import time
# The MongoDB names for the architectures we support.
Reported by Bandit.
Line: 464
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
print("In %s, running %s" % (os.getcwd(), " ".join(argv)))
sys.stdout.flush()
sys.stderr.flush()
assert subprocess.Popen(argv).wait() == 0
def backtick(argv):
"""Run argv and return its output string."""
print("In %s, running %s" % (os.getcwd(), " ".join(argv)))
Reported by Bandit.
Line: 464
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
print("In %s, running %s" % (os.getcwd(), " ".join(argv)))
sys.stdout.flush()
sys.stderr.flush()
assert subprocess.Popen(argv).wait() == 0
def backtick(argv):
"""Run argv and return its output string."""
print("In %s, running %s" % (os.getcwd(), " ".join(argv)))
Reported by Bandit.
Line: 472
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
print("In %s, running %s" % (os.getcwd(), " ".join(argv)))
sys.stdout.flush()
sys.stderr.flush()
return subprocess.Popen(argv, stdout=subprocess.PIPE).communicate()[0]
def tarfile(build_os, arch, spec):
"""Return the location where we store the downloaded tarball for this package."""
return "dl/mongodb-linux-%s-%s-%s.tar.gz" % (spec.version(), build_os, arch)
Reported by Bandit.
src/mongo/db/free_mon/free_mon_processor.h
4 issues
Line: 118
Column: 71
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*/
class RegistrationRetryCounter : public RetryCounter {
public:
explicit RegistrationRetryCounter(PseudoRandom& random) : _random(random) {}
void reset() final;
bool incrementError() final;
Reported by FlawFinder.
Line: 118
Column: 53
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*/
class RegistrationRetryCounter : public RetryCounter {
public:
explicit RegistrationRetryCounter(PseudoRandom& random) : _random(random) {}
void reset() final;
bool incrementError() final;
Reported by FlawFinder.
Line: 158
Column: 48
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*/
class MetricsRetryCounter : public RetryCounter {
public:
explicit MetricsRetryCounter(PseudoRandom& random) : _random(random) {}
void reset() final;
bool incrementError() final;
Reported by FlawFinder.
Line: 158
Column: 66
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
*/
class MetricsRetryCounter : public RetryCounter {
public:
explicit MetricsRetryCounter(PseudoRandom& random) : _random(random) {}
void reset() final;
bool incrementError() final;
Reported by FlawFinder.
src/third_party/scons-3.1.2/scons-configure-cache.py
4 issues
Line: 1
Column: 1
#! /usr/bin/env python
#
# SCons - a Software Constructor
#
# Copyright (c) 2001 - 2019 The SCons Foundation
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
Reported by Pylint.
Line: 40
Column: 1
import json
import os
__revision__ = "src/script/scons-configure-cache.py bee7caf9defd6e108fc2998a2520ddb36a967691 2019-12-17 02:07:09 bdeegan"
__version__ = "3.1.2"
__build__ = "bee7caf9defd6e108fc2998a2520ddb36a967691"
Reported by Pylint.
Line: 123
Column: 8
help="show current configuration")
# Get the command line as a dict without any of the unspecified entries.
args = dict([x for x in vars(parser.parse_args()).items() if x[1]])
# It seems somewhat strange to me, but positional arguments don't get the -
# in the name changed to _, whereas optional arguments do...
cache = args['cache-dir']
if not os.path.isdir(cache):
Reported by Pylint.
Line: 150
Column: 5
print(json.dumps(config, sort_keys=True,
indent=4, separators=(',', ': ')))
# in case of the show argument, emit some stats as well
file_count = 0
for _, _, files in os.walk('.'):
file_count += len(files)
if file_count: # skip config file if it exists
file_count -= 1
print("Cache contains %s files" % file_count)
Reported by Pylint.
buildscripts/idl/idl/writer.py
4 issues
Line: 34
Column: 1
import string
from typing import List, Mapping, Union
from . import common
# Number of spaces to indent code
_INDENT_SPACE_COUNT = 4
Reported by Pylint.
Line: 125
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
def unindent(self):
# type: () -> None
"""Unindent the text by one level."""
assert self._indent > 0
self._indent -= 1
def write_line(self, msg):
# type: (str) -> None
"""Write a line to the stream, no template formattin applied."""
Reported by Bandit.
Line: 137
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
def set_template_mapping(self, template_params):
# type: (Mapping[str,str]) -> None
"""Set the current template mapping parameters for string.Template formatting."""
assert not self._template_context
self._template_context = template_params
def clear_template_mapping(self):
# type: () -> None
"""Clear the current template mapping parameters for string.Template formatting."""
Reported by Bandit.
Line: 143
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
def clear_template_mapping(self):
# type: () -> None
"""Clear the current template mapping parameters for string.Template formatting."""
assert self._template_context
self._template_context = None
def write_template(self, template):
# type: (str) -> None
"""Write a template to the stream."""
Reported by Bandit.
src/third_party/scons-3.1.2/scons-local-3.1.2/SCons/Tool/sgilink.py
4 issues
Line: 38
Column: 1
import SCons.Util
from . import link
linkers = ['CC', 'cc']
def generate(env):
"""Add Builders and construction variables for MIPSPro to an Environment."""
Reported by Pylint.
Line: 34
Column: 1
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
__revision__ = "src/engine/SCons/Tool/sgilink.py bee7caf9defd6e108fc2998a2520ddb36a967691 2019-12-17 02:07:09 bdeegan"
import SCons.Util
from . import link
Reported by Pylint.
Line: 45
Column: 1
def generate(env):
"""Add Builders and construction variables for MIPSPro to an Environment."""
link.generate(env)
env['LINK'] = env.Detect(linkers) or 'cc'
env['SHLINKFLAGS'] = SCons.Util.CLVar('$LINKFLAGS -shared')
# __RPATH is set to $_RPATH in the platform specification if that
# platform supports it.
Reported by Pylint.
Line: 55
Column: 1
env['RPATHSUFFIX'] = ''
env['_RPATH'] = '${_concat(RPATHPREFIX, RPATH, RPATHSUFFIX, __env__)}'
def exists(env):
return env.Detect(linkers)
# Local Variables:
# tab-width:4
# indent-tabs-mode:nil
Reported by Pylint.
src/mongo/client/sasl_aws_client_conversation.cpp
4 issues
Line: 97
Column: 33
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
awsIam::AWSCredentials SaslAWSClientConversation::_getLocalAWSCredentials() const {
// Check the environment variables
// These are set by AWS Lambda to pass in credentials and can be set by users.
StringData awsAccessKeyId = getenv("AWS_ACCESS_KEY_ID");
StringData awsSecretAccessKey = getenv("AWS_SECRET_ACCESS_KEY");
StringData awsSessionToken = getenv("AWS_SESSION_TOKEN");
if (!awsAccessKeyId.empty() && !awsSecretAccessKey.empty()) {
if (!awsSessionToken.empty()) {
Reported by FlawFinder.
Line: 98
Column: 37
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
// Check the environment variables
// These are set by AWS Lambda to pass in credentials and can be set by users.
StringData awsAccessKeyId = getenv("AWS_ACCESS_KEY_ID");
StringData awsSecretAccessKey = getenv("AWS_SECRET_ACCESS_KEY");
StringData awsSessionToken = getenv("AWS_SESSION_TOKEN");
if (!awsAccessKeyId.empty() && !awsSecretAccessKey.empty()) {
if (!awsSessionToken.empty()) {
return awsIam::AWSCredentials(awsAccessKeyId.toString(),
Reported by FlawFinder.
Line: 99
Column: 34
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
// These are set by AWS Lambda to pass in credentials and can be set by users.
StringData awsAccessKeyId = getenv("AWS_ACCESS_KEY_ID");
StringData awsSecretAccessKey = getenv("AWS_SECRET_ACCESS_KEY");
StringData awsSessionToken = getenv("AWS_SESSION_TOKEN");
if (!awsAccessKeyId.empty() && !awsSecretAccessKey.empty()) {
if (!awsSessionToken.empty()) {
return awsIam::AWSCredentials(awsAccessKeyId.toString(),
awsSecretAccessKey.toString(),
Reported by FlawFinder.
Line: 111
Column: 30
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
return awsIam::AWSCredentials(awsAccessKeyId.toString(), awsSecretAccessKey.toString());
}
StringData ecsMetadata = getenv("AWS_CONTAINER_CREDENTIALS_RELATIVE_URI");
if (!ecsMetadata.empty()) {
return _getEcsCredentials(ecsMetadata);
}
return _getEc2Credentials();
Reported by FlawFinder.
src/third_party/pcre-8.42/pcre_stringpiece.h
4 issues
Line: 58
Column: 12
CWE codes:
126
namespace pcrecpp {
using std::memcmp;
using std::strlen;
using std::string;
class PCRECPP_EXP_DEFN StringPiece {
private:
const char* ptr_;
Reported by FlawFinder.
Line: 73
Column: 43
CWE codes:
126
StringPiece()
: ptr_(NULL), length_(0) { }
StringPiece(const char* str)
: ptr_(str), length_(static_cast<int>(strlen(ptr_))) { }
StringPiece(const unsigned char* str)
: ptr_(reinterpret_cast<const char*>(str)),
length_(static_cast<int>(strlen(ptr_))) { }
StringPiece(const string& str)
: ptr_(str.data()), length_(static_cast<int>(str.size())) { }
Reported by FlawFinder.
Line: 76
Column: 32
CWE codes:
126
: ptr_(str), length_(static_cast<int>(strlen(ptr_))) { }
StringPiece(const unsigned char* str)
: ptr_(reinterpret_cast<const char*>(str)),
length_(static_cast<int>(strlen(ptr_))) { }
StringPiece(const string& str)
: ptr_(str.data()), length_(static_cast<int>(str.size())) { }
StringPiece(const char* offset, int len)
: ptr_(offset), length_(len) { }
Reported by FlawFinder.
Line: 96
Column: 32
CWE codes:
126
void set(const char* buffer, int len) { ptr_ = buffer; length_ = len; }
void set(const char* str) {
ptr_ = str;
length_ = static_cast<int>(strlen(str));
}
void set(const void* buffer, int len) {
ptr_ = reinterpret_cast<const char*>(buffer);
length_ = len;
}
Reported by FlawFinder.
src/third_party/mozjs-60/include/jsapi.h
4 issues
Line: 813
Column: 91
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
} /* namespace JS */
extern JS_PUBLIC_API(bool)
JS_StrictlyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_LooselyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
Reported by FlawFinder.
Line: 816
Column: 90
CWE codes:
126
Suggestion:
This function is often discouraged by most C++ coding standards in favor of its safer alternatives provided since C++14. Consider using a form of this function that checks the second iterator before potentially overflowing it
JS_StrictlyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_LooselyEqual(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* equal);
extern JS_PUBLIC_API(bool)
JS_SameValue(JSContext* cx, JS::Handle<JS::Value> v1, JS::Handle<JS::Value> v2, bool* same);
/** True iff fun is the global eval function. */
Reported by FlawFinder.
Line: 4990
Column: 16
CWE codes:
126
size_t length() const {
if (!mBytes)
return 0;
return strlen(mBytes);
}
private:
char* mBytes;
MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
Reported by FlawFinder.
Line: 5415
Column: 52
CWE codes:
126
}
void initBorrowedMessage(const char* messageArg) {
MOZ_ASSERT(!message_);
message_ = JS::ConstUTF8CharsZ(messageArg, strlen(messageArg));
}
JSString* newMessageString(JSContext* cx);
private:
Reported by FlawFinder.
src/third_party/mozjs-60/include/double-conversion/utils.h
4 issues
Line: 312
Column: 15
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
// Compile time assertion: sizeof(Dest) == sizeof(Source)
// A compile error here means your Dest and Source have different sizes.
DOUBLE_CONVERSION_UNUSED
typedef char VerifySizesAreEqual[sizeof(Dest) == sizeof(Source) ? 1 : -1];
Dest dest;
memmove(&dest, &source, sizeof(dest));
return dest;
}
Reported by FlawFinder.
Line: 160
Column: 19
CWE codes:
126
inline int StrLength(const char* string) {
size_t length = strlen(string);
ASSERT(length == static_cast<size_t>(static_cast<int>(length)));
return static_cast<int>(length);
}
// This is a simplified version of V8's Vector class.
Reported by FlawFinder.
Line: 248
Column: 38
CWE codes:
126
// builder. The input string must have enough characters.
void AddSubstring(const char* s, int n) {
ASSERT(!is_finalized() && position_ + n < buffer_.length());
ASSERT(static_cast<size_t>(n) <= strlen(s));
memmove(&buffer_[position_], s, n * kCharSize);
position_ += n;
}
Reported by FlawFinder.
Line: 268
Column: 12
CWE codes:
126
buffer_[position_] = '\0';
// Make sure nobody managed to add a 0-character to the
// buffer while building the string.
ASSERT(strlen(buffer_.start()) == static_cast<size_t>(position_));
position_ = -1;
ASSERT(is_finalized());
return buffer_.start();
}
Reported by FlawFinder.