This is a migrated thread and some comments may be shown as answers.

Kiuwan security issues on files Kendo 2020.2.513

Francisco
Francisco asked on 04 Dec 2020, 06:59 AM

I have been doing a static code analysis of my entire project with the KIUWAN tool.

This tool has found some security issues in some Kendo JS files.

I would like to know if they are false positives, or if it can be justified in some way that there are no security problems.

Problems found (the most important are the first 3):

  • Do not update control vars in 'for' loop body (Maintainability, Control flow)
  • Potential denial-of-service attack through malicious regular expression (ReDoS)
  • Never use JavaScript 'history' object or navigation-based positioning
  • Avoid unused local variable
  • Avoid accessing unreliable variable properties
  • Standard pseudo-random number generators cannot withstand cryptographic attacks

The details of the analysis are in the attached file (a zip with a pdf file).

Kendo version: 2020.2.513


3 Answers, 1 is accepted

Plamen
Telerik team
answered on 07 Dec 2020, 11:27 AM

Hi,

Thank you for getting in touch with us.

We will need some time to inspect the issues and will contact you as soon as we have more information about them. Please excuse the delay in our answer in advance.

Regards,
Plamen
Progress Telerik

Virtual Classroom, the free self-paced technical training that gets you up to speed with Telerik and Kendo UI products quickly just got a fresh new look + new and improved content including a brand new Blazor course! Check it out at https://learn.telerik.com/.

Plamen
Telerik team
answered on 10 Dec 2020, 06:59 AM

Hi,

We have inspected the issues detected by the tool and can confirm that they are false positives.

If you need more information or have any concrete concerns, please submit a support ticket so we can discuss them further.

Regards,
Plamen
Progress Telerik


Francisco
answered on 10 Dec 2020, 07:09 AM

Thank you.

We will consider the creation of the support ticket.
