
Snyk Security Issues Reported in Joomla 5 Core

Discussion regarding Joomla! 5.x security issues.

Moderators: mandville, General Support Moderators

andypooz
Joomla! Guru
Posts: 729
Joined: Sat Dec 30, 2006 3:03 pm
Location: London, UK

Snyk Security Issues Reported in Joomla 5 Core

Post by andypooz » Tue Aug 20, 2024 11:48 am

I wonder if anyone has experience running the Joomla codebase through the snyk security scanner ( https://snyk.io/ )
I have created a web application based on Joomla 5, and the product owner is a large multinational organization that requires all of their applications to pass a scan from snyk.
At the moment there are over a hundred 'High' risk issues being flagged, mostly involving unsanitized input from headers being used, resulting in suggested risk of XSS / Deserialization of Untrusted Data.
The files flagged are part of the Joomla 5 core, not custom extensions or files, so I'm guessing that this data is sanitized and dealt with properly, but the snyk scanner is not recognising this, and is producing a false positive as a result. Or could it be that the Joomla core actually doesn't meet the strict coding/security standards of scanners like Snyk?
Anyone with experience using Joomla for enterprise applications and having to pass scans like snyk? Overriding these files to add sanitisation that snyk recognises would be a major hassle, if it's even possible at all.
Any insights?
Andy Hickey
Bespoke Joomla Extension Developer
http://www.netamity.com
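For readers triaging findings like the ones described in the post, the following is an added illustration, not Joomla core code, not anything from the post's author, and not Snyk's rule set. It shows in plain PHP the two data flows behind the reported finding types (a request header reaching an output sink without a recognised filter, and unserialize() on attacker-controlled bytes), each beside a form whose flow a taint-tracking scanner can see as closed. The header and cookie values are constructed inline and all names are hypothetical; the post does not say which core files were flagged, so none of them is reproduced here.

```php
<?php
declare(strict_types=1);

// Added illustration, not Joomla core code and not Snyk's rule set. It shows,
// in plain PHP, the data flows behind the two finding types named in the post
// ("unsanitized input from headers" -> XSS, and "Deserialization of Untrusted
// Data"), each beside a form whose flow a taint-tracking scanner can close.
// Request data is constructed inline (hypothetical values) so it runs offline.

// Constructed stand-ins for $_SERVER and $_COOKIE, as an attacker could send them.
const FAKE_SERVER = [
    'HTTP_HOST'       => 'example.test"><script>alert(1)</script>',
    'HTTP_USER_AGENT' => "Mozilla/5.0\r\nX-Injected: 1",
];
const FAKE_COOKIE = [
    // Serialized stdClass; with plain unserialize() any class named here is instantiated.
    'prefs' => 'O:8:"stdClass":1:{s:5:"theme";s:4:"dark";}',
];

// --- Finding 1: header value reaches an HTML sink untouched (source -> sink, no sanitizer).
function pageTitleUnsafe(array $server): string
{
    return '<title>' . $server['HTTP_HOST'] . '</title>';
}

// Same flow, but encoded for the HTML context at the sink. htmlspecialchars() is
// the kind of call data-flow scanners model as an XSS sanitizer.
function pageTitleSafe(array $server): string
{
    $host = htmlspecialchars((string) ($server['HTTP_HOST'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<title>' . $host . '</title>';
}

// --- Finding 1b: header value copied into a response header (CR/LF = header injection).
function echoUserAgentUnsafe(array $server): string
{
    return 'X-Seen-UA: ' . $server['HTTP_USER_AGENT'];
}

function echoUserAgentSafe(array $server): string
{
    // Remove line terminators so the value cannot end this header and start another.
    $ua = preg_replace('/[\r\n]+/', ' ', (string) ($server['HTTP_USER_AGENT'] ?? ''));
    return 'X-Seen-UA: ' . $ua;
}

// --- Finding 2: unserialize() on attacker-controlled bytes.
function prefsUnsafe(array $cookie): mixed
{
    return unserialize($cookie['prefs']);
}

// Hardened: forbid object instantiation and accept only the shape we expect.
// (Moving the cookie to JSON and json_decode() is the cleaner long-term fix.)
function prefsSafe(array $cookie): array
{
    $data = @unserialize((string) ($cookie['prefs'] ?? ''), ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Run the constructed request through both versions of each function.
printf("unsafe title : %s\n", pageTitleUnsafe(FAKE_SERVER));
printf("safe title   : %s\n", pageTitleSafe(FAKE_SERVER));
printf("unsafe header: %s\n", json_encode(echoUserAgentUnsafe(FAKE_SERVER)));
printf("safe header  : %s\n", json_encode(echoUserAgentSafe(FAKE_SERVER)));
var_dump(prefsUnsafe(FAKE_COOKIE)); // object(stdClass): the payload chose the class
var_dump(prefsSafe(FAKE_COOKIE));   // array(0): object payload rejected, nothing instantiated
```

The practical use of this when working through a scanner report is the same for every finding: follow the reported path from the source (the header, cookie or parameter) to the sink and check whether a filtering or encoding call sits on it. Joomla routes request data through its own Input and InputFilter classes; if the scanner does not model those as sanitizers, it will report the flow even though the value is filtered, and the finding can be closed with that justification attached, or raised with the JSST as the reply in this thread suggests. A path with no filter on it at all is the one worth a second look.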

abernyte
Joomla! Virtuoso
Posts: 4196
Joined: Fri May 15, 2009 2:01 pm
Location: Écosse - Scozia - Escocia - Škotija -स्कॉटलैंड

Re: Snyk Security Issues Reported in Joomla 5 Core

Post by abernyte » Tue Aug 20, 2024 3:33 pm

You might want to refer this to the JSST [email protected] for their view.
"Those who expect to reap the blessings of freedom must, like men, undergo the fatigue of supporting it." Thomas Paine
