Skip to content

weakness passes don't exclude vendored / minified third-party code #95

Description

@mdavistffhrtporg

Found scanning Apple's WebInspectorUI (AttackMap 0.3.1).

2 of 3 ReDoS hits were in vendored third-party libraries under
UserInterface/External/ (CodeMirror, three.js) — not Apple's own code. The
per-file weakness passes (crypto, web-hardening, novel-vuln) run on vendored /
minified code, producing noise about bugs in dependencies the project doesn't
maintain.

The taint engine already skips node_modules, but nothing skips External/,
vendor/, third_party/, or *.min.js.

Fix

  • Add is_vendored_file() to srcpaths.py (node_modules, vendor, vendored,
    third_party/third-party, external/externals, bower_components, *.min.js),
    honoring ATTACKMAP_INCLUDE_VENDORED.
  • Gate the per-file weakness passes on it (like the taint: exclude test files from sink scanning by default #67 test-file exclusion),
    and extend the taint indexer's skip-dirs.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions