scalr / cookbooks Goto Github PK

Greetings,

I am a security researcher, who is looking for security smells in Chef scripts. I found instances where the HTTP protocol is used instead of HTTPS (HTTP with TLS). According to the Common Weakness Enumeration organization this is a security weakness (https://cwe.mitre.org/data/definitions/319.html). I was wondering why HTTP is used? Is it because of lack of tool support?

I am trying to find out if developers are forced to adopt bad practices due to lack of tool support when it comes to the HTTPS protocol. Maybe it is due to dependency on a resource that uses HTTP?

Any feedback is appreciated.

Source:

1. https://github.com/Scalr/cookbooks/blob/master/cookbooks/percona/recipes/repo.rb

Greetings,

I am a security researcher, who is looking for security smells in Chef scripts.
I found instances where certain keywords such as TODO, HACK, FIXME, bug repository IDs, in comments within Chef scripts.
According to the Common Weakness Enumeration organization this is a security weakness
(CWE-546: Suspicious Comment https://cwe.mitre.org/data/definitions/546.html).

I am trying to find out if you agree with the findings. I think it is possible to have a nuanced perspective. Any feedback is appreciated.

Source:

1. https://github.com/Scalr/cookbooks/blob/master/cookbooks/apt/providers/repository.rb