94 lines
5.3 KiB
JSON
94 lines
5.3 KiB
JSON
[
|
|
{
|
|
"level": "critical",
|
|
"role": "Rex",
|
|
"location": "entrypoint.sh:40 (舊版)",
|
|
"suggestion": "舊版程式碼中的 `zip -r \"$(basename \"$PWD\").$RELEASE_VERSION.zip\" $RELEASE_FOLDER/*` 存在嚴重的命令注入風險。`$RELEASE_FOLDER/*` 未被引用 (unquoted),若 `$RELEASE_FOLDER` 包含惡意檔案名稱(例如含有特殊字元、命令替換),或檔案數量過多導致參數列表溢出,可能導致任意命令執行或服務阻斷。新版程式碼透過 `(cd \"$RELEASE_FOLDER\"; zip -qr \"$archive_path\" .)` 的方式,安全地切換目錄並壓縮當前目錄內容,有效避免了此類風險,這是非常重要的安全改進。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "warning",
|
|
"role": "Zara",
|
|
"location": "b/entrypoint.sh:66",
|
|
"suggestion": "新增的 `file_count=\"$(find \"$RELEASE_FOLDER\" -type f | wc -l | tr -d ' ')\"` 指令會對 `$RELEASE_FOLDER` 進行一次完整的檔案系統遍歷以計算檔案數量。對於包含大量檔案或深層目錄的資料夾,這會增加額外的 I/O 開銷和執行時間,可能在壓縮前造成明顯的延遲。請評估此檔案計數是否為必要資訊,若僅用於日誌記錄,可考慮移除或採用更輕量級的估算方式,以避免不必要的效能損耗。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "warning",
|
|
"role": "Rex",
|
|
"location": "entrypoint.sh:1 (舊版)",
|
|
"suggestion": "舊版程式碼缺少 `set -euo pipefail`。`set -e` 確保指令失敗時腳本立即退出,防止在錯誤狀態下繼續執行;`set -u` 確保使用未定義變數時腳本報錯,避免潛在的意外行為或注入;`set -o pipefail` 確保管道命令的錯誤能被正確捕獲。新版程式碼已加入這些設定,顯著提升了腳本的安全性與穩定性,降低了因未預期錯誤導致的安全風險。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "warning",
|
|
"role": "Rex",
|
|
"location": "entrypoint.sh:34 (新版)",
|
|
"suggestion": "舊版程式碼在壓縮前未檢查 `$RELEASE_FOLDER` 是否為一個有效的目錄。若 `$RELEASE_FOLDER` 不存在或指向非目錄路徑,可能導致腳本執行失敗或產生非預期的行為,甚至在某些情況下可能被利用。新版程式碼已新增 `if [[ ! -d \"$RELEASE_FOLDER\" ]]` 檢查,提升了腳本的健壯性與安全性。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Leo",
|
|
"location": "entrypoint.sh:10",
|
|
"suggestion": "為新定義的函式 `log_section` 添加簡短的註解,說明其用途(例如:用於輸出帶有邊框和分隔線的區塊標題)。這有助於未來維護者快速理解函式功能。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Leo",
|
|
"location": "entrypoint.sh:14",
|
|
"suggestion": "為新定義的函式 `log_kv` 添加簡短的註解,說明其用途(例如:用於輸出鍵值對資訊,並確保對齊)。這有助於未來維護者快速理解函式功能。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Leo",
|
|
"location": "entrypoint.sh:18",
|
|
"suggestion": "為新定義的函式 `fail` 添加簡短的註解,說明其用途(例如:用於輸出錯誤訊息並以非零狀態碼退出腳本)。這有助於未來維護者快速理解函式功能。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Leo",
|
|
"location": "entrypoint.sh:22",
|
|
"suggestion": "為新定義的函式 `require_value` 添加簡短的註解,說明其用途(例如:用於檢查指定變數是否為空或 'null',若否則呼叫 `fail` 函式退出)。這有助於未來維護者快速理解函式功能。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Rex",
|
|
"location": "entrypoint.sh:38 (新版)",
|
|
"suggestion": "舊版程式碼未檢查 `zip` 命令是否存在。若執行環境中缺少 `zip` 工具,腳本將會失敗,影響可靠性。新版程式碼已加入 `command -v zip` 檢查,確保必要工具的存在,提升了腳本的可靠性,這是一個良好的安全實踐。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Aria",
|
|
"location": "entrypoint.sh:13",
|
|
"suggestion": "在 `log_kv` 函數中,`printf` 的格式字串 `%-16s` 硬編碼了鍵的寬度為 16。若鍵的字串長度超過此值,對齊效果將會失效。建議考慮動態計算最大鍵寬度,或使用更具彈性的對齊方式,以提高日誌輸出的健壯性。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Aria",
|
|
"location": "entrypoint.sh:44",
|
|
"suggestion": "建議將 `archive_name` 宣告為 `readonly`,以明確其為常數且不應被修改,增加程式碼的清晰度與維護性。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Aria",
|
|
"location": "entrypoint.sh:45",
|
|
"suggestion": "建議將 `archive_path` 宣告為 `readonly`,以明確其為常數且不應被修改,增加程式碼的清晰度與維護性。",
|
|
"reason": "false positive"
|
|
},
|
|
{
|
|
"level": "info",
|
|
"role": "Aria",
|
|
"location": "entrypoint.sh:46",
|
|
"suggestion": "建議將 `file_count` 宣告為 `readonly`,以明確其為常數且不應被修改,增加程式碼的清晰度與維護性。",
|
|
"reason": "false positive"
|
|
}
|
|
]
|