andrewmusselman opened a new issue, #661: URL: https://github.com/apache/tooling-trusted-releases/issues/661
**Audit refs:** 8.2.2 CRITICAL-004/CRITICAL-005, 8.2.2 HIGH-001

#### Description

**SBOM task authorization-after-read** (`atr/tasks/sbom.py:60-156`): Functions `augment()`, `osv_scan()`, `score_qs()`, `score_tool()` read files from disk using user-supplied paths **before** verifying authorization. The file is already accessed by the time `write.as_project_committee_participant()` is called.

#### Recommended fix

1. Document that there is a policy that the initiator of a task must do all validation.
2. Ensure `atr/docs` is read during audit.

**CWE:** CWE-862 / CWE-639 | **CVSS:** 8.1
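To make the ordering problem concrete, here is an added illustration (not code from the tooling-trusted-releases project) of a task that reads a user-supplied path before the participant check, beside the authorize-first ordering. `check_participant`, `COMMITTEE_MEMBERS` and the audit log are hypothetical stand-ins for `write.as_project_committee_participant()` and the real membership store.

```python
# Added example: authorization-after-read versus authorize-first task ordering.
# COMMITTEE_MEMBERS, check_participant and AuditLog are constructed stand-ins,
# not the project's own API.
from dataclasses import dataclass, field
from pathlib import Path
import tempfile

# Constructed membership table: project -> set of committee participants.
COMMITTEE_MEMBERS = {"tooling": {"alice"}}


class NotAuthorized(Exception):
    pass


@dataclass
class AuditLog:
    """Records every path a task actually opened on disk."""
    reads: list = field(default_factory=list)


def check_participant(user: str, project: str) -> None:
    if user not in COMMITTEE_MEMBERS.get(project, set()):
        raise NotAuthorized(f"{user} is not a participant of {project}")


def task_read_then_authorize(user: str, project: str, path: str, log: AuditLog) -> int:
    # Vulnerable ordering: the user-supplied path is opened before the check,
    # so an unauthorized caller still causes a disk read.
    data = Path(path).read_bytes()
    log.reads.append(path)
    check_participant(user, project)
    return len(data)


def task_authorize_then_read(user: str, project: str, path: str, log: AuditLog) -> int:
    # Fixed ordering: authorize first; an unauthorized caller never touches disk.
    check_participant(user, project)
    data = Path(path).read_bytes()
    log.reads.append(path)
    return len(data)


def run_as_unauthorized(task) -> tuple:
    """Run `task` as a non-participant; return (raised, number_of_files_read)."""
    log = AuditLog()
    with tempfile.TemporaryDirectory() as tmp:
        sbom = Path(tmp) / "bom.cdx.json"          # constructed sample input
        sbom.write_bytes(b'{"bomFormat": "CycloneDX", "specVersion": "1.5"}')
        try:
            task("mallory", "tooling", str(sbom), log)
            raised = False
        except NotAuthorized:
            raised = True
    return raised, len(log.reads)
```

Both orderings reject the caller, but only the vulnerable one has already read the file by the time it does; the audit log is what makes the difference observable.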
