make MAX_ZIP* settings configurable

10c4133
Merged

move MAX_ZIP_* to settings #14730

DryRunSecurity / Cross-Site Scripting Analyzer succeeded Apr 22, 2026 in 42s

DryRun Security

Cross-Site Scripting Analyzer Findings: 1 detected

⚠️ Potential Cross-Site Scripting in dojo/tools/anchore_grype/parser.py

Type: Potential Cross-Site Scripting
Description: The parser concatenates external strings (vuln_datasource, vuln_urls[], rel_datasource, rel_urls[]) directly into a finding_references string using f-strings without any escaping or sanitization. If those values originate from untrusted input (scanner output, advisories, or user-supplied data) and are later rendered into an HTML/JS context without appropriate escaping, this creates a path for XSS.
Filename: dojo/tools/anchore_grype/parser.py
Code (excerpt flagged by the analyzer):
```python
finding_references += f"**Vulnerability Datasource:** {vuln_datasource}\n"
if vuln_urls:
    if len(vuln_urls) == 1:
        if vuln_urls[0] != vuln_datasource:
```