Add initial Dockerfile, Pipfile.lock, and Terraform configuration for…

[CalinL]

… resource setup; include insecure code samples for security testing

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ❌ 7 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 4bb0322.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

devsecops-demo/Pipfile.lock

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
		Werkzeug safe_join() allows Windows special device names with compound extensions	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate

Only included vulnerabilities with severity moderate or higher.

License Issues

devsecops-demo/Pipfile.lock

Package	Version	License	Issue Type
flask	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
werkzeug	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
jinja2	3.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
click	8.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
itsdangerous	2.0.1	BSD-2-Clause	Incompatible License
markupsafe	2.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
python-dotenv	0.19.0	BSD-2-Clause AND BSD-3-Clause	Incompatible License

Allowed Licenses:

MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/flask	2.0.2	Unknown	Unknown
pip/werkzeug	2.0.2	Unknown	Unknown
pip/jinja2	3.0.2	Unknown	Unknown
pip/click	8.0.1	Unknown	Unknown
pip/itsdangerous	2.0.1	Unknown	Unknown
pip/markupsafe	2.0.1	Unknown	Unknown
pip/python-dotenv	0.19.0	🟢 5.2	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• devsecops-demo/Pipfile.lock

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ❌ 7 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 4bb0322.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

devsecops-demo/Pipfile.lock

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
		Werkzeug safe_join() allows Windows special device names with compound extensions	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate

Only included vulnerabilities with severity moderate or higher.

License Issues

devsecops-demo/Pipfile.lock

Package	Version	License	Issue Type
flask	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
werkzeug	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
jinja2	3.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
click	8.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
itsdangerous	2.0.1	BSD-2-Clause	Incompatible License
markupsafe	2.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
python-dotenv	0.19.0	BSD-2-Clause AND BSD-3-Clause	Incompatible License

Allowed Licenses:

MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/flask	2.0.2	Unknown	Unknown
pip/werkzeug	2.0.2	Unknown	Unknown
pip/jinja2	3.0.2	Unknown	Unknown
pip/click	8.0.1	Unknown	Unknown
pip/itsdangerous	2.0.1	Unknown	Unknown
pip/markupsafe	2.0.1	Unknown	Unknown
pip/python-dotenv	0.19.0	🟢 5.2	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• devsecops-demo/Pipfile.lock

In general, to fix this type of issue you replace a bare except: (or except BaseException:) with more specific exception handlers, typically except Exception: for “normal” runtime errors, and optionally separate handlers for KeyboardInterrupt and SystemExit if you need special behavior. This ensures that program termination and user interrupts are not accidentally swallowed.

For this specific file:

• At line 10, instead of except: pass, we should catch the precise error that can occur in the try block. The try block indexes into a list (xs[7] and xs[8]), so the realistic error is IndexError. Replacing the bare except: with except IndexError: preserves the idea of “ignoring out-of-range access” while no longer catching KeyboardInterrupt or SystemExit.
• The except: continue inside the loop on lines 14–16 is not highlighted by CodeQL in the prompt, so we will leave it unchanged to respect the instruction to only fix the specific reported issue.

No new imports or helper methods are needed; we just update the exception clause on line 10 inside devsecops-demo/insecure-01.py.

In general, an empty except should either (a) catch only the specific exception type you expect and handle it appropriately (log, recover, or re-raise), or (b) if you truly intend to ignore it, document that explicitly in a comment and usually still narrow the exception type. Avoid bare except: because it hides programming errors like KeyboardInterrupt and SystemExit.

For this specific code, the only realistic exception from print(xs[7]); print(xs[8]) is IndexError when accessing xs[8]. The best fix that preserves existing behavior (the script continues even if the index is out of range) is:

• Narrow the handler to except IndexError as exc:.
• Log or print a short message including the exception so that failures are visible instead of silently ignored.

We only need to modify the try/except block around lines 7–10 in devsecops-demo/insecure-01.py. No extra imports are required since a simple print is enough for this demo script.

In general, to fix “Except block directly handles BaseException”, replace bare except: with explicit except Exception: or, better, with the specific exception types you expect, and never silently swallow KeyboardInterrupt or SystemExit. If you truly must catch all exceptions, re‑raise KeyboardInterrupt and SystemExit explicitly.

For this snippet, we can preserve existing behavior (ignore only the expected runtime errors) while no longer catching BaseException:

• On lines 7–10, the code indexes into xs beyond its length. The only likely error is IndexError. Replace except: with except IndexError: and keep pass to maintain the “ignore index errors” semantics.
• On lines 14–16, the code adds 3 to elements of ys, two of which are None. That raises TypeError. Replace except: with except TypeError: and keep continue so the loop still skips problematic elements.

No new imports or helper functions are needed; we only tighten the exception types in devsecops-demo/insecure-01.py at the two bare except: sites.

To fix an unused import, remove the import statement for the unused module while leaving all other code intact. This eliminates the unnecessary dependency and satisfies the static analysis rule without altering runtime behavior.

In this specific case, remove the line import telnetlib from devsecops-demo/insecure-01.py. Keep the import ftplib line as-is, because we are not shown whether ftplib is used elsewhere in this file, and we should not modify or infer beyond the provided snippet. No new methods, definitions, or imports are required; the fix is purely the deletion of the unused telnetlib import on line 19.

To fix an unused import, the general approach is to remove the import statement for the module that is not used anywhere in the file. This reduces unnecessary dependencies and slightly improves readability and load time.

In this specific case, in devsecops-demo/insecure-01.py, line 20 (import ftplib) should be removed, because there are no references to ftplib in the file. We leave the neighboring import hashlib and import telnetlib unchanged, since hashlib is clearly used and telnetlib might be intended for future or external use (and is not the one flagged). No additional methods, imports, or definitions are required; we are only deleting the unused import line.

To fix an unused import, remove the imported name from the import statement while keeping the needed ones. Here, we should keep request and render_template (both are used) and drop make_response.

Concretely, in devsecops-demo/routes-01.py, adjust line 2 so that make_response is no longer imported. No other code changes are required because make_response is not referenced anywhere in the shown snippet. This preserves all existing functionality while eliminating the unnecessary dependency.

In general, an unused local variable should either be removed or renamed to make its intentional unusedness clear. Since the read value is not used anywhere and there is no sign that it must be evaluated for side effects, the safest, least invasive fix is to delete the assignment entirely.

For this specific case in devsecops-demo/routes-01.py, the best fix is to remove line 12:

read = bool(request.args.get('read'))

and leave the rest of the function unchanged. This preserves all existing behavior (no code was using read), eliminates the unused variable, and removes the CodeQL warning. No additional imports or definitions are required, and all changes are confined to the index function in this file.

[github-advanced-security]

templateanalyzer found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[github-advanced-security]

checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.