Code Security Report: 8 high severity findings, 8 total findings [develop]

[mend-for-github-com]

Code Security Report

Scan Metadata

Latest Scan: 2026-03-10 10:28pm
Total Findings: 8 | New Findings: 3 | Resolved Findings: 11
Tested Project Files: 511
Detected Programming Languages: 2 (Python*, C/C++ (Beta))

• Check this box to manually trigger a scan

Note: GitHub may take a few seconds to process actions triggered via checkboxes.
Please wait until the change is visible before continuing.

Finding Details

Severity	Vulnerability Type	CWE	File	Data Flows	Detected
High	Out of Buffer Bounds Write	CWE-787	bcc_perf_map.c:39	1	2025-01-15 05:11pm
Vulnerable Code bcc/src/cc/bcc_perf_map.c Lines 34 to 39 in df3ff48 int bcc_perf_map_nstgid(int pid) { char status_path[64]; FILE *status; snprintf(status_path, sizeof(status_path), "/proc/%d/status", pid); 1 Data Flow/s detected bcc/src/cc/bcc_perf_map.c Line 39 in df3ff48 snprintf(status_path, sizeof(status_path), "/proc/%d/status", pid); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	trace_helpers.c:311	1	2025-01-15 05:11pm
Vulnerable Code bcc/libbpf-tools/trace_helpers.c Lines 306 to 311 in df3ff48 if (!gelf_getshdr(section, &header)) continue; name = elf_strptr(e, stridx, header.sh_name); if (name && !strcmp(name, ".text")) { *addr = (uint64_t)header.sh_addr; 1 Data Flow/s detected bcc/libbpf-tools/trace_helpers.c Line 311 in df3ff48 *addr = (uint64_t)header.sh_addr; Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	bcc_proc.c:509	1	2025-01-15 05:11pm
Vulnerable Code bcc/src/cc/bcc_proc.c Lines 504 to 509 in df3ff48 const size_t mapnamelen = strlen(mapname); if (mapnamelen >= PATH_MAX) { fprintf(stderr, "Found mapped library path is too long\n"); break; } found = true; 1 Data Flow/s detected bcc/src/cc/bcc_proc.c Line 509 in df3ff48 found = true; Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	bcc_proc.c:249	4	2026-02-27 09:59pm
Vulnerable Code bcc/src/cc/bcc_proc.c Lines 244 to 249 in df3ff48 goto done; } // Try perf-<PID>.map path with global root and PID, in case it is generated // by other Process. Avoid checking mount namespace for this. memset(&mod, 0, sizeof(mod_info)); int res = snprintf(map_path, 4096, "/tmp/perf-%d.map", pid); 4 Data Flow/s detected View Data Flow 1 bcc/src/cc/bcc_proc.c Line 249 in df3ff48 int res = snprintf(map_path, 4096, "/tmp/perf-%d.map", pid); View Data Flow 2 bcc/src/cc/bcc_proc.c Line 249 in df3ff48 int res = snprintf(map_path, 4096, "/tmp/perf-%d.map", pid); View Data Flow 3 bcc/src/cc/bcc_proc.c Line 249 in df3ff48 int res = snprintf(map_path, 4096, "/tmp/perf-%d.map", pid); View more Data Flows Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Path/Directory Traversal	CWE-22	libbpf.c:1229	1	2025-01-15 05:11pm
Vulnerable Code bcc/src/cc/libbpf.c Lines 1224 to 1229 in df3ff48 int kfd = -1, res = -1; char ev_alias[256]; bool is_kprobe = strncmp("kprobe", event_type, 6) == 0; snprintf(buf, PATH_MAX, "%s/%s_events", get_tracefs_path(), event_type); kfd = open(buf, O_WRONLY | O_APPEND, 0); 1 Data Flow/s detected bcc/src/cc/libbpf.c Line 1178 in df3ff48 if (bytes <= 0 || bytes >= sizeof(buf)) { Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Path/Directory Traversal Training ● Videos    ▪ Secure Code Warrior Path/Directory Traversal Video ● Further Reading    ▪ OWASP Path Traversal    ▪ OWASP Input Validation Cheat Sheet Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	path_helpers.bpf.h:32	2	2026-03-10 10:30pm
Vulnerable Code bcc/libbpf-tools/path_helpers.bpf.h Lines 27 to 32 in df3ff48 filepart_length = bpf_probe_read_kernel_str(payload, name_len, BPF_CORE_READ(dentry, d_name.name)); if (filepart_length < 0) { *failed = 1; 2 Data Flow/s detected View Data Flow 1 bcc/libbpf-tools/path_helpers.bpf.h Line 32 in df3ff48 *failed = 1; View Data Flow 2 bcc/libbpf-tools/path_helpers.bpf.h Line 32 in df3ff48 *failed = 1; Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	trace_helpers.c:82	1	2025-01-15 05:11pm
Vulnerable Code bcc/libbpf-tools/trace_helpers.c Lines 77 to 82 in df3ff48 ksym = &ksyms->syms[ksyms->syms_sz]; /* while constructing, re-use pointer as just a plain offset */ ksym->name = (void *)(unsigned long)ksyms->strs_sz; ksym->addr = addr; memcpy(ksyms->strs + ksyms->strs_sz, name, name_len); 1 Data Flow/s detected bcc/libbpf-tools/trace_helpers.c Line 82 in df3ff48 memcpy(ksyms->strs + ksyms->strs_sz, name, name_len); Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.
High	Out of Buffer Bounds Write	CWE-787	syscall_helpers.c:37	1	2026-03-02 08:19pm
Vulnerable Code bcc/libbpf-tools/syscall_helpers.c Lines 32 to 37 in df3ff48 if (*end != '\t') { warn("bad input: %s (expected <num>\t<name>)\n", buf); return NULL; } *number = x; 1 Data Flow/s detected bcc/libbpf-tools/syscall_helpers.c Line 37 in df3ff48 *number = x; Secure Code Warrior Training Material ● Training    ▪ Secure Code Warrior Out of Buffer Bounds Write Training ● Videos    ▪ Secure Code Warrior Out of Buffer Bounds Write Video Suppress Finding ... as False Alarm ... as Acceptable Risk Note: GitHub may take a few seconds to process actions triggered via checkboxes. Please wait until the change is visible before continuing.