Status:
Active
Project:
Secure Code Review
Version:
7.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
19 Aug 2011 at 18:41 UTC
Updated:
20 Aug 2011 at 18:02 UTC
I ran the tool on the "vulnerable.module" which is full of security holes. I was surprised it didn't find any issues. https://github.com/greggles/vulnerable
It also didn't find any issues in the 6.x-2.1 of http://drupal.org/node/891694 though that was an XSS issue in FAPI elements - http://drupal.org/node/1182968 - not sure if SCR is meant to find that quite.
I'll keep running it on other modules.
Comments
Comment #1
solotandem commented
I downloaded the vulnerable code, ran it through the reviews, and got a whole bunch of logged items, mostly "Unclear." If you visit the settings page and lower the log threshold from the default of "Fail" to "Unclear," does this change the output? I had a couple of "Fails" too.
If you add '#options' to the $type array in secure_code_review_callback_form(), it will catch those in vulnerable_user_fapi_form(). I need to commit this to the code.
Thanks.