Cryptographic APIs misuses

[misterAnderson90]

I'm a PhD student interested in finding security vulnerabilities in open source projects.

We found a total of 02 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on NextcloudServices (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).

Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve NextcloudServices security, and the quality of the reports of static analysis tools.

[0xf104a]

Hello and sorry for the long response. Thank you very much for your work. You can send issues that you have found by my email [email protected].
My public PGP key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: OpenPGP.js v4.10.10
Comment: https://openpgpjs.org

xjMEYpJGUxYJKwYBBAHaRw8BAQdALFACagUvoduUyREytnrBCgF52H05c6SQ
MjpmOmF4SBbNLXRvZGRvdEBwcm90b25tYWlsLmNvbSA8dG9kZG90QHByb3Rv
bm1haWwuY29tPsKPBBAWCgAgBQJikkZTBgsJBwgDAgQVCAoCBBYCAQACGQEC
GwMCHgEAIQkQKxoypGy1ZlwWIQQ+QHvwMtYI/xvqHJErGjKkbLVmXNE+APwN
Owmgo+qeqXUatWGzv4pvM/qa5Cj5/F2SHFDa50v5NQEA9LhY68B4q1PjmsMA
smqnSVDtsksnSl2wEEndTBLTgArOOARikkZTEgorBgEEAZdVAQUBAQdAsASW
pqpl+pLpf897P39NiRTy1HegM0h2MNcXbCGAESYDAQgHwngEGBYIAAkFAmKS
RlMCGwwAIQkQKxoypGy1ZlwWIQQ+QHvwMtYI/xvqHJErGjKkbLVmXACoAQDk
TQ0YXYU+c/AqE4yfpRD6lfqTcskKfiNiFOrlshRRYAEA3h2r7xsTeJhRoWI2
MZZIzL8dTWcfVGuBDf+U1h3/mQs=
=osF8
-----END PGP PUBLIC KEY BLOCK-----

[misterAnderson90]

Hello @Andrewerr,

I just sent you an e-mail with the documented gists. Please let me know your perceptions about these warnings.