┌─────────────┐
│ Scan Status │
└─────────────┘
Scanning 250 files tracked by git with 7 Code rules:
Scanning 9 files with 7 bash rules.
┌──────────────────┐
│ 81 Code Findings │
└──────────────────┘
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/ap_update.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
8┆ apmode --ssid=${UPDATE_AP_SSID}
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/app_init.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
44┆ mkdir -p /tmp/modules/${MODULE_DIR}
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/fsck_mount_mmc.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
5┆ mount /dev/$MDEV /tmp/mnt/sdcard/
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/led_blink.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
6┆ echo ${GPIO_NUM} > /sys/class/gpio/export
⋮┆----------------------------------------
8┆ echo ${GPIO_NUM} > /sys/class/gpio/gpio${GPIO_NUM}/value
⋮┆----------------------------------------
14┆ usleep ${DELAY_MS}000
⋮┆----------------------------------------
16┆ usleep ${DELAY_MS}000
⋮┆----------------------------------------
23┆ echo ${GPIO_NUM} > /sys/class/gpio/unexport
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/rec_init.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
11┆ led_blink.sh ${LED_GPIO_NUM} &
⋮┆----------------------------------------
15┆ mkdir -p /tmp/modules/${MODULE_DIR}
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/sd_update.sh
external.semgrep-rules.bash.lang.correctness.unquoted-command-substitution-in-command
The result of command substitution $(...) or `...`, if unquoted, is split on whitespace or
other separators specified by the IFS variable. You should surround it with double quotes to
avoid splitting the result.
225┆ echo "[sd_update.sh] retry_count:"$((retry_count++))
⋮┆----------------------------------------
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
32┆ count=`ls $FW_DIR`
⋮┆----------------------------------------
41┆ sh $UPGRADE_FILE
⋮┆----------------------------------------
46┆ diff -b $APP_VER_FILE $VERSION_FILE > /dev/null
⋮┆----------------------------------------
60┆ cp $MD5_INFO $TMP_MD5_INFO
⋮┆----------------------------------------
67┆ output=`grep $filename $TMP_MD5_INFO`
⋮┆----------------------------------------
71┆ cp $1 /tmp
⋮┆----------------------------------------
72┆ output=`md5sum /tmp/$filename`
⋮┆----------------------------------------
77┆ retry_count=$(($retry_count+1))
⋮┆----------------------------------------
92┆ flashcp -v $1 $2 > /dev/null
⋮┆----------------------------------------
96┆ retry_count=$(($retry_count+1))
⋮┆----------------------------------------
109┆ result=$(funCopy $1)
⋮┆----------------------------------------
113┆ result=$(funFlashcp /tmp/$filename $2)
⋮┆----------------------------------------
124┆ rm -f /tmp/$filename
⋮┆----------------------------------------
152┆ funUpgrade $BOOT /dev/mtd0
⋮┆----------------------------------------
157┆ funUpgrade $TAG /dev/mtd1
⋮┆----------------------------------------
162┆ funUpgrade $KERNEL /dev/mtd2
⋮┆----------------------------------------
167┆ funUpgrade $ROOTFS /dev/mtd3
⋮┆----------------------------------------
172┆ funUpgrade $RECOVERY /dev/mtd4
⋮┆----------------------------------------
177┆ funUpgrade $SYSTEM /dev/mtd5
⋮┆----------------------------------------
184┆ result=$(funCopy $FW_DIR/$MCU_FW_011)
⋮┆----------------------------------------
192┆ result=$(funCopy $FW_DIR/$MCU_FW_031)
⋮┆----------------------------------------
211┆ mcuisp $MCU_TMP_PATH
⋮┆----------------------------------------
215┆ profile_ver=`cat $FW_DIR/$MCU_VER`
⋮┆----------------------------------------
217┆ echo "[sd_update.sh] current version:"$curr_ver
⋮┆----------------------------------------
218┆ echo "[sd_update.sh] profile version:"$profile_ver
⋮┆----------------------------------------
233┆ mcuisp $MCU_BACKUP_PATH
⋮┆----------------------------------------
235┆ profile_ver=`cat $MCU_BACKUP_PATH/$MCU_VER`
⋮┆----------------------------------------
236┆ echo "[sd_update.sh] profile version:"$profile_ver
⋮┆----------------------------------------
251┆ mcuisp $MCU_SYS_PATH
⋮┆----------------------------------------
253┆ profile_ver=`cat $MCU_SYS_PATH/$MCU_VER`
⋮┆----------------------------------------
254┆ echo "[sd_update.sh] profile version:"$profile_ver
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/tf_update.sh
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
23┆ unzip ${UPDATE_PACK_FILE_PATH} -d /tmp/
⋮┆----------------------------------------
32┆ cd ${UPDATE_DIR_PATH}
⋮┆----------------------------------------
33┆ md5sum -c ${UPDATE_FW_MD5_NAME}
⋮┆----------------------------------------
49┆ echo "Current version: "${FWINFO_CURRENT}
⋮┆----------------------------------------
50┆ echo "Target version: "${FWINFO_TO}
⋮┆----------------------------------------
73┆ tag_generator --tag_path=/dev/mtdblock1 --update --fwinfo=${FWINFO_TO}
⋮┆----------------------------------------
80┆ echo "Update to new version: "${FWINFO_NEW}
/logs/firmware/unblob_extracted/firmware_extract/11108416-13869836.lzma_extract/lzma.uncompressed_extract/3761304-11775640.cpio_portable_ascii_extract/usr/bin/update.sh
external.semgrep-rules.bash.lang.correctness.unquoted-command-substitution-in-command
The result of command substitution $(...) or `...`, if unquoted, is split on whitespace or
other separators specified by the IFS variable. You should surround it with double quotes to
avoid splitting the result.
215┆ echo "[update.sh] retry_count:"$((retry_count++))
⋮┆----------------------------------------
external.semgrep-rules.bash.lang.correctness.unquoted-variable-expansion-in-command
Variable expansions must be double-quoted so as to prevent being split into multiple pieces
according to whitespace or whichever separator is specified by the IFS variable. If you
really wish to split the variable's contents, you may use a variable that starts with an
underscore e.g. $_X instead of $X, and semgrep will ignore it. If what you need is an array,
consider using a proper bash array.
44┆ output=`grep $filename $FW_FILE_PATH/$UPDATE_INFO`
⋮┆----------------------------------------
46┆ output=`md5sum $1`
⋮┆----------------------------------------
60┆ flashcp -v $1 $2 > /dev/null
⋮┆----------------------------------------
64┆ retry_count=$(($retry_count+1))
⋮┆----------------------------------------
75┆ result=$(funMD5Check $1)
⋮┆----------------------------------------
79┆ result=$(funFlashcp $1 $2)
⋮┆----------------------------------------
104┆ cd $TMP_PATH
⋮┆----------------------------------------
117┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$UPGRADE_FILE
⋮┆----------------------------------------
120┆ sh $FW_FILE_PATH/$UPGRADE_FILE
⋮┆----------------------------------------
125┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$UPDATE_INFO
⋮┆----------------------------------------
128┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$KERNEL
⋮┆----------------------------------------
131┆ funUpgrade $FW_FILE_PATH/$KERNEL /dev/mtd2
⋮┆----------------------------------------
132┆ rm $FW_FILE_PATH/$KERNEL
⋮┆----------------------------------------
136┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$ROOTFS
⋮┆----------------------------------------
139┆ funUpgrade $FW_FILE_PATH/$ROOTFS /dev/mtd3
⋮┆----------------------------------------
140┆ rm $FW_FILE_PATH/$ROOTFS
⋮┆----------------------------------------
144┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$SYSTEM
⋮┆----------------------------------------
147┆ cp -r $MCU_SYS_PATH* $MCU_BACKUP_PATH
⋮┆----------------------------------------
151┆ funUpgrade $FW_FILE_PATH/$SYSTEM /dev/mtd5
⋮┆----------------------------------------
152┆ rm $FW_FILE_PATH/$SYSTEM
⋮┆----------------------------------------
159┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$MCU_FW_011
⋮┆----------------------------------------
160┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$MCU_FW_031
⋮┆----------------------------------------
161┆ tar -xzvf $FW_FILE_NAME $FW_FILE_PATH/$MCU_VER
⋮┆----------------------------------------
166┆ cp $FW_FILE_PATH/$MCU_FW_011 $MCU_TMP_PATH/$MCU_FW_011
⋮┆----------------------------------------
167┆ cp $FW_FILE_PATH/$MCU_FW_031 $MCU_TMP_PATH/$MCU_FW_031
⋮┆----------------------------------------
204┆ mcuisp $MCU_TMP_PATH
⋮┆----------------------------------------
208┆ profile_ver=`cat $FW_FILE_PATH/$MCU_VER`
⋮┆----------------------------------------
223┆ mcuisp $MCU_BACKUP_PATH
⋮┆----------------------------------------
225┆ profile_ver=`cat $MCU_BACKUP_PATH/$MCU_VER`
⋮┆----------------------------------------
240┆ mcuisp $MCU_SYS_PATH
⋮┆----------------------------------------
242┆ profile_ver=`cat $MCU_SYS_PATH/$MCU_VER`
┌──────────────┐
│ Scan Summary │
└──────────────┘
Ran 7 rules on 9 files: 81 findings.