TA-trackme-cribl

Cribl API integration for TrackMe

Author TrackMe Limited, U.K.
Tags cloud
Version 1.0.9
Hash 180e211cd7f1405a6a1ef362263629ce
AppInspect Request ID 03cae3fa-0940-4522-a83b-0ab89367a722
Run Time 2025-11-04T21:32:35.452022
Execution Time 41

Run parameters:

Field Value
AppInspect Version 4.1.0

Analyzers:

Name Version Is Latest
dynamic-checks 1.44.0 True
retire-js 1.1.1 True
static-checks 4.1.0 True

Compatibility totals:

Status Count
Successes
118
Failures
0
Errors
0
Warnings
11
Not Applicable
96
Skipped
0

[ Warning Summary ]

Warnings are non-blocking concerns. But they are strongly recommended to be fixed.

check_for_splunk_js

File: appserver/static/js/build/entry_page.js 
256Splunk has begun gathering telemetry on apps submitted to appinspect, that utilize SplunkJS. Please ignore this warning as it has no impact to your Splunk app. Match: splunkjs/mvc

check_for_splunk_js_header_and_footer_view

File: appserver/static/js/build/entry_page.js 
256As of Splunk 6.5, this functionality is deprecated and should be removed in futureapp versions. Match: splunkjs/mvc/headerview.

check_for_python_script_existence 

180 Python files found. Update these Python scripts to be cross-compatible with Python 2 and 3 for Splunk Enterprise 8.0. See https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration for more information. If you've finished your update, please disregard this message.

check_props_conf_has_no_prohibited_characters_in_sourcetypes

File: default/props.conf 
24Found a special character in [(?::){0}cribl:custom_commands:*] stanza in props.conf. Sourcetype names containing <>?&# might not be visible. Rename the stanza to not contain any special characters.

check_python_sdk_version

File: lib/splunklib/__init__.py 
35Splunk SDK for Python detected (version 2.1.1). No action required at this time.

check_for_possible_threading

File: lib/solnlib/splunkenv.py 
346The following line contains subprocess.Popen usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/modular_input/modinput.py 
139The following line contains subprocess.Popen usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/splunkenv.py 
349The following line contains subprocess.Popen.communicate usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/concurrent/thread_pool.py 
166The following line contains questionable usage `threading.Thread.start` in loop. Use threading and multiprocessing with discretion.
File: lib/solnlib/modular_input/modinput.py 
139The following line contains subprocess.Popen.communicate usage. Use threading and multiprocessing with discretion.

check_hostnames_and_ips

File: lib/PySocks-1.7.1.dist-info/METADATA 
70PUBLIC IP 5.5.5.5 is found in lib/PySocks-1.7.1.dist-info/METADATA:70
File: appserver/static/js/build/assets/DashboardPage-BlpUrPDM.css 
1PUBLIC IP 1.49.255.68 is found in appserver/static/js/build/assets/DashboardPage-BlpUrPDM.css:1

check_for_existence_of_python_code_block_in_mako_template

File: appserver/templates/base.html 
Detected use of a third-party Mako template, which poses a critical security risk by allowing arbitrary Python code execution. Remove custom Mako templates.

check_for_insecure_http_calls_in_python

File: lib/cribl_libs.py 
175Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}
File: bin/cribl.py 
337Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_token"]; Keyword arguments, {}
File: bin/cribl.py 
345Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_ssl_certificate_path", "?"]; Keyword arguments, {}
File: bin/cribl.py 
344Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_ssl_verify", "?"]; Keyword arguments, {}
File: bin/cribl.py 
344Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_ssl_verify", "?"]; Keyword arguments, {}
File: lib/cribl_libs.py 
167Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}
File: bin/cribl.py 
307Insecure HTTP Connection found Match: requests.get Positional arguments, ["rbac_roles"]; Keyword arguments, {}
File: bin/cribl.py 
337Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_token"]; Keyword arguments, {}
File: bin/cribl.py 
307Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["rbac_roles"]; Keyword arguments, {}
File: bin/cribl.py 
345Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_ssl_certificate_path", "?"]; Keyword arguments, {}
File: lib/cribl_libs.py 
183Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}

check_for_supported_tls

File: bin/cribl.py 
745Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/solnlib/rest.py 
58Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/cribl_libs.py 
167Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
380Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/ta_trackme_cribl_rh_account_handler.py 
51Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/splunktaucclib/legacy/rest.py 
61Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
728Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/cribl_libs.py 
175Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
684Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
376Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
775Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
721Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/solnlib/splunk_rest_client.py 
153Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
701Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.

check_ucc_dependencies

File: lib/solnlib/__init__.py 
59Detected solnlib (version 7.0.0). No action required.
File: lib/splunktaucclib/__init__.py 
17Detected splunktaucclib (version 8.0.0). No action required.

[ Full Report ]

Checks related to JavaScript usage.

[
success
]
check_for_vulnerable_javascript_library_usage - Detect usage of JavaScript libraries with known vulnerabilities.

Splunk Packaging Toolkit (SLIM) validation This group uses slim to extend the cloud checks for improved auto-vetting.

[
success
]
check_for_nested_apps - Check that nested apps do not exist as they are not valid for self-service install.
[
success
]
check_for_nested_archives - Check that nested archives do not exist as they are not valid for self-service install.
[
success
]
check_that_app_passes_slim_validation_for_cloud - Check that apps can be validated by SLIM or reject, since invalid apps can't be installed in Classic Splunk Cloud.

Malware, viruses, malicious content, user security standards (dynamic checks)

[
success
]
check_for_viruses - Check that the app does not include viruses.

Splunk app packaging standards These checks validate that a Splunk app has been correctly packaged, and can be provided safely for package validation.

[
success
]
check_package_compression - Check that the package is compressed correctly.
[
success
]
check_that_extracted_splunk_app_contains_default_app_conf_file - Check that the extracted Splunk App contains a default/app.conf file.
[
success
]
check_that_extracted_splunk_app_does_not_contain_files_with_invalid_permissions - Check that the extracted Splunk App does not contain any files with incorrect permissions. Files must have the owner's permissions include read and write (600).
[
success
]
check_that_extracted_splunk_app_does_not_contain_invalid_directories - Check that the extracted Splunk App does not contain any directories with incorrect permissions. Directories and subdirectories must have the owner's permissions set to r/w/x (700).
[
success
]
check_that_extracted_splunk_app_does_not_contain_prohibited_directories_or_files - Check that the extracted Splunk App does not contain any directories or files that start with a ., or directories that start with __MACOSX.
[
success
]
check_that_splunk_app_package_does_not_contain_files_outside_of_app - Check that the Splunk App package does not contain any non-app files. Files within a valid app folder or valid dependencies within a .dependencies folder are permitted, all other files are not.
[
success
]
check_that_splunk_app_package_extracts_to_visible_directory - Check that the compressed artifact extracts to a directory that does not start with a . character.
[
success
]
check_that_splunk_app_package_has_read_permission - Check that the Splunk app provided does not contain incorrect permissions. Packages must have the owner's read permission set to r (400).
[
not_applicable
]
check_that_splunk_app_package_has_valid_static_dependencies - Check that the Splunk App package contains only valid dependencies. Dependencies are valid if a .dependencies directory contains only valid app packages inside. 
No ../.dependencies folder found. Please check that the Splunk App package contains only valid dependencies.
[
success
]
check_that_splunk_app_package_name_does_not_start_with_period - Check that the Splunk app provided does not start with a . character.
[
success
]
check_that_splunk_app_package_valid_compressed_file - Check that the Splunk app provided a valid compressed file.
[
not_applicable
]
check_that_splunk_app_package_with_static_dependencies_has_exactly_one_app_folder - Check that the Splunk App package with a .dependencies directory also contains exactly one valid app folder. 
No ../.dependencies folder found. Please add a .dependencies directory with an valid app folder.
[
success
]
check_version_is_valid_semver - Check that the extracted Splunk App contains a default/app.conf file that contains an [id] or [launcher] stanza with a version property that is formatted as Semantic Versioning 2.0.0 (https://semver.org/).
[
success
]
check_that_extracted_splunk_app_does_not_contains_only_app_conf_file - Check that the extracted Splunk App does not contain only app.conf
[
not_applicable
]
check_that_splunk_app_package_with_static_dependencies_has_app_manifest - Check that the Splunk App package with a .dependencies directory also contains an app folder with an app.manifest. 
No ../.dependencies folder found. Please add a .dependencies directory that contains an app folder with an app.manifest.

Authentication.conf file standards Ensure that bindDNpassword is not specified. For more, see authentication.conf.

[
not_applicable
]
check_role_map_should_not_map_splunk_system_role - Check that all map roles defined in authentication.conf do not map to splunk-system-role. 
authentication.conf does not exist
[
not_applicable
]
check_saml_auth_should_not_turn_off_signed_assertion - Check that saml-* stanzas in authentication.conf do not turn off signedAssertion property. 
authentication.conf does not exist
[
not_applicable
]
check_scripted_authentication_has_valid_python_version_property - Check that all the scripted authentications defined in authentication.conf explicitly set the python.version to one of: python3, python3.7, python3.9 as required. 
authentication.conf does not exist
[
success
]
check_for_o11y_roles - Check that authorize.conf does not contain any o11y role stanzas. O11y role is one of o11y_admin, o11y_power, o11y_read_only or o11y_usage.

Authorize.conf file standards Ensure that the authorize configuration file located in the /default folder is well-formed and valid. For more, see authorize.conf.

[
success
]
check_authorize_conf_capability_not_modified - Check that authorize.conf does not contain any modified capabilities.
[
success
]
check_authorize_conf_has_no_o11y_capabilities - Checks that authorize.conf has no capabilities starting with o11y_.
[
success
]
check_authorize_conf_role_names - Checks that roles defined in authorize.conf match the specification.
[
success
]
check_delete_indexes_allowed - Check that roles do not permit deletion of events from the internal indexes.
[
success
]
check_authorize_conf_has_no_user_configurable_stanza - Check that authorize.conf does not contain [commands:user_configurable] stanza. This configuration can be used to disable nsjail, which is prohibited in Splunk Cloud.

Binary file standards

[
success
]
check_idx_binary_compatibility - Checks that binaries that are distributed to the IDX tier of a distributed Splunk platform deployment are compatible with aarch64.
[
not_applicable
]
check_requires_adobe_flash - Check that the app does not use Adobe Flash files. 
Didn't find any flash files.

Cloud operations simple application check This group serves to help validate simple applications in an effort to try and automate the validation process for cloud operations.

[
not_applicable
]
check_alert_actions_conf_for_alert_execute_cmd_properties - Check that commands referenced in the alert.execute.cmd property of all alert actions are checked for compliance with Splunk Cloud security policy. Prevent alert_actions.conf from being used to execute malicious commands. 
alert_actions.conf does not exist
[
success
]
check_authorize_conf_admin_all_objects_privileges - Check that authorize.conf does not grant excessive administrative permissions to the user. Prevent roles from gaining unauthorized permissions.
[
success
]
check_command_scripts_exist_for_cloud - Check that custom search commands have an executable or script per stanza.
[
success
]
check_default_data_ui_file_allow_list - Check that directories under data/ui contain only allowed files. Ensure unnecessary, unwanted files are not bundled in the app inappropriately.
[
not_applicable
]
check_distsearch_conf_for_concerning_replicated_file_size - Check if concerningReplicatedFileSize in distsearch.conf is larger than 50 MB. 
distsearch.conf does not exist
[
success
]
check_import_roles_and_grantable_roles_for_builtin_roles - Check that authorize.conf does not contain importRoles and grantableRoles for any built-in roles. Modifying the inheritance of the default roles in Splunk can have potentially severe consequences, including privilege escalation.
[
not_applicable
]
check_indexes_conf_only_uses_splunk_db_variable - Check that indexes defined in indexes.conf use relative paths starting with $SPLUNK_DB 
indexes.conf does not exist
[
not_applicable
]
check_inputs_conf_batch_has_required_attributes - Check that batch input has required attributes. The following key/value pair is required for batch inputs: move_policy = sinkhole 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_batch - Check that batch inputs access files in a permitted way. To be permissible, the batch input must be either application specific (i.e. any file in the subtree of $SPLUNK_HOME/etc/apps/<my_app>) or belong to the subtree of $SPLUNK_HOME/var/spool and not include .stash or .stash_new files. 
inputs.conf does not exist
[
not_applicable
]
check_lookups_allow_list - Check that lookups/ contains only approved file types (.csv, .csv.default, .csv.gz, .csv.tgz, .kmz) or files formatted as valid csv. Ensure malicious files are not passed off as lookup files. 
The `lookups` directory does not exist.
[
success
]
check_metadata_allow_list - Check that the metadata/ directories only contain default.meta and local.meta files and do not contain any subdirectories. Ensure malicious files are not passed off as metadata files.
[
not_applicable
]
check_scripted_inputs_cmd_path_pattern - Check the cmd path pattern of scripted input defined in inputs.conf. 
`inputs.conf` does not exist.
[
not_applicable
]
check_scripted_inputs_python_version - Check that python version is set to one of: python3, python3.7, python3.9 as required for scripted inputs defined in inputs.conf. 
inputs.conf does not exist
[
success
]
check_setup_xml - Check that setup.xml does not exist in the app default or local folders.
[
not_applicable
]
check_stanza_of_authentication_conf - Check that only role-mapping stanza is allowed in authentication.conf as long as it doesn't map users to a cloud-internal role. 
authentication.conf does not exist
[
success
]
check_static_directory_file_allow_list - Check that the static/ directory does not contains any subdirectories and contains only known file types. Ensure malicious files are not passed off as metadata files.
[
not_applicable
]
check_audit_conf_deny_list - Check that the app does not create audit. 
audit.conf does not exist
[
success
]
check_authorize_conf_for_tokens_auth - Check that authorize.conf does not contain a [tokens_auth] stanza
[
not_applicable
]
check_bookmarks_conf_deny_list - Check that the app does not create bookmarks. 
bookmarks.conf does not exist
[
not_applicable
]
check_datatypesbnf_conf_deny_list - Check that the app does not create datatypesbnf. 
datatypesbnf.conf does not exist
[
not_applicable
]
check_default_mode_conf_deny_list - Check that the app does not create default-mode. 
default-mode.conf does not exist
[
not_applicable
]
check_deploymentclient_conf_deny_list - Check that the app does not create deploymentclient. 
deploymentclient.conf does not exist
[
not_applicable
]
check_deployment_conf_deny_list - Check that the app does not create deployment. 
deployment.conf does not exist
[
not_applicable
]
check_for_index_volume_usage - Check that indexes.conf does not declare volumes. 
indexes.conf.conf does not exist
[
not_applicable
]
check_for_inputs_fifo_usage - Check that default/inputs.conf or local/inputs.conf or users/<username>/local/inputs.conf does not contain any fifo:// stanzas. 
inputs.conf.conf does not exist
[
not_applicable
]
check_health_conf_deny_list - Check that the app does not create health. 
health.conf does not exist
[
not_applicable
]
check_inputs_conf_for_fschange - Check that default/inputs.conf or local/inputs.conf or users/<username>/local/inputs.conf does not contain any fschange:// stanzas. 
inputs.conf.conf does not exist
[
not_applicable
]
check_inputs_conf_for_http_global_usage - Check that inputs.conf does not contain a [http] stanza 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_http_inputs - Apps cannot ship a configured HEC token in inputs.conf. HEC tokens must be created by stack admins via ACS. Refer: https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/UsetheHTTPEventCollectorRemove [http://] stanza from inputs.conf. 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_remote_queue_monitor - Check that inputs.conf does not have any remote_queue inputs. 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_splunk_tcp - Check that default/inputs.conf or local/inputs.conf or users/<username>/local/inputs.conf does not contain any splunktcp:// stanzas. 
inputs.conf.conf does not exist
[
not_applicable
]
check_inputs_conf_for_splunktcptoken - Check that inputs.conf does not contain a splunktcptoken stanza. 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_ssl - Check that inputs.conf does not have any SSL inputs. 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_for_tcp - Check that default/inputs.conf or local/inputs.conf or users/<username>/local/inputs.conf does not contain any tcp:// stanzas. 
inputs.conf.conf does not exist
[
not_applicable
]
check_inputs_conf_for_udp - Check that inputs.conf does not have any UDP inputs. 
inputs.conf does not exist
[
not_applicable
]
check_instance_cfg_conf_deny_list - Check that the app does not create instance.cfg. 
instance.cfg.conf does not exist
[
not_applicable
]
check_introspection_of_cloud_filesystem - Check that the app does not create crawl. 
crawl.conf does not exist
[
success
]
check_java_sdk_version - Check that Splunk SDK for Java is up-to-date.
[
not_applicable
]
check_literals_conf_deny_list - Check that the app does not create literals. 
literals.conf does not exist
[
not_applicable
]
check_messages_conf_deny_list - Check that the app does not create messages. 
messages.conf does not exist
[
not_applicable
]
check_modular_inputs_scripts_exist_for_cloud - Check that there is a script file in bin/ for each modular input defined in README/inputs.conf.spec. 
No `inputs.conf.spec` was detected.
[
not_applicable
]
check_passwords_conf_deny_list - Check that the app does not create passwords. 
passwords.conf does not exist
[
not_applicable
]
check_pubsub_conf_deny_list - Check that the app does not create pubsub. 
pubsub.conf does not exist
[
not_applicable
]
check_segmenters_conf_deny_list - Check that app does not contain segmenters.conf with Splunk-defined stanza. 
segmenters.conf does not exist
[
not_applicable
]
check_serverclass_conf_deny_list - Check that the app does not create serverclass. 
serverclass.conf does not exist
[
not_applicable
]
check_serverclass_seed_xml_conf_deny_list - Check that the app does not create serverclass.seed.xml. 
serverclass.seed.xml.conf does not exist
[
not_applicable
]
check_source_classifier_conf_deny_list - Check that the app does not create source-classifier. 
source-classifier.conf does not exist
[
not_applicable
]
check_sourcetypes_conf_deny_list - Check that the app does not create sourcetypes. 
sourcetypes.conf does not exist
[
not_applicable
]
check_splunk_launch_conf_deny_list - Check that the app does not create splunk-launch. 
splunk-launch.conf does not exist
[
not_applicable
]
check_telemetry_conf_deny_list - Check that the app does not create telemetry. 
telemetry.conf does not exist
[
success
]
check_that_app_contains_any_windows_specific_components - Check that the app contains MS Windows specific components, which will not function correctly in Splunk Cloud whose OS should be Linux x64.
[
success
]
check_that_no_configurations_of_default_source_type_in_props_conf - Check that the app does not contain configurations of default source type in props.conf, which will overwrite the configurations in system/default/props.conf and may affect other apps.
[
not_applicable
]
check_transforms_conf_for_external_cmd - Check that transforms.conf does not contain any transforms with malicious command scripts specified by external_cmd=<string> attribute. 
`default/transforms.conf` does not exist.
[
not_applicable
]
check_user_seed_conf_deny_list - Check that the app does not create user-seed. 
user-seed.conf does not exist
[
not_applicable
]
check_wmi_conf_deny_list - Check that the app does not create wmi. 
wmi.conf does not exist
[
not_applicable
]
check_workload_pools_conf_deny_list - Check that the app does not create workload_pools. 
workload_pools.conf does not exist
[
not_applicable
]
check_workload_rules_conf_deny_list - Check that the app does not create workload_rules. 
workload_rules.conf does not exist

Checking for Front-end Libraries This check looks for various front-end libraries inside of apps. As of 03/23/2022, we are looking at Splunk UI, and it's predecessor, SplunkJS. This is currently an INFORMATIONAL Check. Updated on 04/17/2023 This check now is expanded to look for several other critical front-end libraries. 1. We have expanded the regex matching to be more inline with all the UDF Packages https://splunkui.splunk.com/Packages/dashboard-docs/?path=%2FFAQ 2. We have added a few other critical packages (@splunk/react-search, @splunk/react-time-range, @splunk/search-job, @splunk/ui-utils, @splunk/splunk-utils, @splunk/moment) 3. We have expanded the regex matching to be more inline with more of the Visualizations packages.

[
success
]
check_for_splunk_dashboard_core - Check that @splunk/dashboard-core is being used.
[
success
]
check_for_splunk_frontend_utility_components - Check for usage of utility components.
[
warning
]
check_for_splunk_js - Check that SplunkJS is being used.
File: appserver/static/js/build/entry_page.js 
256Splunk has begun gathering telemetry on apps submitted to appinspect, that utilize SplunkJS. Please ignore this warning as it has no impact to your Splunk app. Match: splunkjs/mvc
[
success
]
check_for_splunk_sui - Check that SUI is being used.
[
success
]
check_for_splunk_visualizations - Check that @splunk/visualizations is being used.

Check for git conflict related issue

[
success
]
check_for_git_merge_conflict_in_app - Check no git merge conflict is present

ITSI module verification

[
success
]
check_for_itsi_modules - Check that the app does not contain an ITSI module.

JavaScript file standards

[
not_applicable
]
check_javascript_sdk_version - Check that Splunk SDK for JavaScript is up-to-date. 
Splunk SDK for JavaScript not found.
[
success
]
check_for_telemetry_metrics_in_javascript - Check for usages of telemetry metrics in JavaScript
[
success
]
check_telemetry_endpoint_usage_in_javascript - Check that app does not use REST endpoint to collect and send telemetry data.

jQuery vulnerabilities

[
success
]
check_hotlinking_splunk_web_libraries - Check that the app files are not importing files directly from the search head.
[
success
]
check_html_dashboards - Check for HTML dashboards, which are deprecated.
[
success
]
check_simplexml_standards_version - Check that the dashboards in your app have a valid version attribute.

Limits.conf file standards Ensure that /default/limits.conf or local/limits.conf file is omitted. When included in the app, the limits.conf file changes the limits that are placed on the system for hardware use and memory consumption, which is a task that should be handled by Splunk administrators and not by Splunk app developers. For more, see limits.conf.

[
not_applicable
]
check_limits_conf - Check that default/limits.conf or local/limits.conf or users/<username>/local/limits/conf has not been included. 
limits.conf does not exist

Outputs.conf file standards Ensure that the outputs.conf file located in the /default folder of the app is well-formed and valid. For more, see outputs.conf.

[
not_applicable
]
check_if_outputs_conf_exists - Check that forwarding enabled in 'outputs.conf' is failed in cloud 
outputs.conf does not exist

SPL2-specific checks This group includes checks for validating SPL2 files.

[
not_applicable
]
check_run_as_owner - Check that no SPL2 modules have @run_as_owner; annotation enabled. 
data/spl2 does not exist
[
success
]
check_spl2_usage - Check if the app contains any SPL2 code.

Deprecated features from Splunk Enterprise 10.0.0 The following features should not be supported in Splunk 10.0.0 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
not_applicable
]
check_for_js_in_saved_searches_action_script - Check that savedsearch.conf stanzas do not set action.script.filename to a JS script. 
savedsearches.conf does not exist
[
not_applicable
]
check_invoking_bundled_node - Check that there are no invocations of a Splunk NodeJS binary in any of the app files. 
No invocations of bundled NodeJS binary found.
[
not_applicable
]
check_js_custom_alert_actions - Check that each custom alert action is not calling a JS script, which requires a Splunk NodeJS Binary. 
alert_actions.conf does not exist
[
success
]
check_js_use_in_custom_search_commands - Check that there are no custom search commands that invoke a JS script.
[
not_applicable
]
check_js_use_in_modular_inputs - Check that there are no modular inputs invoking a JS script. 
No `inputs.conf.spec` file exists.
[
not_applicable
]
check_js_use_in_scripted_inputs - Check that there are no scripted inputs invoking a JS script. 
inputs.conf does not exist
[
success
]
check_for_outdated_ssl_tls - Connections using ssl3, tls1.0, tls1.1 are deprecated since Splunk 10.0 due to the OpenSSL dependency being updated to 3.0. Only valid TSL/SSL version is tls1.2.

Deprecated features from Splunk Enterprise 5.0 The following features should not be supported in Splunk 5.0 or later.

[
success
]
check_deprecated_eventtype_autodiscovering - Check for use of findtypes SPL command in .conf files and SimpleXML.
[
not_applicable
]
check_for_savedsearches_used_in_eventtypes_conf - Check that saved searches are not used within event types. https://docs.splunk.com/Documentation/Splunk/5.0/ReleaseNotes/Deprecatedfeatures https://docs.splunk.com/Documentation/Splunk/7.2.5/Knowledge/Abouteventtypes 
eventtypes.conf does not exist

Deprecated features from Splunk Enterprise 6.0 The following features should not be supported in Splunk 6.0 or later.

[
not_applicable
]
check_crawl_conf_deny_list - Check that app does not contain crawl.conf as it was deprecated & removed in Splunk. 
crawl.conf does not exist
[
not_applicable
]
check_for_viewstates_conf - Check that viewstates.conf does not exist at local/viewstates.conf, default/viewstates.conf or users/<username>/local/viewstates.conf in the app. (https://docs.splunk.com/Documentation/Splunk/6.0/AdvancedDev/Migration#Viewstates_are_no_longer_supported_in_simple_XML) 
viewstates.conf does not exist

Deprecated features from Splunk Enterprise 6.1 The following features should not be supported in Splunk 6.1 or later.

[
success
]
check_for_datamodel_acceleration_endpoint_usage - Check that deprecated datamodel/acceleration is not used. https://docs.splunk.com/Documentation/Splunk/6.2.0/RESTREF/RESTknowledge

Deprecated features from Splunk Enterprise 6.2 The following features should not be supported in Splunk 6.2 or later. https://docs.splunk.com/Documentation/Splunk/6.2.0/ReleaseNotes/Deprecatedfeatures

[
success
]
check_for_dashboard_xml_list_element - Check Dashboard XML files for <list> element. <list>was deprecated in Splunk 6.2 and removed in Splunk 6.5.
[
success
]
check_for_earliest_time_and_latest_time_elements_in_dashboard_xml - Check for the deprecated <earliestTime> and <latestTime> elements in dashboard XML files.As of version 6.2 these elements are replaced by <earliest> and <latest> elements.
[
success
]
check_for_populating_search_element_in_dashboard_xml - Check for the deprecated <populatingSearch> and <populatingSavedSearch> elements in dashboard XML files.Use the <search> element instead.
[
success
]
check_for_simple_xml_row_grouping - Check for the deprecated grouping attribute of row node in Simple XML files.Use the <panel> node instead.

Deprecated features from Splunk Enterprise 6.3 These following features should not be supported in Splunk 6.3 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
not_applicable
]
check_for_run_script_alert_action - Check for use of running a script in alert action 
savedsearches.conf does not exist
[
success
]
check_for_django_bindings - Check for use of Django bindings.
[
success
]
check_for_simple_xml_chart_element_with_deprecated_option_names - Check for Simple XML <chart> panels with deprecated options charting.axisLabelsY.majorTickSize or charting.axisLabelsY.majorLabelVisibility.
[
success
]
check_for_simple_xml_option_element_with_name_previewresults - Check for the deprecated <option name='previewResults'> in Simple XML files.
[
success
]
check_for_simple_xml_seed_element - Check for the deprecated <seed> option in Simple XML forms. Use the <initialValue> element instead.

Deprecated features from Splunk Enterprise 6.4 The following features should not be supported in Splunk 6.4 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
success
]
check_for_noninteger_height_option - Check that <option name="height"> uses an integer for the value.Do not use <option name="height">[value]px</option>.
[
success
]
check_for_simple_xml_single_element_with_deprecated_option_names - Check Simple XML files for <single> panels with deprecated options'additionalClass', 'afterLabel', 'beforeLabel', 'classField', 'linkFields','linkSearch', 'linkView'
[
success
]
check_web_conf_for_simple_xml_force_flash_charting - Check that web.conf does not use the simple_xml_force_flash_chartingproperty.
[
success
]
check_web_conf_for_simple_xml_module_render - Check that web.conf does not use the simple_xml_module_renderproperty.
[
success
]
check_for_splunk_js_d3chartview - Checks that views are not importing d3chartview.
[
success
]
check_for_splunk_js_googlemapsview - Checks that views are not importing googlemapsview.

Deprecated features from Splunk Enterprise 6.5 The following features should not be supported in Splunk 6.5 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
success
]
check_for_dashboard_xml_option_element_with_deprecated_attribute_value - Check Dashboard XML files for <option> element with the deprecated option value "refresh.auto.interval" i.e. <option name="refresh.auto.interval">

Deprecated or removed features from Splunk Enterprise 6.6 The following features should not be supported in Splunk 6.6 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
not_applicable
]
check_for_autolb_setting_in_outputs_conf - Check removed support for setting autoLB in outputs.conf 
outputs.conf does not exist
[
success
]
check_for_app_install_endpoint - Check apps/appinstall usages
[
success
]
check_for_displayrownumbers_in_simple_xml - Check existence for displayRowNumbers option in simple xml. This option is no longer supported since Splunk 6.6.

Deprecated features from Splunk Enterprise 7.1 The following features should not be supported in Splunk 7.1 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
success
]
check_for_input_command_usage - Check for use of input SPL command in .conf files and SimpleXML.

Deprecated features from Splunk Enterprise 7.2 The following features should not be supported in Splunk 7.2 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
not_applicable
]
check_for_deprecated_literals_conf - Check deprecated literals.conf existence. 
literals.conf does not exist

Deprecated features from Splunk Enterprise 7.3 The following features should not be supported in Splunk 7.3 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
success
]
check_for_tscollect_command_usage - Check for use of tscollect SPL command in .conf files and SimpleXML.

Deprecated features from Splunk Enterprise 8.0 The following features should not be supported in Splunk 8.0.0 or later. For more, see Deprecated features and Changes for Splunk App developers.

[
success
]
check_for_advanced_xml_module_elements - Check that there is no Advanced XML, which was deprecated in Splunk Enterprise 6.3.
[
success
]
check_for_cherry_py_custom_controller_web_conf_endpoints - Check for the existence of custom CherryPy endpoints, which must be upgraded tobe Python 3-compatible for the Splunk Enterprise 8.0.
[
warning
]
check_for_python_script_existence - Check for the existence of Python scripts, which must be upgraded to be cross-compatible with Python 2 and 3 for Splunk Enterprise 8.0. 
180 Python files found. Update these Python scripts to be cross-compatible with Python 2 and 3 for Splunk Enterprise 8.0. See https://docs.splunk.com/Documentation/Splunk/latest/Python3Migration/AboutMigration for more information. If you've finished your update, please disregard this message.
[
success
]
check_for_removed_m2crypto_usage - Check for the existence of the M2Crypto package usage, which is removed in the Splunk Enterprise 8.0.

Web.conf File Standards Ensure that web.conf is safe for cloud deployment and that any exposed patterns match endpoints defined by the app - apps should not expose endpoints other than their own. Including web.conf can have adverse impacts for cloud. Allow only [endpoint:*] and [expose:*] stanzas, with expose only containing pattern= and methods= properties. - web.conf

[
success
]
check_cherrypy_controllers - Check that web.conf does not contain any custom CherryPy controllers.
[
success
]
check_web_conf - Check that web.conf only defines [endpoint:] and [expose:]stanzas, with [expose:*] only containing pattern= and methods=.

Modular inputs structure and standards Modular inputs are configured in an inputs.conf.spec file located in the /README directory of the app. For more, see Modular inputs overview, Modular inputs configuration, and Modular inputs basic example.

[
not_applicable
]
check_for_modular_inputs - Check if inputs.conf.spec includes modular inputs. 
README/inputs.conf.spec does not exist.
[
not_applicable
]
check_for_scripted_inputs - Check if inputs.conf includes scripted inputs. 
inputs.conf does not exist
[
not_applicable
]
check_inputs_conf_spec_stanzas_has_python_version_property - Check that all the modular inputs defined in inputs.conf.spec explicitly set the python.version to one of: python3, python3.7, python3.9 as required. 
No `inputs.conf.spec` file exists.

JSON file standards

[
success
]
check_validate_json_data_is_well_formed - Check that all JSON files are well-formed.

Lookup file standards Lookups add fields from an external source to events based on the values of fields that are already present in those events.

[
not_applicable
]
check_for_lookups_file_name - Check that no two files/directories under the lookups directory have this naming pattern respectively:xxx and xxx.default - with the only difference in the .default extension.During the installation of an app in Splunk Cloud, a lookup file will be temporarily renamed to append an additional.default extension to it, which will cause error if a namesake file already exists. 
lookups folder does not exist

Saved search standards Saved searches are defined in a savedsearches.conf file located in the /default and /local directory of the app. For more, see Save and share your reports and savedsearches.conf.

[
not_applicable
]
check_for_gratuitous_cron_scheduling - check that savedsearches.conf searches are cron scheduledreasonably. Less than five asterisks should be used. 
savedsearches.conf does not exist
[
not_applicable
]
check_for_real_time_saved_searches_for_cloud - Check that no real-time pre-index saved searches are being used insavedsearches.conf. Real-time pre-index saved searches are extremelysystem intensive and should be avoided. 
savedsearches.conf does not exist
[
not_applicable
]
check_for_sched_saved_searches_action_script_filename - Check that savedsearch.conf stanzas do not contain action.script.filename option 
savedsearches.conf does not exist
[
not_applicable
]
check_for_sched_saved_searches_earliest_time - Check that if a scheduled saved search in savedsearch.conf contains dispatch.earliest_time option, or if a scheduled saved search with auto summary enabled contains auto_summarize.dispatch.earliest_time option 
savedsearches.conf does not exist
[
not_applicable
]
check_for_sched_saved_searches_latest_time - Check that if a savedsearch.conf stanza contains scheduling optionsit does contain a dispatch.latest_time 
savedsearches.conf does not exist
[
not_applicable
]
check_for_saved_searches_populate_lookup - Check that savedsearch.conf stanza do not contain action.populate_lookup option`. 
savedsearches.conf does not exist

App.conf standards The app.conf file located at default/app.conf provides key application information and branding. For more, see app.conf.

[
success
]
check_custom_conf_replication - Check that custom .conf files have a a matching conf_replication_include.<conf_file_name> value in server.conf, under the [shclustering] stanza, to ensure that configurations are synchronized across Search Head Clusters.
[
success
]
check_for_default_splunk_app - Check that id attribute under the package stanza in app.conf does not match with the Splunk Default App names
[
success
]
check_for_trigger_stanza - Check that default/app.conf, local/app.conf and all users/<username>/local/app.conf don't have a reload.<CONF_FILE>, where CONF_FILE is a non-custom conf. (https://docs.splunk.com/Documentation/Splunk/latest/Admin/Appconf#.5Btriggers.5D)
[
success
]
check_for_valid_package_id - Check that the [package] stanza in app.conf has a valid id value.See https://docs.splunk.com/Documentation/Splunk/latest/Admin/Appconf for details.
[
success
]
check_for_valid_ui_label - Check that the default/app.conf or local/app.conf or users/<username>/local/app.conf contains a label key value pair in the [ui] stanza and the length is between 5 and 80 characters inclusive.
[
success
]
check_reload_trigger_for_all_custom_confs - Check that custom config files have a corresponding reload trigger in app.conf. Without a reload trigger the app will request a restart on any change to the config file, which may be a negative experience for end-users.
[
success
]
check_reload_trigger_for_meta - Check that stanzas in files under metadata folder describing custom config files have corresponding reload triggers in app.conf. Without a reload trigger the app will request a restart on any change to the config file or a corresponding stanza, which may be a negative experience for end-users.
[
not_applicable
]
check_no_install_source_checksum - Check in default/app.conf, 'local/app.conf' and each users/<username>/local/app.conf, that install_source_checksum not be set explicitly. 
`local/app.conf` does not exist.
[
not_applicable
]
check_no_install_source_local_checksum - Check in default/app.conf, 'local/app.conf' and each `users/<username/local/app.conf, that install_source_local_checksum not be set explicitly. 
`local/app.conf` does not exist.
[
success
]
check_that_setup_has_not_been_performed - Check that default/app.conf setting is_configured = False.

Directory structure standards Ensure that the directories and files in the app adhere to hierarchy standards.

[
success
]
check_that_local_does_not_exist - Check that the 'local' directory does not exist. All configuration should be in the 'default' directory.
[
success
]
check_filenames_for_spaces - Check that app has no .conf or dashboard filenames that contain spaces. Splunk software does not support such files.
[
success
]
check_that_users_does_not_exist - Check that the 'users' directory does not exist. All configuration should be in the 'default' directory.
[
success
]
check_for_local_meta - Check that the file 'local.meta' does not exist. All metadata permissions should be set in 'default.meta'.
[
success
]
check_that_app_name_config_is_valid - Check that the app name does not start with digits
[
not_applicable
]
check_that_local_passwords_conf_does_not_exist - Check that local/passwords.conf or `users//local/passwords.conf does not exist. Password files are not transferable between instances. 
The local directory does not exist.

Configuration file standards Ensure that all configuration files located in the /default folder are well-formed and valid.

[
not_applicable
]
check_collections_conf_for_specified_name_field_type - Check that the field type in field.<name> settings in collections.conf is valid. Only number, bool, string and time are allowed. 
collections.conf does not exist
[
not_applicable
]
check_collections_conf - Check if collections.conf exists. 
collections.conf does not exist
[
success
]
check_config_file_parsing_public - Check that all config files parse cleanly - no trailing whitespace after continuations, no duplicated stanzas or options.
[
success
]
check_manipulation_outside_of_app_container - Check that app conf files do not point to files outside the app container. Because hard-coded paths won't work in Splunk Cloud, we don't consider to check absolute paths.
[
success
]
check_no_default_stanzas - Check that app does not contain any .conf files that create global definitions using the [default] stanza.

Indexes.conf file standards Ensure that the index configuration file located in the /default and /local folder is well-formed and valid. For more, see indexes.conf.

[
not_applicable
]
check_coldToFrozenScript_has_valid_python_version_property - Check that all the coldToFrozenScript in indexes.conf are explicitly set the python.version to one of: python3, python3.7, python3.9 as required. 
indexes.conf does not exist
[
not_applicable
]
check_indexes_conf_properties - Check that indexes.conf only contains the required 'homePath', 'coldPath', and 'thawedPath' properties or the optional 'frozenTimePeriodInSecs', 'disabled', 'datatype' and 'repFactor' properties. All other properties are prohibited. Also, if 'repFactor' property exists, its value should be 'auto'. 
indexes.conf does not exist
[
not_applicable
]
check_lower_cased_index_names - Check that all index names consist only of lowercase characters, numbers, underscores and hyphens. They cannot begin with an underscore or hyphen, or contain the word 'kvstore'. If index names have any uppercase characters any attempts to edit the index in the UI will cause a duplicate index stanza creation which will cause many errors in Splunk. 
indexes.conf does not exist
[
not_applicable
]
check_validate_default_indexes_not_modified - Check that no default Splunk indexes are modified by the app. 
indexes.conf does not exist

Meta file standards Ensure that all meta files located in the /metadata folder are well-formed and valid.

[
success
]
check_meta_default_write_access - Check that the global write access in .meta does not allow any authenticated user to write to the knowledge objects under the application.
[
success
]
check_kos_are_accessible - Check that knowledge objects with access control restrictions defined in *.meta files are accessible to customers in Splunk Cloud.

Props Configuration file standards Ensure that all props.conf files located in the default (or local) folder are well-formed and valid. props.conf transforms.conf

[
success
]
check_pretrained_sourcetypes_have_only_allowed_transforms - Check that pretrained sourctypes in props.confhave only 'TRANSFORM-' or 'SEDCMD' settings,and that those transforms only modify the host, source, or sourcetype.
[
warning
]
check_props_conf_has_no_prohibited_characters_in_sourcetypes - Check that the sourcetypes in props.conf do not contain any special characters. Sourcetypes with names containing <>?&# might not be visible.
File: default/props.conf 
24Found a special character in [(?::){0}cribl:custom_commands:*] stanza in props.conf. Sourcetype names containing <>?&# might not be visible. Rename the stanza to not contain any special characters.
[
success
]
check_props_conf_unarchive_cmd_is_not_set - Check that props.conf does not contain unarchive_cmd settings with invalid_cause set to archive.
[
not_applicable
]
check_props_conf_has_no_ingest_eval_lookups - Check that the props.conf does not contain lookup() usage in INGEST_EVAL options. This feature is not available in Splunk Cloud. For example: [lookup1] INGEST_EVAL= status_detail=lookup("http_status.csv", json_object("status", status), json_array("status_description")) 
No INGEST_EVAL properties were declared.

Server configuration file standards Ensure that server.conf is well-formed and valid. For detailed information about the server configuration file, see server.conf.

[
success
]
check_server_conf_only_contains_custom_conf_sync_stanzas_or_diag_stanza - Check that server.conf in an app is only allowed to contain: 1. conf_replication_include. in [shclustering] stanza 2. or EXCLUDE- property in [diag] stanza,

Alert actions structure and standards Custom alert actions are defined in an alert_actions.conf file located in the /default directory of the app. For more, see Custom alert actions overview and alert_actions.conf.

[
not_applicable
]
check_for_explicit_exe_args - Check whether any custom alert actions have executable arguments. 
alert_actions.conf does not exist
[
not_applicable
]
check_alert_actions_exe_exist - Check that each custom alert action has a valid executable. If it does, further check if the executable is Python script. If it does, further check it's Python 3 compatible. 
No `alert_actions.conf` was detected.
[
success
]
check_for_payload_format - Check that each custom alert action's payload format has a value of xml or json.

Custom search command structure and standards Custom search commands are defined in a commands.conf file in the /default directory of the app. For more, see About writing custom search commands and commands.conf.

[
success
]
check_command_scripts_python_version - Check that commands.conf must explicitly define the python.version to be one of: python3, python3.7, python3.9 as required for each python-scripted custom command.

Custom workflow actions structure and standards Custom workflow actions are defined in a workflow_actions.conf file in the /default directory of the app. For more, see About lookups and workflow_actions.conf.

REST endpoints and handler standards REST endpoints are defined in a restmap.conf file in the /default and /local directory of the app. For more, see restmap.conf.

[
success
]
check_restmap_conf_exists - Check that restmap.conf file exists at default/restmap.conf, local/restmap.conf and users//local/restmap.conf` when using REST endpoints.
[
success
]
check_rest_handler_python_executable_exists - Check that python.version is set to one of: python3, python3.7, python3.9 as required, for executables in restmap.conf.
[
success
]
check_rest_handler_scripts_exist_for_cloud - Check that each stanza in restmap.conf has a matching handler script.

Data model files and configurations Data models are defined in a datamodels.conf file in the /default directory of the app. For more, see About data models and datamodels.conf.

[
not_applicable
]
check_for_datamodel_acceleration - Check that the use of accelerated data models do not occur. If data model acceleration is required, developers should provide directions in documentation for how to accelerate data models from within the Splunk Web GUI. data model acceleration 
datamodels.conf does not exist

Python file standards

[
success
]
check_all_python_files_are_well_formed - Check all python files are well-formed under python3 standard.
[
not_applicable
]
check_prohibited_python_filenames - Check that builtin modules are not overridden. 
No forbidden python files were found.
[
warning
]
check_python_sdk_version - Check that Splunk SDK for Python is up-to-date.
File: lib/splunklib/__init__.py 
35Splunk SDK for Python detected (version 2.1.1). No action required at this time.
[
success
]
check_for_compiled_python - Check that there are no .pyc or .pyo files included in the app.
[
success
]
check_for_custom_python_interpreters - Check custom python interpreters usage.
[
success
]
check_for_debugging_and_profiling - Check debugging libraries usage.
[
success
]
check_for_optional_operating_system_services - Check for features that are available on selected operating systems only.
[
warning
]
check_for_possible_threading - Check for the use of threading, and multiprocesses. Threading or process must be used with discretion and not negatively affect the Splunk installation as a whole.
File: lib/solnlib/splunkenv.py 
346The following line contains subprocess.Popen usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/modular_input/modinput.py 
139The following line contains subprocess.Popen usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/splunkenv.py 
349The following line contains subprocess.Popen.communicate usage. Use threading and multiprocessing with discretion.
File: lib/solnlib/concurrent/thread_pool.py 
166The following line contains questionable usage `threading.Thread.start` in loop. Use threading and multiprocessing with discretion.
File: lib/solnlib/modular_input/modinput.py 
139The following line contains subprocess.Popen.communicate usage. Use threading and multiprocessing with discretion.
[
success
]
check_for_program_frameworks - Check program frameworks usage.
[
success
]
check_for_python_multimedia_services - Check multimedia modules usage.
[
success
]
check_for_python_udp_network_communications - Check for UDP network communication
[
success
]
check_for_root_privilege_escalation - Check possible root privilege escalation
[
not_applicable
]
check_python_httplib2_version - Check python httplib2 version. 
Python httplib2 library not found.

addon_builder.conf standards The addon_builder.conf file located at default/addon_builder.conf provides the information about the Add-on Builder associated with the Splunk App.

[
not_applicable
]
check_for_addon_builder_version - Checks that the addon_builder.conf contains an builder version number between 4.5.0 and 4.5.1 in the [base] stanza. Ensure that apps built with Add-on Builder are maintained with an up-to-date version of Add-on Builder. 
addon_builder.conf does not exist

Malware, viruses, malicious content, user security standards (static checks)

[
warning
]
check_hostnames_and_ips - Check that no sensitive hostnames/IPs are stored in the app.
File: lib/PySocks-1.7.1.dist-info/METADATA 
70PUBLIC IP 5.5.5.5 is found in lib/PySocks-1.7.1.dist-info/METADATA:70
File: appserver/static/js/build/assets/DashboardPage-BlpUrPDM.css 
1PUBLIC IP 1.49.255.68 is found in appserver/static/js/build/assets/DashboardPage-BlpUrPDM.css:1

Operating system standards

[
success
]
check_destructive_commands - Check for the use of malicious shell commands in configuration files or shell scripts to corrupt the OS or Splunk instance. Other scripting languages are covered by other checks.
[
success
]
check_runshellscript_command - Check that runshellscript command is not used. This command is considered risky because, if used incorrectly, it can pose a security risk or potentially lose data when it runs.

Security vulnerabilities

[
not_applicable
]
check_for_camel_jars - Check for vulnerable Apache Camel dependencies. 
No pom.xml, build.gradle or build.gradle.kts file found
[
warning
]
check_for_existence_of_python_code_block_in_mako_template - Check for deprecated third-party Mako templates that allow arbitrary Python code execution through Splunk's CherryPy process, creating critical security vulnerabilities.
File: appserver/templates/base.html 
Detected use of a third-party Mako template, which poses a critical security risk by allowing arbitrary Python code execution. Remove custom Mako templates.
[
warning
]
check_for_insecure_http_calls_in_python - Check for insecure HTTP calls in Python.
File: lib/cribl_libs.py 
175Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}
File: bin/cribl.py 
337Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_token"]; Keyword arguments, {}
File: bin/cribl.py 
345Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_ssl_certificate_path", "?"]; Keyword arguments, {}
File: bin/cribl.py 
344Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_ssl_verify", "?"]; Keyword arguments, {}
File: bin/cribl.py 
344Insecure HTTP Connection found Match: requests.get Positional arguments, ["cribl_ssl_verify", "?"]; Keyword arguments, {}
File: lib/cribl_libs.py 
167Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}
File: bin/cribl.py 
307Insecure HTTP Connection found Match: requests.get Positional arguments, ["rbac_roles"]; Keyword arguments, {}
File: bin/cribl.py 
337Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_token"]; Keyword arguments, {}
File: bin/cribl.py 
307Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["rbac_roles"]; Keyword arguments, {}
File: bin/cribl.py 
345Insecure HTTP Connection found Match: requests.Session.get Positional arguments, ["cribl_ssl_certificate_path", "?"]; Keyword arguments, {}
File: lib/cribl_libs.py 
183Insecure HTTP Connection found Match: requests.post Positional arguments, ["/api/v1/auth/login"]; Keyword arguments, {"json": "?", "verify": "?", "headers": "?"}
[
success
]
check_for_sensitive_info_in_url - Check for sensitive information being exposed in transit via URL query string parameters
[
warning
]
check_for_supported_tls - Check that all outgoing connections use TLS in accordance to Splunk Cloud Platform policy.
File: bin/cribl.py 
745Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/solnlib/rest.py 
58Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/cribl_libs.py 
167Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
380Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/ta_trackme_cribl_rh_account_handler.py 
51Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/splunktaucclib/legacy/rest.py 
61Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
728Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/cribl_libs.py 
175Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
684Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
376Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
775Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
721Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: lib/solnlib/splunk_rest_client.py 
153Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.
File: bin/cribl.py 
701Ensure that the SSL certificate validation for communications with outside the Splunk Cloud stack is enabled. This can be done by specifying the relevant parameters (verify, cafile etc) to True or the certificate path.

Source code and binaries standards

[
success
]
check_for_bin_files - Check that files outside the bin/ and appserver/controllers directory do not have execute permissions. Splunk Cloud is a Linux-based platform, Splunk recommends 644 for all app files outside the bin/ directory, 644 for scripts within the bin/ directory that are invoked using an interpreter (e.g. python my_script.py or sh my_script.sh), and 755 for scripts within the bin/ directory that are invoked directly (e.g. ./my_script.sh or ./my_script).

Universal Configuration Console standards

[
warning
]
check_ucc_dependencies - Check UCC dependencies versions.
File: lib/solnlib/__init__.py 
59Detected solnlib (version 7.0.0). No action required.
File: lib/splunktaucclib/__init__.py 
17Detected splunktaucclib (version 8.0.0). No action required.

XML file standards

[
success
]
check_that_all_xml_files_are_well_formed - Check that all XML files are well-formed.