Security of Vaultwarden and Keepass analyzed for the BSI

September 4, 2025
Tags: SAST
Category: News Publication

Static Code Analysis (SAST) of Open Source Software

On behalf of the German Federal Office for Information Security (BSI), we conducted a security analysis of the open-source applications Vaultwarden and Keepass, employing static code analysis and dynamic analysis (pentests). In Vaultwarden, we discovered two vulnerabilities with elevated risk potential and several other security-relevant issues. These were immediately reported to the developers and have largely been resolved. In Keepass, we also identified some security problems, although these were less severe. The project aims to improve the security of popular open-source software, especially for applications used by government agencies or private users. This initiative will continue with other open-source applications.

The analysis was carried out in spring/summer 2024 and published on 14.10.24.

BSI Report
Article on Heise Online

The Author

mgm security partners