checkmarx

问题 I am working on Github integration with Checkmarx, which is used for code safety scan. This method works just fine for the repository hosted on github.com ( External repository ), but does not work on internal repository hosted inside our company (github.XXX.com), in fact the connection always failed (cannot pass the repository authorization on Checkmarx). I have checked both repository (internal and external) settings, they look the same to me. What is the difference between these two

问题 Following are checkmarx issue details Unrestricted File Upload Source Object : req (Line No - 39) target Object : getInputStream (Line No -41) public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter { //... 38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) 39 throws AuthenticationException, IOException, ServletException 40 { 41 Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class); return

问题 Following are checkmarx issue details Unrestricted File Upload Source Object : req (Line No - 39) target Object : getInputStream (Line No -41) public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter { //... 38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) 39 throws AuthenticationException, IOException, ServletException 40 { 41 Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class); return

问题 Following are checkmarx issue details Unrestricted File Upload Source Object : req (Line No - 39) target Object : getInputStream (Line No -41) public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter { //... 38 public Authentication attemptAuthentication(HttpServletRequest req, HttpServletResponse res) 39 throws AuthenticationException, IOException, ServletException 40 { 41 Entitlements creds = new ObjectMapper().readValue(req.getInputStream(), Entitlements.class); return

来源： https://stackoverflow.com/questions/62527043/checkmarx-cannot-see-the-code-in-static-method

来源： https://stackoverflow.com/questions/62527043/checkmarx-cannot-see-the-code-in-static-method

来源： https://stackoverflow.com/questions/62527043/checkmarx-cannot-see-the-code-in-static-method

问题 I persist a value from user input request. Checkmarx complains there is Trust Boundary Violation . gets user input from element request. This element’s value flows through the code without being properly sanitized or validated and is eventually stored in the server-side Session object I also found this post online. The accepted answer is to validate it. OK, validate and sanitize private String getValidSearchPath(String searchPath) { if (!searchPath.matches("^[0-9a-zA-Z]+$")) { //using regex

问题 I have an endpoint that receives a String from the client as seen below: @GET @Path("/{x}") public Response doSomething(@PathParam("x") String x) { String y = myService.process(x); return Response.status(OK).entity(y).build(); } Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething" Then I tried this: @GET @Path("/{x}") public Response doSomething(@PathParam("x")

问题 I have an endpoint that receives a String from the client as seen below: @GET @Path("/{x}") public Response doSomething(@PathParam("x") String x) { String y = myService.process(x); return Response.status(OK).entity(y).build(); } Checkmarx complains that this element’s value then "flows through the code without being properly sanitized or validated and is eventually displayed to the user in method doSomething" Then I tried this: @GET @Path("/{x}") public Response doSomething(@PathParam("x")