fortify

Fortify scanning in Eclipse over maven projects

試著忘記壹切 submitted on 2019-12-13 19:35:44
Question: I have the Eclipse plugin for Fortify. But it only runs on Java projects. We have some Java projects, but they are Maven-based non-Java projects. I can edit the .project file of the projects and change their type to Java to enable Fortify scanning. But is there a better way to run Fortify scans on Maven-based projects? EDIT: Had to do the following steps as mentioned in some of the posts below: Install the Maven Fortify plugin; Added Maven Fortify plugin details in my application pom; Ran

Prevent XXE Fortify issue for TransformerFactory

久未见 submitted on 2019-12-13 07:10:12
Question: I need to fix an XXE issue. I am using TransformerFactory in code. Found the fix below, but I cannot see the ACCESS_EXTERNAL_DTD attribute in my code. The reason I got is that the code below will work for Java 7; however, I am using Java 6. Can someone please suggest some other fix? To protect a Java TransformerFactory from XXE, do this: TransformerFactory tf = TransformerFactory.newInstance(); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Answer 1:

Security violation - Fortify, MVC

余生长醉 submitted on 2019-12-13 06:58:52
Question: I am using HP Fortify to address the security issues in my application. I have a piece of code as below for which Fortify throws an error. The Fortify result says: The method DownloadAttachment() in fileName.cs includes unvalidated data in an HTTP response header on line lineNo. This enables attacks such as cache poisoning, cross-site scripting, cross-user defacement, page hijacking, cookie manipulation or open redirect. Code - public ActionResult DownloadAttachment(string fullFilePath) {

What is the solution for Mass Assignment: Insecure Binder Configuration Vulnerability?

我的未来我决定 submitted on 2019-12-12 15:38:24
Question: I have this Controller in Java: @Controller public class AuthenticationController extends AbstractController { @RequestMapping(value = Constantes.MAPPING_AUTH_BASE_ASP, method = { RequestMethod.POST }) public String authenticate(@Valid ComunicationWithAspRequest comunicationWithAspRequest, BindingResult result, RedirectAttributes redirectAttributes, HttpSession sesion) throws Exception { ... ... ... } } When I scan my code in Fortify, the object comunicationWithAspRequest causes the Mass

How to fix XSS vulnerabilities

十年热恋 submitted on 2019-12-12 11:54:12
Question: We're using Fortify to scan Java source code & it is complaining with the error below: Method abc() sends unvalidated data to a web browser on line 200, which can result in the browser executing malicious code. We have the code below on line 200: <a href="<%= Util.getProduct(request) %>">Product</a> And Util.java has the code below in the getProduct method: String prod = request.getParameter("prod"); Can anyone tell me how to fix this XSS vulnerability? Thanks! Answer 1: You need to escape the output of Util.getProduct

How to diff Fortify SCA scans

北城以北 submitted on 2019-12-12 07:35:16
Question: We have Fortify SCA and we are setting up regular, automated scans of our source code. Our intention is to have an alert if there is an introduced security issue. Is there a way, perhaps using FPRUtility (or some other method), to accomplish this? Ultimately I prefer something that can be easily run from the command line, but if this can also be accomplished using the GUI then I would appreciate knowing how to do that as well. Answer 1: Use Audit Workbench to run a report. Choose "developer

JsonConvert.DeserializeXmlNode and Fortify Warns of JSON Injection

一世执手 submitted on 2019-12-12 02:13:02
Question: Fortify is warning me that "JsonConvert.DeserializeXmlNode(JsonString);" could allow an attacker to inject arbitrary elements or attributes into the JSON entity. The JSON coming into my app is unfortunately dynamic; is there anything I can do to mitigate this? Is there a better method to convert my JSON to XML? It says I can "ensure all serialization to JSON is performed using a safe serialization function that delimits untrusted data within single or double quotes and escapes any special

Fortify to scan 3rd-party DLLs

浪子不回头ぞ submitted on 2019-12-12 01:23:27
Question: Is there any way to get Fortify to scan 3rd-party DLLs? I am translating .NET projects on the command line which have been prebuilt in debug mode. The command I am using is: sourceanalyzer -b mybuild -vsversion 14.0 -libdirs [project-root]/**/*.dll I note that the user guide of older versions specified that PDBs were not needed for 3rd-party DLLs, but in newer versions it states that 3rd-party PDBs are required for 3rd-party DLLs. Without scanning 3rd-party DLLs, how useful would data

How to write language-specific Fortify custom rules?

谁都会走 submitted on 2019-12-11 19:27:15
Question: I'm creating some custom rules using Fortify, but I wonder if there is any way to customise those rules so they can be language specific. The reason for that is to be able to give custom descriptions in Java and in .NET about SQL injection, for instance, and custom references so they can be language specific. It seems like Fortify maps custom rules by category, but the issue comes when we have two packages, one for .NET and the other for Java, and both of them expose a category called Cross-Site

Key Management: Hardcoded Encryption Key for chart.js

谁说胖子不能爱 submitted on 2019-12-11 18:45:50
Question: I am facing an issue related to "Key Management: Hardcoded Encryption Key" for the chart.js API. We are using Fortify scanning for security purposes. How to avoid the 'Hardcoded Encryption Key'? After scanning we found the line of code that is hardcoded in chart.js. Is there any way to resolve this issue? var axisType = helpers.getValueOrDefault(valueObj.type, key === 'xAxes' ? 'category' : 'linear'); Answer 1: After analysing the chart.js code file, we have found there is no hardcoded encryption key. Key is