fortify

Java Null Dereference when setting a field to null - Fortify

你。 submitted on 2019-12-11 15:05:30
Question: Fortify is complaining about a Null Dereference when I set a field to null:

    String sortName = null;
    if (lastName != null && lastName.length() > 0) {
        sortName = lastName;
    }
    sortOptions.setSortField(sortName); // <-- Fortify Null Dereference

Fortify's analysis trace says:

    Assigned null: sortName
    Branch taken: if (lastName != null && lastName.length() > 0)
    Dereferenced: sortName

I could try:

    if (sortName == null) sortOptions.setSortField(null); else sortOptions.setSortField(sortName);

But that

Fortify Cross Site Scripting in File

走远了吗. submitted on 2019-12-11 12:18:52
Question: I have the below code in the controller. The parameters base64String, fileName are being sent from the browser.

    var fileContent = Convert.FromBase64String(base64String);
    return File(fileContent, contentType, fileName);

How do I address the XSS threat here? The above code is based on a fix recommended here: Kendo UI Grid Export to Excel / PDF not working on IE9

Answer 1: I'm assuming you are not returning HTML to your users (you are returning PDFs or Excel files, or something else for download by

HP fortify XML External Entity Injection

杀马特。学长 韩版系。学妹 submitted on 2019-12-11 02:37:00
Question: HP Fortify shows me an XML External Entity Injection on the below code:

    StringBuilder sb = new StringBuilder();
    StringWriter stringWriter = new StringWriter(sb);
    xmlSerializer.Serialize(stringWriter, o);
    XmlDocument xmlDoc = new XmlDocument();
    xmlDoc.LoadXml(stringWriter.ToString()); //bad code
    result = xmlDoc.ChildNodes[1].OuterXml;

In the above it was showing the vulnerability in the following line:

    xmlDoc.LoadXml(stringWriter.ToString());

How can I resolve this situation?

Answer 1: use xmlDoc

How to exclude target folder from Fortify scans

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-10 22:44:50
Question: I want to exclude all files that are underneath a target folder from translations and scans. I have tried to use the -exclude parameter but it doesn't seem to work.

    [warning]: No files were excluded as the file patterns: [**/target/**/*] specified for -exclude option did not match any files.
    HP Fortify Static Code Analyzer 6.42.0006 (using JVM 1.8.0_45)
    Processing C:/path/ProjectName/target/test/test_fortify_exclusion2.jsp
    Processing C:/path/ProjectName/target/test_fortify_exclusion.jsp

I

Fortify throws error while scanning Visual Studio project

谁都会走 submitted on 2019-12-10 18:03:23
Question: I'm trying to run Fortify on a Visual Studio 2008 project. The project builds successfully on its own. When I try to analyze the project with Fortify using the Visual Studio integrated controls, the project builds successfully but an error message is thrown. Here's the output from the Fortify console:

    Fortify SCA...
    Running: "-show-runtime-properties"
    Running: "-b" "ProjectName" "-clean"
    Error setting VCProject Path.
    Abort VC project related scan
    Scan Failed
    Could not load file or assembly

Fortify flagging query as sqlInjection when passing in parameters to a method

£可爱£侵袭症+ submitted on 2019-12-10 11:57:23
Question: We have a method in our database layer which looks like this:

    public List<String> getNamesFromId(List<Long> idsList){
        StringBuilder query = new StringBuilder();
        query.append("Select first_name from person where id in (");
        for (int pos = 0; pos < idsList.size(); pos++) {
            query.append("?");
            query.append(",");
        }
        query.deleteCharAt(query.length() - 1).append(")");
        try {
            conn = establishConnection();
            pstmt = conn.prepareStatement(query.toString());
            for (int i = 0; i < selections.size(); i++) {
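The shape the question's method is aiming for, written out as an added example (this is not code from the post): one "?" per id, every id bound through setLong, and the only text ever appended to the SQL being a count-dependent run of placeholders. The DataSource, the PersonDao class name and the inClauseSql helper are assumptions made for the example; the table and column names are the ones in the question.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

public class PersonDao {

    private final DataSource dataSource; // assumed: injected by the application

    public PersonDao(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    /**
     * Builds "SELECT first_name FROM person WHERE id IN (?, ?, ...)" with one
     * placeholder per id. The number of placeholders depends on the list size,
     * but the characters appended are always "?", "," and " ": no id value and
     * no other input ever becomes part of the query text.
     */
    static String inClauseSql(int placeholderCount) {
        if (placeholderCount <= 0) {
            throw new IllegalArgumentException("IN clause needs at least one value");
        }
        StringBuilder sql = new StringBuilder("SELECT first_name FROM person WHERE id IN (");
        for (int i = 0; i < placeholderCount; i++) {
            sql.append(i == 0 ? "?" : ", ?");
        }
        return sql.append(")").toString();
    }

    public List<String> getNamesFromId(List<Long> idsList) throws SQLException {
        List<String> names = new ArrayList<>();
        if (idsList == null || idsList.isEmpty()) {
            return names; // "IN ()" is not valid SQL; return early instead of building it
        }
        // try-with-resources closes the statement and the connection even when a query fails
        try (Connection conn = dataSource.getConnection();
             PreparedStatement pstmt = conn.prepareStatement(inClauseSql(idsList.size()))) {
            for (int i = 0; i < idsList.size(); i++) {
                pstmt.setLong(i + 1, idsList.get(i)); // JDBC parameter indexes are 1-based
            }
            try (ResultSet rs = pstmt.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("first_name"));
                }
            }
        }
        return names;
    }
}
```

Fortify reports SQL Injection when it can trace data it considers tainted into the string handed to prepareStatement. Keeping the placeholder construction in a helper that takes only an int, and binding every value with a typed setter, makes the absence of such a flow visible to an auditor and is the usual basis for marking a finding like the one in the question as not exploitable. Note that the loop in the posted code iterates over selections while the placeholders were generated from idsList; if those two lists differ in size the bind count will not match the placeholder count and the driver will reject the statement.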

How do I force cmake to use cl.exe without full path?

落花浮王杯 submitted on 2019-12-10 10:23:07
Question: I am building an open source project (kst, v2.0.8) that uses CMake. I am using CMake v2.8.12.2 and MSVC 2008 as a compiler and am generating NMake makefiles to build it on the command line. I can get it to build successfully with this setup. These versions are mandated so I cannot currently use a later version of CMake or MSVC. I need to be able to perform a source code analysis of kst using HP's Fortify and to be able to use it from the command line it works in one of two ways: Touchless

Fortify integration with Maven - install

醉酒当歌 submitted on 2019-12-09 18:15:16
Question: I want to run a Fortify scan against a Maven Eclipse project. Where should I start? I understand that I need to update my pom.xml file to include the Fortify plugin; however, do I also require to have Fortify SCA installed on my machine? (I'm running MacOS X). I have been trying to find a place to download Fortify SCA but have not been able to find it. I would appreciate it if someone could share some links to point me in the right direction in getting the setup complete.

Answer 1: I don't think the

How to correct Path Manipulation error given by fortify?

烂漫一生 submitted on 2019-12-09 13:46:26
Question: I need to read the properties file kept in the user_home folder.

    PropsFile = System.getProperty("user.home") + System.getProperty("file.separator")+ "x.properties";

Fortify is giving a path manipulation error on this line. The number of correct values is large so blacklisting is the only way possible. So to avoid it I changed the code as below.

    String propsFile = null;
    StringBuffer sb = new StringBuffer();
    String xProperties = "x.properties";
    String userHome = System.getProperty("user.home");
    // *
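The check Fortify's Path Manipulation category is asking for is an allow-list on the variable part of the path plus a containment check on the canonical result, not a blacklist. The following is an added example, not code from the post, and it deliberately goes one step beyond the question: the file name is taken as a parameter so the allow-list has something to validate, whereas the question uses the fixed name x.properties. The class name, the method names and the file-name pattern are assumptions made for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.regex.Pattern;

public class UserHomeProperties {

    // Allow-list for the variable part of the path: a plain file name, no separators,
    // no ".." segments. Assumed pattern; tighten it to whatever names you actually use.
    private static final Pattern SAFE_FILE_NAME = Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}");

    /**
     * Resolves fileName under userHome and returns the canonical path, refusing any
     * name that fails the allow-list or whose canonical form lies outside userHome.
     */
    static Path resolveUnderHome(String userHome, String fileName) throws IOException {
        if (userHome == null || userHome.isEmpty()) {
            throw new IllegalStateException("user.home is not set");
        }
        if (fileName == null || !SAFE_FILE_NAME.matcher(fileName).matches()) {
            throw new SecurityException("file name rejected by allow-list: " + fileName);
        }
        Path home = Paths.get(userHome).toRealPath();      // canonical; symlinks in the home path resolved
        Path candidate = home.resolve(fileName).normalize(); // ".." would be collapsed here if it got through
        if (!candidate.startsWith(home)) {
            throw new SecurityException("path escapes user.home: " + candidate);
        }
        if (Files.isSymbolicLink(candidate)) {             // do not follow a link planted in the home dir
            throw new SecurityException("refusing symbolic link: " + candidate);
        }
        return candidate;
    }

    /** Loads x.properties from the current user's home directory through the checks above. */
    public static Properties loadXProperties() throws IOException {
        Path propsFile = resolveUnderHome(System.getProperty("user.home"), "x.properties");
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(propsFile)) {
            props.load(in);
        }
        return props;
    }

    public static void main(String[] args) throws IOException {
        // Shows the resolved path; the file need not exist for resolveUnderHome to succeed.
        System.out.println(resolveUnderHome(System.getProperty("user.home"), "x.properties"));
    }
}
```

Fortify treats System.getProperty as a source of untrusted data, so it may still report the flow from user.home into the file open even with this code in place; the difference is that the finding now has a concrete validation step an auditor can point to when suppressing it. If the file name really is a compile-time constant, as in the question, the allow-list branch is never exercised, but the canonicalisation and containment check still guard against a user.home value that resolves somewhere unexpected.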

Obtaining text output from Fortify sourceanalyzer command line

淺唱寂寞╮ submitted on 2019-12-07 19:03:08
Question: Related to question: Fortify command line usage. I would like to perform a nightly Fortify scan of my .NET solution, triggered by TeamCity's command line runner. I want to post up my own custom summary of the results to a web page. The key information I want is the number of issues per level of criticality. I have previously used the -f command-line switch for use with the Audit Workbench client, but the resulting .FPR file looks difficult to parse and interpret manually. I'm using Fortify