fortify

I am getting SUBSCRIPTION_JSON from client which I am converting it to String and then setting it to Model Object using gson library. On running the code on Fortify security, It is giving me Json injection error on below code with following message : Here is the error : On line 159 of ActionHelper.java, the method jsonToObject() writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.The method writes unvalidated input into JSON. This call could allow an attacker to inject arbitrary elements or attributes into the

I am working on fixing Cross site scripting issues in our code mainly in JSPS. Below is the original code //scriplet code <% String userId = request.getParameter("sid"); ...%> and in the same Jsp they have <input type = hidden name = "userID" value = "<%= userId %>" /> I have made changes to include esapi-2.1.0.jar in lib and ESAPI.properties, validation.properties in classpath. Then made below changes to scriplet code to fix the above code //scriplet code <% String userId = ESAPI.encoder().encodeForHTML(request.getParameter("sid")); ...%> I thought this would fix the issue but when I scan my

Has anyone used command line to run fortify? I tryin to incorporate fortify run in my CI build and I dont know how to do it. AspiringDevOpsGuru Since I can't add a comment, I'll have to offer this as an answer. Our company has integrated the scan process into our TFS build environment and it works pretty well. We use a series of "Invoke Process" build activities to make this happen. The entire security scan sequence is wrapped in a conditional which is exposed as an argument to the build definition. This allows us to enable or disable scans as needed. We also expose a few other things like