
How to trigger warnings for these? Sql injection, stack trace, and hard coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple code snippets that I found helpful for a quick test.

1) SQL injection

dbConnection = Utilities.getDBConnection();
sqlStatement = dbConnection.createStatement();
// the user-controlled value "data" is concatenated straight into the query
String query = "insert into users (status) values ('updated') where name='" + data + "'";
Boolean result = sqlStatement.execute(query);

2) StackTrace

} catch (Exception e) {
    e.printStackTrace();
}

3) Hard coded constants for db connection

return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);


Thanks!

  • 0

    Hi mo,

    Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

    System Information Leak
    Poor Logging Practice: Use of System Output Stream
    Password Management: Hardcoded Password

    It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

    So if your question is whether Fortify would detect these, I would say definitely.

    If you are not yet a customer, ask if they offer a free trial where you could try this yourself.


  • 0 in reply to 

    Thanks rhelsens.

    I'm trying fortify on demand atm, but it doesn't produce anything for these, any thoughts?

  • 0 in reply to 

    That's surprising. What are you choosing for Audit Preference? Is it possible that you are choosing Manual and a security expert at Micro Focus is reviewing and suppressing them?

    Audit preference determines whether a security expert will manually review the scan results for overall quality and to remove false positives.  Selecting Automated audit will automatically suppress new issues identified as false positives by Fortify on Demand Scan Analytics with high confidence and publish the results without human review, which can reduce the turnaround time. We recommend a manual audit for the first scan of an application or release with major changes, with subsequent scans using automated audit for shorter turnaround times. False positive challenges can only be requested for issues introduced during a scan with manual audit.

  • 0 in reply to 

    I'm using the trial version. Maybe that's the reason? My trial has expired so I don't have access to the reports atm, and can't tell what setting I chose, though I cannot remember a setting for a manual and auto check.

  • 0 in reply to 

    For what it's worth, I was curious and scanned "similar" code using the Fortify SCA on-premise scanner, which found those results I posted earlier. That is why I think these would be detected.

    The code I scanned was a single Java file like this:

    import java.sql.*;
    import java.util.*;

    class Main {
        public static void main(String a[]) {
            // Creating the connection (credentials hard-coded on purpose)
            String url = "jdbc:oracle:thin:@localhost:1521:xe";
            String username = "system";
            String password = "12345";

            // Entering the data
            Scanner k = new Scanner(System.in);
            System.out.println("enter name");
            String name = k.next();
            String cls = k.next();

            // user input concatenated straight into the SQL statement
            String sql = "insert into table values('" + name + "')";
            Connection con = null;
            try {
                DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
                con = DriverManager.getConnection(url, username, password);

                Statement st = con.createStatement();
                int m = st.executeUpdate(sql);
                con.close();
            } catch (Exception ex) {
                // printStackTrace() returns void, so it cannot be passed to println()
                ex.printStackTrace();
            }
        }
    }
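    For comparison, here is the same program with the three findings named in the first reply (SQL Injection, System Information Leak / Poor Logging Practice, Hardcoded Password) fixed. This is an added example, not code from the thread or from Fortify; the table and column names, and the DB_URL / DB_USER / DB_PASS environment variables, are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

class Main {
    private static final Logger LOG = Logger.getLogger(Main.class.getName());

    // Hardcoded Password fix: credentials are read from the environment (assumed
    // variable names), never from string literals that end up in source control.
    static Connection connect() throws SQLException {
        String url = System.getenv("DB_URL");   // e.g. jdbc:oracle:thin:@localhost:1521:xe
        String user = System.getenv("DB_USER");
        String pass = System.getenv("DB_PASS");
        if (url == null || user == null || pass == null) {
            throw new IllegalStateException("DB_URL, DB_USER and DB_PASS must be set");
        }
        return DriverManager.getConnection(url, user, pass);
    }

    // SQL Injection fix: the untrusted value is bound as a parameter, so it can never
    // alter the structure of the statement. Table and column names are assumed.
    static int insertName(Connection con, String name) throws SQLException {
        String sql = "insert into users (name) values (?)";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "";   // untrusted input, as in the post
        try (Connection con = connect()) {
            insertName(con, name);
        } catch (SQLException | IllegalStateException ex) {
            // System Information Leak / Poor Logging Practice fix: no printStackTrace()
            // and no System.err; the exception goes to the configured log handler only.
            LOG.log(Level.SEVERE, "database update failed", ex);
        }
    }
}
```

    Scanning this version alongside the original is a quick way to confirm that the scanner reacts to the concatenation, the console stack trace and the literal credentials rather than to something incidental in the file.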

  • 0 in reply to 

    Thanks. So I guess it's just the trial version for FoD that doesn't detect those.

  • 0 in reply to 

    May I ask for a favour? Could you try these files? https://github.com/Tahaei/sample-warnings

    I'm doing research on security warnings for developers; if you can help me with that I'd really appreciate it. I just need to know what output Fortify generates for these. Thanks!

  • 0 in reply to 

    See the PM I sent you.

    Based on what you are looking for and your questions around the forums, I highly suggest you contact someone in Sales who can give you some personalized demonstrations and may be able to provide what you are looking for: research results for your audience.

    Asking someone to use their license to scan files on your behalf may violate the terms of their license agreement.

  • 0 in reply to   

    I did contact sales; they didn't reply though. I think I just have to remove this product from my list. Thanks anyway!

  • 0   in reply to 

    As I mentioned in my private message to you, please contact me at my email for further information and I can get you in touch with someone to assist.