How to trigger warnings for these? SQL injection, stack trace, and hard-coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple snippets that I found helpful for a quick test.

1) SQL injection

// "data" is user-controlled input concatenated straight into the query text
dbConnection = Utilities.getDBConnection();
sqlStatement = dbConnection.createStatement();
String query = "insert into users (status) values ('updated') where name='" + data + "'";
Boolean result = sqlStatement.execute(query);

2) StackTrace

} catch (Exception e) {
    e.printStackTrace(); // writes the full stack trace to System.err
}

3) Hard coded constants for db connection

// MYSQL_USERNAME and MYSQL_PASSWORD are constants defined in the source
return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);

Thanks!

  • Hi mo,

    Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

    System Information Leak
    Poor Logging Practice: Use of System Output Stream
    Password Management: Hardcoded Password

    It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

    So if your question is whether Fortify would detect these, I would say definitely. 

    If you are not yet a customer, ask if they offer a free trial where you could try this yourself.

  • Thanks rhelsens. 

    I'm trying Fortify on Demand atm, but it doesn't produce anything for these. Any thoughts?

  • That's surprising. What are you choosing for Audit Preference? Is it possible that you are choosing Manual and a security expert at Micro Focus is reviewing and suppressing them?

    Audit preference determines whether a security expert will manually review the scan results for overall quality and to remove false positives.  Selecting Automated audit will automatically suppress new issues identified as false positives by Fortify on Demand Scan Analytics with high confidence and publish the results without human review, which can reduce the turnaround time. We recommend a manual audit for the first scan of an application or release with major changes, with subsequent scans using automated audit for shorter turnaround times. False positive challenges can only be requested for issues introduced during a scan with manual audit.

  • I'm using the trial version. Maybe that's the reason? My trial has expired, so I don't have access to the reports atm and can't tell what setting I chose, though I cannot remember a setting for a manual and auto check.

  • For what it's worth, I was curious and scanned "similar" code using the Fortify SCA on-premise scanner, which found the results I posted earlier. Which is why I think these would be detected.

    The code I scanned was a single Java file like this:

    import java.sql.*;
    import java.util.*;

    class Main
    {
        public static void main(String a[])
        {
            // Creating the connection (credentials hard-coded in the source)
            String url = "jdbc:oracle:thin:@localhost:1521:xe";
            String username = "system";
            String password = "12345";

            // Entering the data
            Scanner k = new Scanner(System.in);
            System.out.println("enter name");
            String name = k.next();
            String cls = k.next();

            // user input concatenated into the SQL text
            String sql = "insert into table values('" + name + "')";
            Connection con = null;
            try
            {
                DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
                con = DriverManager.getConnection(url, username, password);

                Statement st = con.createStatement();
                int m = st.executeUpdate(sql);
                con.close();
            }
            catch (Exception ex)
            {
                // printStackTrace() returns void, so it cannot be passed to println;
                // print the trace to System.err directly
                ex.printStackTrace(System.err);
            }
        }
    }
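Neither the question's snippets nor the file above show what the scanner expects instead, so here is the same three issues in hardened form as an added example (not code from the thread, from Fortify, or from Micro Focus): the user-supplied value is bound with a PreparedStatement (#1), the exception goes to the application logger instead of printStackTrace()/System.err (#2), and the credentials are read from the environment rather than string literals (#3). The class name SafeInsert and the environment variable names DB_URL, DB_USER and DB_PASSWORD are assumptions, and the statement is written as an UPDATE on the assumption that that is what the question's "insert ... where name=" was meant to do.

```java
// Added example, not from the thread. Assumes a JDBC driver on the classpath and
// that the deployment supplies DB_URL, DB_USER and DB_PASSWORD (assumed names).
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class SafeInsert {
    private static final Logger LOG = Logger.getLogger(SafeInsert.class.getName());

    // #3: credentials come from the environment at run time, so no password
    // literal exists in the source for a scanner (or a repository reader) to find.
    static Connection openConnection() throws SQLException {
        String url = requireEnv("DB_URL");
        String user = requireEnv("DB_USER");
        String password = requireEnv("DB_PASSWORD");
        return DriverManager.getConnection(url, user, password);
    }

    // Fail early with a clear message when a required variable is absent.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing required environment variable " + name);
        }
        return value;
    }

    // #1: the user-controlled value is bound as a parameter, never concatenated
    // into the SQL text, so the input cannot change the structure of the query.
    static int updateStatus(Connection con, String name) throws SQLException {
        String sql = "update users set status = ? where name = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, "updated");
            ps.setString(2, name);
            return ps.executeUpdate();
        }
    }

    public static void main(String[] args) {
        String name = args.length > 0 ? args[0] : "alice"; // constructed sample input
        try (Connection con = openConnection()) {
            int rows = updateStatus(con, name);
            LOG.info(() -> "rows updated: " + rows);
        } catch (SQLException e) {
            // #2: no printStackTrace() and no System.out/System.err. The exception
            // is handed to the logger, whose handlers and level are set by
            // deployment configuration rather than hard-wired to the console.
            LOG.log(Level.SEVERE, "database update failed", e);
        }
    }
}
```

Scanning this version beside the original is a quick way to check that the tool is actually analyzing the file: the original should report the three categories rhelsens listed plus SQL Injection, and this one should not.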
