How to trigger warnings for these? Sql injection, stack trace, and hard coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple code snippets that I found helpful for a quick test.

1) SQL injection

dbConnection = Utilities.getDBConnection();
sqlStatement = dbConnection.createStatement();
// user-controlled "data" is concatenated straight into the query text
String query = "insert into users (status) values ('updated') where name='" + data + "'";
Boolean result = sqlStatement.execute(query);

2) StackTrace

} catch (Exception e) {
    e.printStackTrace();
}

3) Hard coded constants for db connection

return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);


Thanks!

  • Hi mo,

    Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

    System Information Leak
    Poor Logging Practice: Use of System Output Stream
    Password Management: Hardcoded Password

    It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

    So if your question is whether Fortify would detect these, I would say definitely. 

    If you are not yet a customer, ask if they offer a free trial where you could try this yourself.


  • Thanks rhelsens. 

    I'm trying fortify on demand atm, but it doesn't produce anything for these, any thoughts?

  • That's surprising. What are you choosing for Audit Preference? Is it possible that you are choosing Manual and a security expert at Micro Focus is reviewing and suppressing them?

    Audit preference determines whether a security expert will manually review the scan results for overall quality and to remove false positives.  Selecting Automated audit will automatically suppress new issues identified as false positives by Fortify on Demand Scan Analytics with high confidence and publish the results without human review, which can reduce the turnaround time. We recommend a manual audit for the first scan of an application or release with major changes, with subsequent scans using automated audit for shorter turnaround times. False positive challenges can only be requested for issues introduced during a scan with manual audit.

  • I'm using the trial version. Maybe that's the reason? My trial has expired so I don't have access to the reports atm, and can't tell what setting I chose, though I cannot remember a setting for a manual and auto check.

  • For what it's worth, I was curious and scanned "similar" code using Fortify SCA on-premise scanner which found those results I posted earlier. Which is why I think these would be detected.

    The code I scanned was a single java file like this

    import java.sql.*;
    import java.util.*;

    class Main
    {
        public static void main(String a[])
        {
            // Creating the connection (credentials are hard-coded on purpose for the test)
            String url = "jdbc:oracle:thin:@localhost:1521:xe";
            String username = "system";
            String password = "12345";

            // Entering the data
            Scanner k = new Scanner(System.in);
            System.out.println("enter name");
            String name = k.next();
            String cls = k.next();

            // user input concatenated into the statement text (the SQL injection case)
            String sql = "insert into table values('" + name + "')";
            Connection con = null;
            try
            {
                DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
                con = DriverManager.getConnection(url, username, password);

                Statement st = con.createStatement();
                int m = st.executeUpdate(sql);
                con.close();
            }
            catch (Exception ex)
            {
                // stack trace written to the console (the information leak case)
                ex.printStackTrace();
            }
        }
    }
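    For comparison with the scanned file above, this is an added example (not code from the thread, from Fortify, or from Micro Focus) showing the same program with the three flagged patterns removed: a parameterised statement instead of string concatenation, credentials read from the environment (the variable names DB_URL, DB_USER and DB_PASSWORD are assumed), and the exception sent to a logger instead of printStackTrace.

    ```java
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.SQLException;
    import java.util.Scanner;
    import java.util.logging.Level;
    import java.util.logging.Logger;

    // Hardened counterpart of the scanned file: parameterised SQL, no hard-coded
    // credentials, and no stack trace written to the console.
    class MainFixed {
        private static final Logger LOG = Logger.getLogger(MainFixed.class.getName());

        // Credentials come from the environment (variable names are assumed here),
        // so no password literal is present in the source.
        static String requireEnv(String key) {
            String v = System.getenv(key);
            if (v == null || v.isEmpty()) {
                throw new IllegalStateException("missing environment variable " + key);
            }
            return v;
        }

        // The user-supplied name is bound as a parameter, so the query text never
        // changes whatever the input contains.
        static int insertName(Connection con, String name) throws SQLException {
            String sql = "insert into names (name) values (?)";
            try (PreparedStatement ps = con.prepareStatement(sql)) {
                ps.setString(1, name);
                return ps.executeUpdate();
            }
        }

        public static void main(String[] args) {
            String url = requireEnv("DB_URL");      // e.g. jdbc:oracle:thin:@localhost:1521:xe
            String username = requireEnv("DB_USER");
            String password = requireEnv("DB_PASSWORD");
            Scanner k = new Scanner(System.in);
            System.out.println("enter name");
            String name = k.next();
            try (Connection con = DriverManager.getConnection(url, username, password)) {
                int rows = insertName(con, name);
                System.out.println("rows inserted: " + rows);
            } catch (SQLException ex) {
                // Detail goes to the application log (where the handler config sends it);
                // the user only sees a generic message.
                LOG.log(Level.SEVERE, "database update failed", ex);
                System.out.println("request could not be completed");
            }
        }
    }
    ```

    The three patterns named in the earlier reply (dynamic query text, printStackTrace, password literal) are gone; the interactive prompt still uses System.out because a console program needs it.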

  • Thanks. So I guess it's just the trial version for FoD that doesn't detect those.

  • May I ask for a favour? Could you try these files? https://github.com/Tahaei/sample-warnings
    I'm doing research on security warnings for developers, if you can help me with that I'd really appreciate it. I just need to know what output Fortify generates for these. Thanks!
  • See the PM I sent you.

    Based on what you are looking for and your questions around the forums, I highly suggest you contact someone in Sales who can give you some personalized demonstrations and may be able to provide what you are looking for: research results for your audience.

    Asking someone to use their license to scan files on your behalf may violate the terms of their license agreement.

  • I did contact sales, they didn't reply though. I think I just have to remove this product from my list. Thanks anyways!

  • As I mentioned in my private message to you please contact me at my email for further information and I can get you in touch with someone to assist.

  • Fabulous! I just replied to that, thank you!
  • Thank you for your email. For others "following this post", I wanted to mention the Training Partner Program Micro Focus offers: https://www.microfocus.com/training/partners/academic-training-partner-program/

    • No fee is required to be part of the program once your eligibility has been confirmed.
    • Access to the full online On-demand Training Library to help train your staff.
    • Ability to use Micro Focus course materials for staff development.
    • Access to the benefits of the PartnerNet Program – see www.partnernetprogram.com.
    • Ability to use all or parts of any existing course provided within the curriculum.
    • Ability to create new courses using parts of the material provided.
    • Ability to print your own manuals or purchase printed manuals at special reduced pricing.
    • Provision of Virtual Machines with pre-configured software environments and Micro Focus licenses to allow you to build your own as the need arises.
    • The ability to become a Testing Partner.
    • Access to the additional resources available to Training Partners.
    • Automatic membership in the TTP academic support community – www.thettp.org.
    • Become part of the growing community of academics teaching industry recognized materials to its staff and students.