
OpenText Fortify Software Security Content 2023 Update 2


About OpenText Fortify Software Security Research

The Fortify Software Security Research team translates cutting-edge research into security intelligence that powers the Fortify product portfolio – including Fortify Static Code Analyzer (SCA) and Fortify WebInspect. Today, Fortify Software Security Content supports 1,552 vulnerability categories across 31+ languages and spans more than one million individual APIs.

Fortify Software Security Research (SSR) is pleased to announce the immediate availability of updates to Fortify Secure Coding Rulepacks (English language, version 2023.2.0), Fortify WebInspect SecureBase (available via SmartUpdate), and Fortify Premium Content.

Fortify Secure Coding Rulepacks [Fortify Static Code Analyzer]

With this release, the Fortify Secure Coding Rulepacks detect 1,329 unique categories of vulnerabilities across 31+ languages and span over one million individual APIs. In summary, this release includes the following:

Support for Dart (version supported: 2.19.6)[1]
The Dart software development kit (SDK), developed by Google, provides a strongly typed, class-based, and garbage-collected programming language for building desktop, mobile, and web applications. Dart offers versatility by allowing applications to be compiled into architecture-specific machine code, portable modules, or JavaScript, depending on the intended use case. With Dart, developers can create applications with accompanying graphical user interfaces (GUIs), making it a flexible choice for building a wide range of software solutions. Categories supported include:

  • Access Control: Database
  • Command Injection
  • Denial of Service
  • Denial of Service: Regular Expression
  • Header Manipulation
  • Insecure Transport
  • Open Redirect
  • Password Management: Empty Password
  • Password Management: Hardcoded Password
  • Path Manipulation
  • Privacy Violation
  • Resource Injection
  • Server-Side Request Forgery
  • SQL Injection
  • System Information Leak
  • System Information Leak: Internal

Initial support for Flutter (version supported: 3.7.11)[1]
Flutter, an open-source user interface (UI) SDK created by Google, harnesses the power of the Dart programming language. It provides developers with a comprehensive set of tools, libraries, and packages to facilitate the creation of cross-platform applications. With Flutter, developers can build mobile, web, and desktop applications from a single codebase, simplifying the development process and reducing time and effort. By leveraging Flutter's capabilities, developers can create visually appealing and performant applications that run seamlessly across multiple platforms. Support for Flutter includes tracking of user-supplied input, detection of all supported categories for the Dart programming language, and the following categories specifically for Flutter GUIs:

  • Privacy Violation: Shoulder Surfing
  • System Information Leak: Internal

Android 13 (API level: 33)
The Android platform is an open-source software stack designed for mobile devices. A primary component of Android is the Java API Framework, which exposes Android features to application developers. This release expands vulnerability detection in native Android applications written in Java or Kotlin that leverage Android's Java API Framework. Five new weakness categories are introduced in this release for Android applications:

  • Privacy Violation: Android Insecure Indexing
  • Privilege Management: Android Nearby Devices
  • Privilege Management: Android Notifications
  • Privilege Management: Android Read Aural Media
  • Privilege Management: Android Read Visual Media

Additional Android updates are included to support detection of existing weakness categories in the following namespaces:

  • app
  • content
  • net
  • os
  • util
  • nio
  • security
  • security.interfaces

Java SE JDK (version supported: 17)
The Java Platform, Standard Edition (SE) Java Development Kit (JDK) is a software development package containing tools and libraries used to develop Java applications and components. This release includes updated support for existing weakness categories in the following namespaces, covering new APIs introduced in Java SE JDK 15, 16, and 17:

  • io
  • lang
  • lang.reflect
  • net
  • nio.channels
  • util
  • util.random
  • util.stream

Improved scan coverage might include additional issues identified under the following categories:

  • Insecure Randomness
  • Insecure Randomness: Hardcoded Seed
  • Insecure Randomness: User-Controlled Seed
  • Server-Side Request Forgery
  • Setting Manipulation
  • Unsafe Reflection

Kotlin Standard Library Updates (version supported: 1.7.21)
Kotlin is a general-purpose, statically-typed language featuring Java interoperability. This release includes updated support for new standard library APIs introduced in Kotlin versions 1.6 and 1.7 targeting the Java Virtual Machine (JVM).

Secret Scanning Update
Secret Scanning is a technique to automatically search for secrets in source code and configuration files. In this context "secrets" refers to passwords, API tokens, encryption keys, and similar artifacts meant to be kept secret. This release includes updated support for secret scanning in the following categories:

  • Credential Management: Hardcoded API Credentials
  • Key Management: Hardcoded Encryption Key
  • Password Management: Hardcoded Password

Additionally, secret scanning in PowerShell scripts is now supported for the following categories:

  • Password Management: Hardcoded Password
  • Privacy Violation

Cloud Infrastructure as Code (IaC)
Infrastructure as code is the process of managing and provisioning computing resources through code rather than through manual processes. Expanded coverage of supported technologies includes Terraform configurations for deployment to Amazon Web Services (AWS) and Google Cloud Platform (GCP), as well as AWS CloudFormation configurations. Common misconfigurations of these services are now reported to the developer.

AWS Terraform Configurations
Terraform is an open-source IaC tool for building, changing, and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of AWS infrastructure. In this release, we report the following additional categories for Terraform configurations:

  • AWS Terraform Misconfiguration: Aurora Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: CloudWatch Missing Customer-Managed Encryption Key
  • AWS Terraform Misconfiguration: Database Migration Service Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: DocumentDB Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: ElastiCache Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: Improper API Gateway Access Control
  • AWS Terraform Misconfiguration: Improper EC2 Network Access Control
  • AWS Terraform Misconfiguration: Improper ECR Access Control
  • AWS Terraform Misconfiguration: Improper EKS Network Access Control
  • AWS Terraform Misconfiguration: Improper ElastiCache Network Access Control
  • AWS Terraform Misconfiguration: Improper Lambda Access Control
  • AWS Terraform Misconfiguration: Improper MSK Network Access Control
  • AWS Terraform Misconfiguration: Improper Neptune Access Control
  • AWS Terraform Misconfiguration: Improper RDS Network Access Control
  • AWS Terraform Misconfiguration: Improper S3 Access Control
  • AWS Terraform Misconfiguration: Improper VPC Network Access Control
  • AWS Terraform Misconfiguration: Insecure API Gateway Storage
  • AWS Terraform Misconfiguration: Insecure API Gateway Transport
  • AWS Terraform Misconfiguration: Insecure App Sync Storage
  • AWS Terraform Misconfiguration: Insecure Athena Storage
  • AWS Terraform Misconfiguration: Insecure CloudFront Transport
  • AWS Terraform Misconfiguration: Insecure DynamoDB Storage
  • AWS Terraform Misconfiguration: Insecure EC2 Storage
  • AWS Terraform Misconfiguration: Insecure ECR Storage
  • AWS Terraform Misconfiguration: Insecure ECS Transport
  • AWS Terraform Misconfiguration: Insecure EKS Storage
  • AWS Terraform Misconfiguration: Insecure ElastiCache Storage
  • AWS Terraform Misconfiguration: Insecure Glue Storage
  • AWS Terraform Misconfiguration: Insecure Kinesis Storage
  • AWS Terraform Misconfiguration: Insecure MQ Storage
  • AWS Terraform Misconfiguration: Insecure OpenSearch Service Storage
  • AWS Terraform Misconfiguration: Insecure OpenSearch Service Transport
  • AWS Terraform Misconfiguration: Insecure RDS Transport
  • AWS Terraform Misconfiguration: Insecure S3 Storage
  • AWS Terraform Misconfiguration: Insecure SageMaker Storage
  • AWS Terraform Misconfiguration: Insufficient API Gateway Logging
  • AWS Terraform Misconfiguration: Insufficient Aurora Backup
  • AWS Terraform Misconfiguration: Insufficient CloudFront Logging
  • AWS Terraform Misconfiguration: Insufficient CloudTrail Logging
  • AWS Terraform Misconfiguration: Insufficient EC2 Logging
  • AWS Terraform Misconfiguration: Insufficient ELB Logging
  • AWS Terraform Misconfiguration: Insufficient ElastiCache Backup
  • AWS Terraform Misconfiguration: Insufficient ElastiCache Logging
  • AWS Terraform Misconfiguration: Insufficient Global Accelerator Logging
  • AWS Terraform Misconfiguration: Insufficient GuardDuty Monitoring
  • AWS Terraform Misconfiguration: Insufficient Lambda Logging
  • AWS Terraform Misconfiguration: Insufficient OpenSearch Service Logging
  • AWS Terraform Misconfiguration: Insufficient RDS Backup
  • AWS Terraform Misconfiguration: Insufficient Redshift Logging
  • AWS Terraform Misconfiguration: Insufficient S3 Backup
  • AWS Terraform Misconfiguration: MemoryDB Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: MQ Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: Neptune Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: RDS Auto-Upgrade Disabled
  • AWS Terraform Misconfiguration: Reduced CloudFront Availability
  • AWS Terraform Misconfiguration: Reduced ELB Availability
  • AWS Terraform Misconfiguration: Reduced StackSets Availability
  • AWS Terraform Misconfiguration: Weak Cognito Authentication
  • AWS Terraform Misconfiguration: Weak IAM Password Policy

GCP Terraform Configurations
Terraform is an open-source infrastructure as code tool for building, changing, and versioning cloud infrastructure. It uses its own declarative language known as HashiCorp Configuration Language (HCL). Cloud infrastructure is codified in configuration files to describe the desired state. Terraform providers support the configuration and management of GCP infrastructure. In this release, we report the following weakness categories for GCP Terraform configurations:

  • GCP Terraform Misconfiguration: Insufficient Cloud Load Balancing Logging
  • GCP Terraform Misconfiguration: Insufficient Cloud NAT Logging
  • GCP Terraform Misconfiguration: Insufficient Media CDN Logging
  • GCP Terraform Misconfiguration: Insufficient Operations Suite Logging

AWS CloudFormation Configurations
CloudFormation is a service provided by Amazon that is used to automate the provisioning and configuration of AWS resources. CloudFormation allows users to manage AWS resources using a JSON or YAML template. In this release, we report the following weakness categories for AWS CloudFormation configurations:

  • AWS CloudFormation Misconfiguration: AmazonMQ Publicly Accessible
  • AWS CloudFormation Misconfiguration: Backup Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: CloudTrail Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: DataBrew Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: DMS Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: DMS Publicly Accessible
  • AWS CloudFormation Misconfiguration: DocDB Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: DocDBElastic Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: DynamoDB Backup Disabled
  • AWS CloudFormation Misconfiguration: EC2 Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: ECR Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: EFS Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: ElastiCache Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: FinSpace Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: FSx Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: ImageBuilder Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Improper Athena Access Control
  • AWS CloudFormation Misconfiguration: Improper CodeStar Access Control
  • AWS CloudFormation Misconfiguration: Improper Cognito Access Control
  • AWS CloudFormation Misconfiguration: Improper ECS Network Access Control
  • AWS CloudFormation Misconfiguration: Improper EMR Access Control
  • AWS CloudFormation Misconfiguration: Improper KMS Access Control
  • AWS CloudFormation Misconfiguration: Improper Lambda Network Access Control
  • AWS CloudFormation Misconfiguration: Improper Lightsail Access Control
  • AWS CloudFormation Misconfiguration: Improper M2 Access Control
  • AWS CloudFormation Misconfiguration: Improper QLDB Access Control
  • AWS CloudFormation Misconfiguration: Improper RDS Access Control
  • AWS CloudFormation Misconfiguration: Improper Redshift Access Control
  • AWS CloudFormation Misconfiguration: Improper S3 Access Control
  • AWS CloudFormation Misconfiguration: Improper SageMaker Access Control
  • AWS CloudFormation Misconfiguration: Improper SageMaker Network Access Control
  • AWS CloudFormation Misconfiguration: Improper Serverless Network Access Control
  • AWS CloudFormation Misconfiguration: Improper Transfer Network Access Control
  • AWS CloudFormation Misconfiguration: Insecure API Gateway Transport
  • AWS CloudFormation Misconfiguration: Insecure CloudFront Transport
  • AWS CloudFormation Misconfiguration: Insecure DAX Storage
  • AWS CloudFormation Misconfiguration: Insecure ECR Supply Chain
  • AWS CloudFormation Misconfiguration: Insecure EFS Storage
  • AWS CloudFormation Misconfiguration: Insecure ELB Transport
  • AWS CloudFormation Misconfiguration: Insecure Elasticsearch Storage
  • AWS CloudFormation Misconfiguration: Insecure Elasticsearch Transport
  • AWS CloudFormation Misconfiguration: Insecure WorkSpaces Storage
  • AWS CloudFormation Misconfiguration: Insufficient API Gateway Logging
  • AWS CloudFormation Misconfiguration: Insufficient AppSync Logging
  • AWS CloudFormation Misconfiguration: Insufficient CloudFront Logging
  • AWS CloudFormation Misconfiguration: Insufficient CloudFront Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient CloudTrail Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient Config Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient ECR Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient ELB Logging
  • AWS CloudFormation Misconfiguration: Insufficient ElasticLoadBalancing Logging
  • AWS CloudFormation Misconfiguration: Insufficient Elasticsearch Logging
  • AWS CloudFormation Misconfiguration: Insufficient GuardDuty Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient Lambda Logging
  • AWS CloudFormation Misconfiguration: Insufficient MQ Logging
  • AWS CloudFormation Misconfiguration: Insufficient MSK Logging
  • AWS CloudFormation Misconfiguration: Insufficient OpenSearch Service Logging
  • AWS CloudFormation Misconfiguration: Insufficient RDS Monitoring
  • AWS CloudFormation Misconfiguration: Insufficient Route 53 Logging
  • AWS CloudFormation Misconfiguration: Insufficient Serverless Logging
  • AWS CloudFormation Misconfiguration: Insufficient Stack Monitoring
  • AWS CloudFormation Misconfiguration: Kinesis Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Lambda Denial of Service
  • AWS CloudFormation Misconfiguration: Location Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Logs Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: M2 Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: MemoryDB Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Neptune Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Privileged Batch Container
  • AWS CloudFormation Misconfiguration: RDS Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: RDS Publicly Accessible
  • AWS CloudFormation Misconfiguration: Redshift Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Reduced EC2 Availability
  • AWS CloudFormation Misconfiguration: Reduced ElastiCache Availability
  • AWS CloudFormation Misconfiguration: Reduced Stack Availability
  • AWS CloudFormation Misconfiguration: Rekognition Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: S3 Backup Disabled
  • AWS CloudFormation Misconfiguration: SQS Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: SageMaker Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Secrets Manager Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Serverless Denial of Service
  • AWS CloudFormation Misconfiguration: Timestream Missing Customer-Managed Encryption Key
  • AWS CloudFormation Misconfiguration: Weak API Gateway Authentication
  • AWS CloudFormation Misconfiguration: Weak Certificate Manager Authentication
  • AWS CloudFormation Misconfiguration: Weak IAM Authentication
  • AWS CloudFormation Misconfiguration: Weak Lambda Authentication
  • AWS CloudFormation Misconfiguration: Weak RDS Authentication

Customizable Password Management Regular Expressions Update
Customizable Password Management regular expressions for Salesforce Apex, Dart, and PowerShell scripts can now be specified using the following properties:

  • fortify.sca.rules.password_regex.apex
  • fortify.sca.rules.password_regex.dart
  • fortify.sca.rules.password_regex.powershell

These properties can be used to override the default regular expressions used to identify passwords when scanning Salesforce Apex source code, Dart source code, or PowerShell scripts.
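As an added example serving both the Secret Scanning Update above and the customizable password regular expressions just described (example code, not Fortify's rules or regexes): a small regex-based scanner that reports the three secret-scanning categories over constructed PowerShell and Dart snippets, with the password identifier pattern overridable per language in the same spirit as the properties above. The identifier patterns, the placeholder filter, and the sample inputs are assumptions made for the example.

```python
"""Added example: a minimal regex-based secret scanner for PowerShell and Dart
sources. Not Fortify's rules; identifier patterns below are illustrative."""
import re
from dataclasses import dataclass
from typing import List

# Default identifier patterns, one per category (assumptions for this example).
PASSWORD_NAME_RE = re.compile(r"(?i)(pass(word|wd|phrase)?|pwd)")
ENC_KEY_NAME_RE = re.compile(r"(?i)(enc(ryption)?[_-]?key|aes[_-]?key|private[_-]?key|secret[_-]?key)")
API_CRED_NAME_RE = re.compile(r"(?i)(api[_-]?key|access[_-]?token|auth[_-]?token|client[_-]?secret|bearer)")

# Assignment of a string literal, per language:
#   PowerShell: $name = "literal"      Dart: [final|const|var|late] [String] name = "literal";
ASSIGNMENT_RE = {
    "powershell": re.compile(r'^\s*\$(?P<name>\w+)\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)\s*(#.*)?$'),
    "dart": re.compile(r'^\s*(?:(?:final|const|var|late)\s+)?(?:String\s+)?(?P<name>\w+)'
                       r'\s*=\s*(?P<q>["\'])(?P<value>.*?)(?P=q)\s*;'),
}

# Literals that are templates or placeholders rather than secrets; skipping them cuts false positives.
PLACEHOLDER_RE = re.compile(r"^(\$\{?\w+\}?|<[^>]*>|\{\{.*\}\}|%\w+%)$")


@dataclass(frozen=True)
class Finding:
    category: str
    line: int
    name: str


def scan(source: str, language: str, password_regex: str = "") -> List[Finding]:
    """Scan one file. password_regex, when given, replaces the default password
    identifier pattern for this language (the analogue of a per-language override)."""
    assign = ASSIGNMENT_RE[language]
    pw_re = re.compile(password_regex) if password_regex else PASSWORD_NAME_RE
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = assign.match(line)
        if not m:
            continue  # not a string-literal assignment (e.g. Read-Host, env lookup)
        name, value = m.group("name"), m.group("value")
        if PLACEHOLDER_RE.match(value):
            continue  # "${VAR}", "<your-token>", "{{ secret }}", "%VAR%"
        if pw_re.search(name):
            category = ("Password Management: Empty Password" if value == ""
                        else "Password Management: Hardcoded Password")
        elif value == "":
            continue  # an empty literal is only a finding for passwords
        elif ENC_KEY_NAME_RE.search(name):  # before API creds: "secret_key" is a key
            category = "Key Management: Hardcoded Encryption Key"
        elif API_CRED_NAME_RE.search(name):
            category = "Credential Management: Hardcoded API Credentials"
        else:
            continue
        findings.append(Finding(category, lineno, name))
    return findings


# Constructed sample inputs (not taken from any real project).
POWERSHELL_SAMPLE = """\
$ErrorActionPreference = "Stop"
$dbPassword = "Summ3r2023!"
$apiKey = "sk_test_000000000000"
$aesKey = "0123456789abcdef"
$adminPwd = "${ADMIN_PWD}"
$svcPassword = ""
$token = Read-Host -AsSecureString
"""

DART_SAMPLE = """\
const baseUrl = "https://example.invalid";
final String dbPassword = "hunter2";
var encryptionKey = "000102030405060708090a0b0c0d0e0f";
String accessToken = "<your-token>";
final passphrase = "";
const clave = "abc123";
"""

if __name__ == "__main__":
    for lang, src in (("powershell", POWERSHELL_SAMPLE), ("dart", DART_SAMPLE)):
        for f in scan(src, lang):
            print(f"{lang}:{f.line}: {f.category} ({f.name})")
    # A custom password pattern also catches the non-English identifier on the last Dart line.
    print(scan(DART_SAMPLE, "dart", password_regex=r"(?i)(pass|clave)")[-1])
```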

OWASP Mobile Application Security Verification Standard (MASVS) v2.0.0
The OWASP MASVS v2.0.0 standard was released in April 2023 as part of the OWASP Mobile Application Security (MAS) project. It offers a baseline for mobile application security requirements and is intended for mobile software architects, developers, and testers. OWASP MASVS 2.0 focuses on the application security of the "client" mobile application running on the mobile device. As such, it should be used in combination with the OWASP ASVS to assess the server-side application security risks of the controls for remote endpoints. To support our customers in developing secure mobile applications and evaluating mobile applications for security control coverage and risk mitigation, a correlation of the Fortify Taxonomy to the OWASP MASVS v2.0.0 has been added.

Miscellaneous Errata
In this release, resources have been invested to reduce the number of false positive issues, refactor for consistency, and improve customers' ability to audit issues. Customers can also expect to see changes in reported issues related to the following:

Deprecation of the "Access Control" Category
The Access Control category for Salesforce Apex has been removed in this release. The lack of field-level security checks is now indirectly captured through other categories, such as Access Control: Database and SOQL Injection.

Deprecation of the "Link Injection: Auto Dial" Category
The Link Injection: Auto Dial category has been removed because it is outdated. The category was introduced to address CVE-2017-2484, in which unsanitized user input in iOS apps could be exploited by attackers to auto-dial phone numbers or FaceTime calls. Apple fixed this issue in the iOS 10.3 update, so the category is no longer relevant for current iOS apps.

Deprecated Standards Mappings
The following standards and best practices have been marked as obsolete, so that they will not show by default:

  • CWE Top 25 2019
  • CWE Top 25 2020
  • DISA STIG 4.9
  • DISA STIG 4.10
  • OWASP Top 10 2004
  • OWASP Top 10 2007
  • OWASP Top 10 2010
  • SANS Top 25 2009
  • SANS Top 25 2010
  • WASC 24 + 2

PHP Dynamic Functions[2]
The latest Fortify Static Code Analyzer includes updated PHP support, enabling the reporting of Dynamic Code Evaluation: Code Injection issues against dynamic functions that are referenced by unsanitized external input.

Java Unsafe class
The Java JDK contains a hidden class, sun.misc.Unsafe, for performing inherently unsafe operations that are not normally available to developers and that requires reflection to instantiate. Scan results now report any use of the sun.misc.Unsafe class within Java projects as Often Misused: sun.misc.Unsafe.

False Positive Improvements
Work has continued with the effort to remove false positives in this release. In addition to other improvements, customers can expect further removal of false positives in the following areas:

  • Access Control: Unenforced Sharing Rules – false positives removed in Salesforce Triggers, Visualforce pages, and components
  • Command Injection – false positives removed when flagging on regular expressions in JavaScript
  • Cookie Security: Cookie not Sent Over SSL – false positives removed in Swift when the recommended remediation is applied
  • Credential Management: Hardcoded API Credentials – false positives removed when identifying bearer tokens
  • Dead Code: Expression is Always false – false positives removed when appearing in Java switch statements
  • Dockerfile Misconfiguration: Dependency Confusion – false positives removed on "apt" and "apt-get" commands within dockerfiles
  • Log Forging (debug) – false positives removed in Salesforce Apex applications when printing HTTP request header values
  • Race Condition: Signal Handling – false positives removed in C/C++ when invoking sigaction()
  • String Termination Error – false positives removed when triggering on primitive types in C++
  • Unused Method – false positives removed in Java code where method is called by an implemented Serializable method
  • Dataflow false positives in JavaScript have been removed that might have triggered on boolean values

Category Changes
When a weakness category is renamed, merging prior scan results with new scans will show the old category as removed and the new category as added.

To improve consistency, the following categories have been renamed:

  • Azure Terraform Misconfiguration: Improper CosmosDB CORS Policy now reports as Azure Terraform Misconfiguration: Improper Cosmos DB CORS Policy
  • Kubernetes Misconfiguration: Missing ServiceAccount Admission Controller now reports as Kubernetes Misconfiguration: Missing Service Account Admission Controller
  • NoSQL Injection: CosmosDB now reports as NoSQL Injection: Cosmos DB

Fortify SecureBase [Fortify WebInspect]

Fortify SecureBase combines checks for thousands of vulnerabilities with policies that guide users. The following updates are available immediately via SmartUpdate:

Vulnerability Support

Insecure Deployment: Unpatched Application:
ZK Framework, an open-source Java library used to create enterprise mobile and web applications, contains a security vulnerability identified by CVE-2022-36537. Attackers can exploit this vulnerability to retrieve the content of a file located in the web context. Successful exploitation enables an attacker to obtain sensitive information or target an endpoint that might otherwise be unreachable. This release includes a check to detect this vulnerability on target servers that use affected ZK Framework versions.

Miscellaneous Errata
In this release, we invested resources to further reduce the number of false positives and improve the ability for customers to audit issues. Customers can also expect to see changes in reported findings related to the following:

Command Injection:
The checks identified by IDs 11722 and 11723 have been added; they use payloads that support the Out-of-band Application Security Testing (OAST) feature[3], which reduces false positives and increases the accuracy of WebInspect scan results.

Fortify Premium Content

The research team builds, extends, and maintains a variety of resources outside our core security intelligence products.

OWASP MASVS v2.0.0
To accompany the new correlations, this release also contains a new report bundle for Fortify Software Security Center with support for OWASP MASVS v2.0.0, which is available for download from the Fortify Customer Support Portal under Premium Content.

Fortify Taxonomy: Software Security Errors
The Fortify Taxonomy site, which contains descriptions for newly added category support, is available at https://vulncat.fortify.com.
A new off-cloud version of the Fortify Taxonomy site, consistent with the above live site, is now available to customers for download from the Fortify Support Portal.

Contact Fortify Technical Support

OpenText Fortify
https://softwaresupport.softwaregrp.com/
+1 (800) 509-1800

Contact SSR

Alexander M. Hoole
Senior Manager, Software Security Research
OpenText Fortify
hoole@opentext.com
+1 (650) 427-9973

Peter Blay
Manager, Software Security Research
OpenText Fortify
pblay@opentext.com
+1 (669) 309-1634


[1] Requires Fortify Static Code Analyzer 23.1.0. For best results, use Fortify Static Code Analyzer 23.1.1.
[2] Requires SCA 23.1 and above
[3] Because the 11723 check sends a significant number of requests, it is excluded from the Standard policy. Use either the All Checks policy, customize an existing policy to include the check, or create a custom policy to run this check.
