Lieutenant Commander

How to trigger warnings for these? SQL injection, stack trace, and hard-coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple code snippets that I found helpful for a quick test.

1) SQL injection

// Connection and statement come from the application's own helper
dbConnection = Utilities.getDBConnection();
sqlStatement = dbConnection.createStatement();
// Untrusted 'data' is concatenated straight into the SQL text (the injection point)
String query = "update users set status='updated' where name='" + data + "'";
boolean result = sqlStatement.execute(query);

2) StackTrace

} catch (Exception e) {
    // Writes the full trace (class, file and line numbers) to stderr
    e.printStackTrace();
}

3) Hard coded constants for db connection

// MYSQL_USERNAME and MYSQL_PASSWORD are compile-time String constants
return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);

Thanks!

Vice Admiral

Hi mo,

Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

System Information Leak
Poor Logging Practice: Use of System Output Stream
Password Management: Hardcoded Password

It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

So if your question is whether Fortify would detect these, I would say definitely. 

If you are not yet a customer, ask if they offer a free trial where you could try this yourself.

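For readers comparing the three snippets with their fixed forms, here is an added example (it is not code from this thread, from the OP's repository, or from Fortify) that places each pattern a scanner reports next to a hardened version of the same operation. The class name UserStatusDao, the table and column names, the placeholder credential constants and the environment variable names DB_URL, DB_USER and DB_PASSWORD are all assumptions of this example.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * Added example, not from the thread or from Fortify: each of the three patterns
 * in the question, first as a static analyser reports it, then hardened.
 * Table/column names and the environment variable names are assumptions.
 */
public class UserStatusDao {
    private static final Logger LOG = Logger.getLogger(UserStatusDao.class.getName());

    // --- 1) SQL Injection: untrusted 'data' becomes part of the SQL text ---
    static int markUpdatedUnsafe(Connection c, String data) throws SQLException {
        String query = "update users set status='updated' where name='" + data + "'";
        try (Statement st = c.createStatement()) {
            return st.executeUpdate(query);
        }
    }

    // Hardened: the SQL text is a constant and the value is bound as a parameter,
    // so a quote inside 'data' is treated as data, never as SQL syntax.
    static int markUpdated(Connection c, String data) throws SQLException {
        String query = "update users set status='updated' where name=?";
        try (PreparedStatement ps = c.prepareStatement(query)) {
            ps.setString(1, data);
            return ps.executeUpdate();
        }
    }

    // --- 2) System Information Leak / Poor Logging Practice ---
    static void reportUnsafe(Exception e) {
        e.printStackTrace();   // class names, file names and line numbers go to stderr
    }

    // Hardened: route the exception through a logger whose destination is
    // configured by the deployment instead of the process's standard streams.
    static void report(Exception e) {
        LOG.log(Level.SEVERE, "user status update failed", e);
    }

    // --- 3) Password Management: Hardcoded Password ---
    static final String MYSQL_USERNAME = "root";       // constructed placeholder
    static final String MYSQL_PASSWORD = "changeme";   // the literal is what gets flagged

    static Connection openUnsafe() throws SQLException {
        return DriverManager.getConnection("jdbc:mysql://localhost/dbName",
                MYSQL_USERNAME, MYSQL_PASSWORD);
    }

    // Hardened: no secret literal in source; the values arrive at runtime.
    static Connection open() throws SQLException {
        String url = requireEnv("DB_URL");
        String user = requireEnv("DB_USER");
        String password = requireEnv("DB_PASSWORD");
        return DriverManager.getConnection(url, user, password);
    }

    // Fail early with a clear message when a required setting is absent.
    private static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }

    public static void main(String[] args) {
        String input = args.length > 0 ? args[0] : "alice";
        try (Connection c = open()) {
            int rows = markUpdated(c, input);
            System.out.println("rows updated: " + rows);
        } catch (SQLException e) {
            report(e);
        }
    }
}
```

Scanning a file like this is a quick way to check a tool's coverage: the three "Unsafe" methods should each produce a finding in the categories named in the reply above, and the hardened methods should not. Environment variables are used here only to get the literal out of source; a deployment would normally inject them from a secrets store rather than a shell profile.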
Lieutenant Commander

Thanks rhelsens. 

I'm trying Fortify on Demand atm, but it doesn't produce anything for these. Any thoughts?

Vice Admiral

That's surprising. What are you choosing for Audit Preference? Is it possible that you are choosing Manual and a security expert at Micro Focus is reviewing and suppressing them?

Audit preference determines whether a security expert will manually review the scan results for overall quality and to remove false positives. Selecting Automated audit will automatically suppress new issues identified as false positives by Fortify on Demand Scan Analytics with high confidence and publish the results without human review, which can reduce the turnaround time. We recommend a manual audit for the first scan of an application or release with major changes, with subsequent scans using automated audit for shorter turnaround times. False positive challenges can only be requested for issues introduced during a scan with manual audit.

Lieutenant Commander

I'm using the trial version. Maybe that's the reason? My trial has expired so I don't have access to the reports atm, and can't tell what setting I chose, though I cannot remember a setting for a manual and auto check.

Vice Admiral

For what it's worth, I was curious and scanned "similar" code using the Fortify SCA on-premise scanner, which found the results I posted earlier, which is why I think these would be detected.

The code I scanned was a single Java file like this:

import java.sql.*;
import java.util.*;

class Main
{
    public static void main(String a[])
    {
        // Creating the connection (credentials are hard-coded on purpose, for the scan)
        String url = "jdbc:oracle:thin:@localhost:1521:xe";
        String username = "system";
        String password = "12345";

        // Entering the data
        Scanner k = new Scanner(System.in);
        System.out.println("enter name");
        String name = k.next();
        String cls = k.next();

        // Untrusted input concatenated into the SQL text (the injection point)
        String sql = "insert into table values('" + name + "')";
        Connection con = null;
        try
        {
            DriverManager.registerDriver(new oracle.jdbc.OracleDriver());
            con = DriverManager.getConnection(url, username, password);

            Statement st = con.createStatement();
            int m = st.executeUpdate(sql);
            con.close();
        }
        catch (Exception ex)
        {
            // printStackTrace() returns void, so it cannot be passed to println;
            // calling it directly still writes the full trace to stderr
            ex.printStackTrace();
        }
    }
}

Lieutenant Commander

Thanks. So I guess it's just the trial version for FoD that doesn't detect those.

Lieutenant Commander

May I ask for a favour? Could you try these files? https://github.com/Tahaei/sample-warnings
I'm doing research on security warnings for developers, if you can help me with that I'd really appreciate it. I just need to know what output Fortify generates for these. Thanks!
Micro Focus Expert

See the PM I sent you.

Based on what you are looking for and your questions around the forums, I highly suggest you contact someone in Sales who can give you some personalized demonstrations and may be able to provide what you are looking for: research results for your audience.

Asking someone to use their license to scan files on your behalf may violate the terms of their license agreement.

Lieutenant Commander

I did contact Sales; they didn't reply though. I think I just have to remove this product from my list. Thanks anyway!

Micro Focus Expert

As I mentioned in my private message to you, please contact me at my email for further information and I can get you in touch with someone to assist.

Lieutenant Commander

Fabulous! I just replied to that, thank you!