Absent Member.

Large number of false positives String.Empty

In a large ASP.NET project there are a large number of false positives that share a sink with a legitimate vulnerability. For example, a string is initialized as String.Empty and then later set to a value from the database. The vulnerability is a Cross-Site Scripting: Persistent vulnerability and is legitimate. However, it is listed as a shared sink with many other unrelated pieces of code that are never used in this page or related business or data access logic. The only thing remotely linking these to the legitimate vulnerability is that these other pieces of code also have strings that initialize as String.Empty. Even the Diagram shows that these supposedly shared sinks never intersect with the legitimate vulnerability. It seems Fortify SCA treats System.String.Empty as a variable that is an alias and not a value.

Example:

    using System;

    class MyPage
    {
        String ReturnValueToUser = String.Empty;

        // ... logic to get a string value from the database and set ReturnValueToUser to that string
    }

    class SomeCompletelyUnrelatedClass
    {
        String InternalStringNeverOutputtedToUser = String.Empty;

        // ... some internal logic, completely unrelated, in a different class
    }

It seems SCA is linking these two unrelated classes and incorrectly counting SomeCompletelyUnrelatedClass in the XSS: Persistent findings based solely on its assumption that String.Empty is a common alias for a variable instead of a value for the true variables.

Has anyone else run up against this? Is it a known issue? I am using v 6.0.38 of the scan engine with all the latest rulepacks.

0 Likes
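To make the alias-versus-value distinction concrete, here is a small constructed taint model added for illustration; it is not code from the post and not how Fortify SCA is implemented. The names db.Read(), BuildLogLine() and the use of Response.Write as the sink are assumed placeholders.

```python
"""Toy flow-insensitive taint model: treating String.Empty as a shared
variable (an alias) instead of a constant pulls unrelated code into one
finding.  Constructed example, not Fortify SCA's actual analysis."""

EMPTY = "String.Empty"       # a constant under .NET semantics
DB_SOURCE = "db.Read()"      # constructed: value loaded from the database (taint source)
SINK = "Response.Write"      # constructed: HTML output (XSS: Persistent sink)

# Constructed program mirroring the post: (class, target, source) assignments.
PROGRAM = [
    ("MyPage", "ReturnValueToUser", EMPTY),
    ("MyPage", "ReturnValueToUser", DB_SOURCE),
    ("MyPage", SINK, "ReturnValueToUser"),
    ("SomeCompletelyUnrelatedClass", "InternalString", EMPTY),
    ("SomeCompletelyUnrelatedClass", "InternalString", "BuildLogLine()"),
]


def storage_key(program, cls, var, empty_is_alias):
    """Storage location of `var` in `cls`.  With the alias bug, String.Empty and
    every variable ever initialised from it collapse into ONE shared location."""
    if var == EMPTY:
        return EMPTY if empty_is_alias else None   # None: plain constant, never tainted
    if empty_is_alias and any(c == cls and t == var and s == EMPTY for c, t, s in program):
        return EMPTY
    return (cls, var)


def implicated_classes(program, empty_is_alias):
    """Propagate taint to a fixpoint; return the classes whose assignments end up
    in the dataflow reported against the sink (empty set means no finding)."""
    key = lambda cls, var: storage_key(program, cls, var, empty_is_alias)
    tainted = set()
    changed = True
    while changed:
        changed = False
        for cls, target, source in program:
            if source == DB_SOURCE or key(cls, source) in tainted:
                if key(cls, target) not in tainted:
                    tainted.add(key(cls, target))
                    changed = True
    if not any(t == SINK and key(c, t) in tainted for c, t, _ in program):
        return set()
    # Every assignment that writes a tainted location is listed in the trace,
    # which is how the unrelated class shows up as a "shared sink" entry.
    return {c for c, t, _ in program if key(c, t) in tainted}
```

With the alias interpretation both classes are reported; with String.Empty treated as a constant only MyPage, the real source-to-sink flow, remains.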
Micro Focus Frequent Contributor

It looks like this might be related to bug 43037 ("possible false positive around the String.Empty syntax"). I will add your comments to the bug report.

0 Likes
Commodore

How can I see the current state from this bug?

I'm having the same problem, even when the text property of the control is set directly to string.Empty.

Thanks in advance.

0 Likes