Absent Member.

Update to Java 7 does not eliminate parse double vulnerability


After updating to Java 7, Fortify is still reporting the "parse double" vulnerability. How come?


Accepted Solutions
Micro Focus Expert

Being a static analysis tool, SCA only looks at your source code. SCA does not know on which Java version the application will be deployed, and thus cannot know whether this specific vulnerability is relevant or not.

As such, it will always report this vulnerability independent of what Java version you use to compile or run the application. You have several options for handling these vulnerabilities in SCA/SSC:

  • To stop SCA from reporting this vulnerability altogether, you can use the -filter option to specify a filter file during the scan.
  • Alternatively, you can use a custom filter in your project template to filter out these vulnerabilities (the vulnerabilities are included in the scan, but filtered from view in AWB/SSC).
  • You can also manually suppress the relevant issues, or set the analysis to 'Not an Issue' in either AWB or SSC.

Please see the SCA User Guide for details on any of these options.


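As an added illustration of the first option in the answer above (this is not from the original post and not Fortify's documentation): a filter file passed with `-filter` is a plain text file with one entry per line, where each entry is a full category name, an instance ID or a rule ID. The category name below is assumed to be the one the rulepack uses for this finding; check it against the category string shown in AWB/SSC for your rulepack version, because an entry that does not match exactly filters nothing.

```text
Denial of Service: Parse Double
```

Save it as, for example, `parse_double.filter` and pass it at scan time: `sourceanalyzer -b <build-id> -scan -filter parse_double.filter -f results.fpr` (the build ID and output name are placeholders). Note the trade-off the answer hints at: this removes the findings from the FPR entirely, so there is no record that anyone reviewed them. A project-template filter or an audited 'Not an Issue' keeps that evidence, which matters if the application is later deployed on a JRE you did not plan for, and in all three cases the decision should rest on having confirmed the runtime actually in use rather than the JDK used to compile.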
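The answer's key point is that SCA cannot see the runtime, so the check has to be done on the deployment side. The class below is an added example (not from the forum thread, not Fortify's code) that does that: `runtimeIsFixed()` probes the JVM it runs on with the input publicly documented as hanging `Double.parseDouble` on JDKs that predate the fix, and `parse()` puts a hard deadline on any single parse so that, on a JVM that still has the bug, a malicious value costs one rejected request instead of a worker thread spinning forever. The trigger value and the class, method and timeout names are assumptions of this example; nothing on the page names them.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example, not code from the forum thread or from Fortify.
 * Written without lambdas so it compiles on Java 7, the version the question asks about.
 */
public final class SafeDoubleParser {

    // Input publicly documented as sending Double.parseDouble into an infinite loop on
    // JDKs that predate the fix. It is syntactically a legal double, so input validation
    // alone does not stop it. Kept as a String: on an affected JDK the same value written
    // as a double literal would hang javac itself. (Assumed here; not stated on the page.)
    static final String KNOWN_TRIGGER = "2.2250738585072012e-308";

    // Daemon threads, so an abandoned, still-spinning parse cannot keep the JVM alive.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(new ThreadFactory() {
        @Override
        public Thread newThread(Runnable r) {
            Thread t = new Thread(r, "double-parse");
            t.setDaemon(true);
            return t;
        }
    });

    private SafeDoubleParser() {
    }

    /**
     * Parses s, failing closed with NumberFormatException if the parse has not
     * returned within timeoutMillis. This is the single Double.parseDouble call
     * site the application should route untrusted input through.
     */
    public static double parse(final String s, long timeoutMillis) {
        Future<Double> f = POOL.submit(new Callable<Double>() {
            @Override
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            return f.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // The old bug is a tight loop that never checks the interrupt flag, so
            // cancel(true) only detaches the Future; the stuck daemon thread is abandoned.
            f.cancel(true);
            throw new NumberFormatException("parse did not finish within " + timeoutMillis + " ms");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NumberFormatException) {
                throw (NumberFormatException) cause; // ordinary malformed input
            }
            throw new IllegalStateException(cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NumberFormatException("interrupted while parsing");
        }
    }

    /** True when this JVM parses the known trigger promptly, i.e. carries the fix. */
    public static boolean runtimeIsFixed() {
        try {
            parse(KNOWN_TRIGGER, 2000);
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version: " + System.getProperty("java.version"));
        System.out.println("parse double fixed in this runtime: " + runtimeIsFixed());
        System.out.println("ordinary input: " + parse("3.14", 2000));
        try {
            parse("not-a-number", 2000);
        } catch (NumberFormatException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run `main` under the JRE the application is actually deployed on, not the one on the build server; a fixed runtime prints `true`, an unpatched one prints `false` after the two-second deadline and leaves one spinning daemon thread behind, which is why the probe belongs in a deployment check rather than in request handling. SCA will still flag the `Double.parseDouble` call inside `parse()`, which is the intended outcome: there is now exactly one call site to review, and one issue to filter or mark 'Not an Issue' with the runtime evidence attached. A loaded JVM can also miss the deadline on legitimate input, so treat a timeout as a rejected request and log it, not as proof of an attack.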
2 Replies
Absent Member.

Was your question answered? If so, please mark the question as correct, so other users will know. Thanks!

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.