Fortify code scan issues and fixes

Common issues reported by Fortify static code scanning and how to fix them
1. Portability Flaw: Locale Dependent Comparison (Code Quality, Control Flow)

Flagged code (the case conversion follows the JVM default locale):
    if (tag.toUpperCase().equals("SCRIPT")) {
        return null;
    }

Change to either a comparison with a fixed locale (java.util.Locale):
    if (tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT")) {
        return null;
    }

or to equalsIgnoreCase, which does not depend on the default locale:
    if (tag.equalsIgnoreCase("SCRIPT")) {
        return null;
    }
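The following is an added example, not code from the original page, showing why the flagged comparison misbehaves and why both fixes hold. It switches the JVM default locale to Turkish, where upper-casing a lowercase i yields the dotted capital İ (U+0130), so "script".toUpperCase() no longer equals "SCRIPT"; the pinned-locale and equalsIgnoreCase forms are unaffected. The class and method names are illustrative.

```java
import java.util.Locale;

// Added example, not code from the page: why tag.toUpperCase().equals("SCRIPT")
// is locale dependent and why the two fixes are not.
public class LocaleCompareDemo {

    // Flagged form: the case mapping follows Locale.getDefault().
    static boolean isScriptTagDefaultLocale(String tag) {
        return tag.toUpperCase().equals("SCRIPT");
    }

    // Fix 1: pin the locale used for the case mapping.
    static boolean isScriptTagFixedLocale(String tag) {
        return tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT");
    }

    // Fix 2: equalsIgnoreCase maps characters one at a time without consulting the default locale.
    static boolean isScriptTagIgnoreCase(String tag) {
        return tag.equalsIgnoreCase("SCRIPT");
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Under tr-TR, "i".toUpperCase() is "\u0130" (dotted capital I), so the flagged
            // form produces "SCR\u0130PT": a check meant to reject script tags misses this one.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String tag = "script";
            System.out.println("toUpperCase() under tr-TR:  " + tag.toUpperCase());
            System.out.println("default-locale compare:     " + isScriptTagDefaultLocale(tag));
            System.out.println("Locale.ENGLISH compare:     " + isScriptTagFixedLocale(tag));
            System.out.println("equalsIgnoreCase compare:   " + isScriptTagIgnoreCase(tag));
        } finally {
            // Restore the process-wide default so the demo does not affect anything else.
            Locale.setDefault(original);
        }
    }
}
```

The default locale is process-wide state that the deployment environment sets, not the code, which is why a comparison that passes every test on a developer machine can fail in production.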
2. Access Specifier Manipulation (Input Validation and Representation, Semantic)

Flagged code:
    field.setAccessible(true);

Change to the helper class provided by Spring:
    import org.springframework.util.ReflectionUtils;

    ReflectionUtils.makeAccessible(field);

Note that the helper still calls setAccessible internally when the field or its declaring class is not public; it centralizes the reflective access rather than removing it.
3. Poor Style: Value Never Read (Code Quality, Structural)

4. Build Misconfiguration: External Maven Dependency Repository (Environment, Configuration)

This Maven build script depends on an external data source, which could allow an attacker to insert malicious code into the final product or take control of the build machine.
5. Code Correctness: Byte Array to String Conversion (Code Quality, Semantic)

    import java.io.IOException;

    // Jackson 2 packages assumed; the page does not name the Jackson version.
    import com.fasterxml.jackson.core.JsonGenerator;
    import com.fasterxml.jackson.core.JsonProcessingException;
    import com.fasterxml.jackson.databind.JsonSerializer;
    import com.fasterxml.jackson.databind.SerializerProvider;

    public class ByteSerializerUtils extends JsonSerializer<byte[]> {
        @Override
        public void serialize(byte[] bytes, JsonGenerator jsonGenerator, SerializerProvider serializerProvider)
                throws IOException, JsonProcessingException {
            // Flagged: decodes with the platform default charset, so the output depends on the host.
            jsonGenerator.writeString(new String(bytes));
        }
    }

Change to
    new String(bytes, "UTF-8")
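The following is an added example, not code from the page or the project, showing what new String(bytes) actually depends on and why the explicit-charset form is portable. The sample bytes are constructed (the UTF-8 encoding of "ünïcödé"); the class and method names are illustrative. Since JDK 18 the default charset is UTF-8 unless file.encoding says otherwise, but older JVMs and differently configured containers vary, which is exactly the variability the finding is about.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

// Added example, not code from the page: shows what new String(bytes) depends on
// and why the explicit-charset form behaves the same on every host.
public class CharsetDemo {

    // Constructed sample: the UTF-8 encoding of "ünïcödé" (written with \u escapes so the
    // source file's own encoding does not matter).
    static final byte[] SAMPLE = "\u00fcn\u00efc\u00f6d\u00e9".getBytes(StandardCharsets.UTF_8);

    // Flagged form: decodes with Charset.defaultCharset(), which comes from the JVM/OS
    // configuration (file.encoding), not from the data.
    static String decodeWithDefault(byte[] bytes) {
        return new String(bytes);
    }

    // Fixed form: the charset is explicit, so the result does not depend on the host.
    // StandardCharsets.UTF_8 also avoids the checked exception the "UTF-8" string form declares.
    static String decodeUtf8(byte[] bytes) {
        return new String(bytes, StandardCharsets.UTF_8);
    }

    // Decodes with a chosen charset, to simulate the flagged form running on a host whose
    // default charset differs from the one the bytes were written with.
    static String decodeAs(byte[] bytes, Charset cs) {
        return new String(bytes, cs);
    }

    // True only if decoding and re-encoding with the same charset reproduces the original bytes.
    static boolean roundTrips(byte[] bytes, Charset cs) {
        return Arrays.equals(bytes, new String(bytes, cs).getBytes(cs));
    }

    public static void main(String[] args) {
        System.out.println("default charset on this host: " + Charset.defaultCharset());
        System.out.println("new String(bytes):            " + decodeWithDefault(SAMPLE));
        System.out.println("explicit UTF-8:               " + decodeUtf8(SAMPLE));
        // A host whose default is ISO-8859-1 decodes the same bytes into mojibake.
        System.out.println("simulated ISO-8859-1 host:    " + decodeAs(SAMPLE, StandardCharsets.ISO_8859_1));
        // ISO-8859-1 maps every byte to a character, so a round trip alone does not prove the
        // text was decoded as intended; US-ASCII replaces bytes above 0x7f and does not round-trip.
        System.out.println("UTF-8 round trip:             " + roundTrips(SAMPLE, StandardCharsets.UTF_8));
        System.out.println("ISO-8859-1 round trip:        " + roundTrips(SAMPLE, StandardCharsets.ISO_8859_1));
        System.out.println("US-ASCII round trip:          " + roundTrips(SAMPLE, StandardCharsets.US_ASCII));
    }
}
```

For a serializer, the practical consequence is that the same byte[] field can produce different JSON on different hosts, which breaks signatures, hashes and equality checks computed over that JSON downstream.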
6. Code Correctness: Erroneous String Compare (Code Quality, Structural)

7. Dead Code: Expression is Always false (Code Quality, Structural)

8. Dead Code: Unused Method (Code Quality, Structural)

9. Denial of Service: Parse Double (Input Validation and Representation, Data Flow)

10. HTML5: Overly Permissive CORS Policy (Encapsulation, Semantic)

The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy.
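The following is an added example, not code from the page, showing the permissive policy next to an allowlist-based one. It is framework-neutral: each method returns the response headers to set, so it can be wired into any servlet filter or controller. The allowlist, the sample Origin values and the class name are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added example, not code from the page: an overly permissive CORS policy next to an
// allowlist-based one. Origin values and the allowlist are constructed for the example.
public class CorsPolicy {

    // Origins this API is intended to serve (constructed for the example).
    static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com:8443");

    // Flagged pattern: any page on any site may read the response.
    static Map<String, String> permissiveCorsHeaders(String requestOrigin) {
        return Map.of("Access-Control-Allow-Origin", "*");
    }

    // Hardened: echo the Origin header back only when it is an exact allowlist match; otherwise
    // return no CORS headers at all, so the browser refuses to expose the response to the caller.
    static Map<String, String> restrictedCorsHeaders(String requestOrigin) {
        String origin = normalizeOrigin(requestOrigin);
        if (origin == null || !ALLOWED_ORIGINS.contains(origin)) {
            return Map.of();
        }
        // Vary: Origin keeps shared caches from serving one origin's response to another.
        return Map.of("Access-Control-Allow-Origin", origin, "Vary", "Origin");
    }

    // Accepts only a bare "scheme://host[:port]" origin and lower-cases scheme and host;
    // anything else (missing parts, userinfo, a path, a query, unparsable text) is rejected,
    // so the comparison is an exact match rather than a prefix or substring test.
    static String normalizeOrigin(String origin) {
        if (origin == null) {
            return null;
        }
        try {
            URI u = new URI(origin);
            boolean bareOrigin = u.getScheme() != null && u.getHost() != null
                    && u.getRawUserInfo() == null
                    && (u.getRawPath() == null || u.getRawPath().isEmpty())
                    && u.getRawQuery() == null && u.getRawFragment() == null;
            if (!bareOrigin) {
                return null;
            }
            String base = u.getScheme().toLowerCase(Locale.ROOT) + "://"
                    + u.getHost().toLowerCase(Locale.ROOT);
            return u.getPort() == -1 ? base : base + ":" + u.getPort();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        String[] samples = {
                "https://app.example.com",        // allowlisted
                "HTTPS://APP.EXAMPLE.COM",        // same origin, different case
                "https://admin.example.com:8443", // allowlisted with explicit port
                "https://other.example.org",      // not allowlisted
                "null",                           // what browsers send for opaque origins
                null                              // no Origin header: not a cross-origin request
        };
        for (String o : samples) {
            System.out.println(o + " -> permissive " + permissiveCorsHeaders(o)
                    + " | restricted " + restrictedCorsHeaders(o));
        }
    }
}
```

Two details matter in review: a wildcard is never combined with Access-Control-Allow-Credentials, and a reflected Origin is only acceptable when it has been checked against a fixed allowlist as above, not when it is echoed unconditionally.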
11. J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)

12. Missing Check against Null (API Abuse, Control Flow)

13. Password Management: Password in Comment (Security Features, Structural)

Storing passwords or password details in plain text in the system or its source code can compromise system security in a way that cannot easily be remedied.
14. Poor Error Handling: Overly Broad Catch (Errors, Structural)

Do not catch broad exception classes such as Exception, Throwable, Error or RuntimeException, except at the top level of the program or thread.
15. Access Control: Database (Security Features, Data Flow)

Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
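The following is an added example, not code from the page, showing the same lookup written the way the finding flags it and the way the text recommends, plus the equivalent rule for a write. The table and column names (invoices, id, owner_username, body), the InvoiceRepository class and its methods are constructed for the example; the JDBC calls are standard java.sql.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

// Added example, not code from the page: access control enforced in the query itself.
// Schema and class names are constructed for the example.
public class InvoiceRepository {

    private final Connection conn;

    InvoiceRepository(Connection conn) {
        this.conn = conn;
    }

    // Flagged pattern: relies on the presentation layer only ever submitting ids the caller
    // is entitled to see. The database cannot tell a legitimate request from a guessed id.
    Optional<String> findInvoiceUnchecked(long invoiceId) throws SQLException {
        String sql = "SELECT body FROM invoices WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, invoiceId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("body")) : Optional.empty();
            }
        }
    }

    // Recommended pattern: the authenticated user name, taken from the server-side session
    // (never from a request parameter), is part of the WHERE clause, so the query returns
    // nothing for rows the caller does not own. Parameters stay bound, so adding the
    // ownership predicate does not reopen SQL injection.
    Optional<String> findInvoiceForOwner(long invoiceId, String authenticatedUser) throws SQLException {
        String sql = "SELECT body FROM invoices WHERE id = ? AND owner_username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, invoiceId);
            ps.setString(2, authenticatedUser);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("body")) : Optional.empty();
            }
        }
    }

    // Same rule for writes: the ownership predicate is in the UPDATE, and the affected-row
    // count tells the caller whether the row existed and belonged to the user. Treating a
    // count of 0 as a failure is what keeps a modification of someone else's row inert.
    boolean updateInvoiceForOwner(long invoiceId, String authenticatedUser, String newBody) throws SQLException {
        String sql = "UPDATE invoices SET body = ? WHERE id = ? AND owner_username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, newBody);
            ps.setLong(2, invoiceId);
            ps.setString(3, authenticatedUser);
            return ps.executeUpdate() == 1;
        }
    }
}
```

The ownership column must be populated from the server's own notion of the authenticated principal at insert time; if the client can set it, the predicate checks a value the client chose.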
16. Header Manipulation (Input Validation and Representation, Data Flow)
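The following is an added example, not code from the page, of a guard for values that flow from a request into a response header, which covers this finding and the HTTP Response Splitting row in the table below. It is framework-neutral (the returned value is what would be passed to the container's setHeader or sendRedirect); the class, method names and sample inputs are constructed for the example.

```java
// Added example, not code from the page: validation for header values built from user input.
// Method names and the sample values are constructed for the example.
public final class SafeHeaders {

    // Rejects CR, LF and other control characters: a header value containing CR or LF
    // terminates the current header line, which is what makes response splitting possible.
    static String requireSafeHeaderValue(String value) {
        if (value == null) {
            throw new IllegalArgumentException("header value is null");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == 0x7f || (c < 0x20 && c != '\t')) {
                throw new IllegalArgumentException(
                        "control character U+" + String.format("%04X", (int) c) + " in header value");
            }
        }
        return value;
    }

    // For a Location header built from user input, structural validation beats character
    // filtering: accept only an absolute path within this application. "//host" and "/\host"
    // are rejected because browsers treat both as protocol-relative URLs to another host.
    static String requireLocalRedirectTarget(String target) {
        if (target == null || !target.startsWith("/")
                || target.startsWith("//") || target.startsWith("/\\")) {
            throw new IllegalArgumentException("redirect target must be a local absolute path");
        }
        return requireSafeHeaderValue(target);
    }

    static String check(String label, String value, java.util.function.UnaryOperator<String> guard) {
        try {
            return label + " accepted: " + guard.apply(value);
        } catch (IllegalArgumentException e) {
            return label + " rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values as they might arrive in a request parameter.
        String[] headerSamples = {
                "en-GB",                       // ordinary value
                "en-GB\r\nX-Injected: 1",      // CRLF would start a second header line
                "en-GB\u0000",                 // other control characters are rejected too
        };
        for (String s : headerSamples) {
            System.out.println(check("header", s, SafeHeaders::requireSafeHeaderValue));
        }
        String[] redirectSamples = {
                "/account/summary?tab=recent",   // local path: fine
                "//cdn.example.org/login",       // protocol-relative: leaves the site
                "https://other.example.org/",    // absolute URL: leaves the site
                "/ok\r\nX-Injected: 1",          // local path but with CRLF
        };
        for (String s : redirectSamples) {
            System.out.println(check("redirect", s, SafeHeaders::requireLocalRedirectTarget));
        }
    }
}
```

Current servlet containers reject CR and LF in header values on their own, so the character check is defence in depth; the structural check on redirect targets is the part the container cannot do for you.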
17. Null Dereference (Code Quality, Control Flow)

18. Unreleased Resource: Streams (Code Quality, Control Flow)
19. Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)

Risk type | Reason
Code Correctness: Erroneous String Compare | Strings are compared with the wrong method
Cross-Site Scripting | Invalid data is sent to the web browser, causing the browser to execute malicious code
Dead Code: Expression is Always true | The expression always evaluates to true
Dead Code: Unused Method | A method that is never used
HTTP Response Splitting | Contains unvalidated data
J2EE Bad Practices: Leftover Debug Code | Creates unintended entry points in the deployed web application
Missing Check against Null | A null value may have been returned
Poor Error Handling: Empty Catch Block | Some exceptions are ignored, which can leave the program unable to notice unexpected conditions
Poor Error Handling: Overly Broad Catch | The catch block handles too many kinds of exceptions, so it ends up dealing with problems and faults that should not be handled at this point
Poor Error Handling: Overly Broad Throws | Throws an overly general exception, making it hard for callers to handle and recover from the error
Poor Error Handling: Return inside Finally | May cause exceptions to be lost
Poor Logging Practice: Use of a System output stream | Using System.out instead of a dedicated logging tool makes the program's runtime state hard to monitor
Poor Style: Value Never Read | The value assigned to a variable is never used
System Information Leak: HTML Comment in JSP | Any information contained in comments may help an attacker understand the system and plan an attack
Unchecked Return Value | The return value of some method is ignored
J2EE Bad Practices: Threads | Thread management by web applications is prohibited in some environments
JavaScript Hijacking: Ad Hoc Ajax | Passing sensitive data in JavaScript notation is vulnerable
Denial of Service | Reading a file may allow an attacker to crash the program
System Information Leak | printStackTrace() output reveals system details that help an attacker plan an attack
Insecure Randomness | The generated random numbers cannot withstand cryptographic attack
Null Dereference | A null pointer is dereferenced
Unreleased Resource: Streams | The system resources allocated by FileInputStream() are not released
Redundant Null Check | A null pointer is dereferenced
Dead Code: Unused Field | A field that is never used
Axis 2 Misconfiguration: Debug Information | Through the SOAP Monitor module, an attacker can intercept the SOAP message flow
Poor Error Handling: Program Catches NullPointerException | Catching NullPointerException is generally not a good approach
Poor Style: Confusing Naming | Duplicate naming
Dead Code: Expression is Always false | The expression always evaluates to false
J2EE Misconfiguration: Incomplete Error Handling | Configure a default error page to handle uncaught exceptions
Path Manipulation | An attacker can control the File path parameter and use it to access or modify other protected files
Poor Logging Practice: Logger Not Declared static final | Loggers should be declared static and final
Poor Style: Redundant Initialization | The value assigned to a variable is never used
Code Correctness: null Argument to equals() | The expression obj.equals(null) is always false
Privacy Violation: Heap Inspection |
J2EE Bad Practices: Leftover Debug Code |
Poor Error Handling: Overly Broad Throws |
Password Management: Password in Configuration File |
Build Misconfiguration: External Maven Dependency Repository |
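The following is an added example, not code from the page, showing concretely how the "Return inside Finally" and "Empty Catch Block" patterns in the table lose exceptions, next to a form that keeps the failure visible. The class and method names are constructed; the audit log is a plain list standing in for a real logger.

```java
import java.util.ArrayList;
import java.util.List;

// Added example, not code from the page: why "Return inside Finally" and "Empty Catch Block"
// lose exceptions, and a form that keeps them. Method names are constructed for the example.
public class ExceptionLossDemo {

    // Flagged: the return in finally runs after every exit from the try block, so it replaces
    // both a normal return value and any exception in flight. "42" and "abc" both yield -1,
    // and the NumberFormatException for "abc" is discarded without a trace.
    static int parseWithReturnInFinally(String s) {
        try {
            return Integer.parseInt(s);
        } finally {
            return -1;
        }
    }

    // Flagged: the empty catch turns malformed input into a silent default; nothing is logged,
    // so operators never learn that bad input reached this point.
    static int parseWithEmptyCatch(String s) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
        }
        return -1;
    }

    // Corrected: finally is used only for cleanup that must always run, the catch is narrow, the
    // failure is recorded, and the caller receives a typed error with the cause attached instead
    // of a sentinel value it could mistake for real data.
    static int parseWithCleanup(String s, List<String> auditLog) {
        try {
            return Integer.parseInt(s);
        } catch (NumberFormatException e) {
            auditLog.add("rejected input: " + s);
            throw new IllegalArgumentException("not an integer: " + s, e);
        } finally {
            auditLog.add("parse attempted for: " + s);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one valid, one malformed.
        for (String input : new String[] {"42", "abc"}) {
            System.out.println("return-in-finally(" + input + ") = " + parseWithReturnInFinally(input));
            System.out.println("empty-catch(" + input + ")       = " + parseWithEmptyCatch(input));
            List<String> log = new ArrayList<>();
            try {
                System.out.println("corrected(" + input + ")         = " + parseWithCleanup(input, log));
            } catch (IllegalArgumentException e) {
                System.out.println("corrected(" + input + ") threw: " + e.getMessage()
                        + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
            }
            System.out.println("  audit log: " + log);
        }
    }
}
```

javac only warns about the return in finally when compiled with -Xlint:finally, which is why this pattern survives into production code and why the scanner flags it.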