
How to trigger warnings for these? Sql injection, stack trace, and hard coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple code snippets that I found helpful for a quick test.

1) SQL injection

dbConnection = Utilities.getDBConnection();
sqlStatement = dbConnection.createStatement();

// "data" comes straight from the caller and is appended into the query text (the injection test case)
String query = "update users set status = 'updated' where name = '" + data + "'";

Boolean result = sqlStatement.execute(query);

2) StackTrace

try {
    sqlStatement.execute(query);
} catch (Exception e) {
    // dumps the full stack trace to stderr (the information leak / poor logging test case)
    e.printStackTrace();
}

3) Hard coded constants for db connection

// placeholder credentials, not real values; the literal password is what the hard-coded password test relies on
private static final String MYSQL_USERNAME = "dbuser";
private static final String MYSQL_PASSWORD = "changeme";

static Connection getDBConnection() throws SQLException {
    return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);
}


Thanks!

  • 0

    Hi mo,

    Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

    System Information Leak
    Poor Logging Practice: Use of System Output Stream
    Password Management: Hardcoded Password

    It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

    So if your question is whether Fortify would detect these, I would say definitely. 

    If you are not yet a customer, ask if they offer a free trial where you could try this yourself.
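    For comparison, here are hardened counterparts to the three snippets from the question (an added example, not code from the thread or from Fortify): a parameterised statement instead of string concatenation, a logger instead of printStackTrace, and credentials read from the environment instead of string literals. It assumes a MySQL JDBC driver on the classpath and a `users` table with `name` and `status` columns; the environment variable names are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.logging.Level;
import java.util.logging.Logger;

public class HardenedExamples {
    private static final Logger LOG = Logger.getLogger(HardenedExamples.class.getName());

    // 3) Credentials come from the environment (or a secrets manager), never from
    //    literals in source. Variable names are assumptions for this example.
    static Connection openConnection() throws SQLException {
        String user = System.getenv("MYSQL_USERNAME");
        String password = System.getenv("MYSQL_PASSWORD");
        if (user == null || password == null) {
            throw new IllegalStateException("database credentials not configured");
        }
        return DriverManager.getConnection("jdbc:mysql://localhost/dbName", user, password);
    }

    // 1) Parameterised statement: "data" is bound as a value, so it cannot
    //    change the structure of the query however it is crafted.
    static int markUpdated(Connection db, String data) throws SQLException {
        String sql = "update users set status = 'updated' where name = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, data);
            return ps.executeUpdate();
        }
    }

    // 2) Record the failure through a logger rather than dumping the stack
    //    trace to the console; callers only learn that the update failed.
    static boolean tryMarkUpdated(String data) {
        try (Connection db = openConnection()) {
            return markUpdated(db, data) > 0;
        } catch (SQLException e) {
            LOG.log(Level.SEVERE, "user status update failed", e);
            return false;
        }
    }
}
```

    Scanning this file alongside the original snippets is a quick way to confirm that the SQL Injection, System Information Leak and Hardcoded Password findings disappear when the cause is removed rather than being suppressed by audit settings.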


  • 0 in reply to 

    Thanks rhelsens. 

    I'm trying Fortify on Demand atm, but it doesn't produce anything for these. Any thoughts?

  • 0 in reply to 

    That's surprising. What are you choosing for Audit Preference? Is it possible that you are choosing Manual and a security expert at Micro Focus is reviewing and suppressing them?

    Audit preference determines whether a security expert will manually review the scan results for overall quality and to remove false positives. Selecting Automated audit will automatically suppress new issues identified as false positives by Fortify on Demand Scan Analytics with high confidence and publish the results without human review, which can reduce the turnaround time. We recommend a manual audit for the first scan of an application or release with major changes, with subsequent scans using automated audit for shorter turnaround times. False positive challenges can only be requested for issues introduced during a scan with manual audit.