How to trigger warnings for these? SQL injection, stack trace, and hard-coded passwords

Hi,

Does anyone know whether any of these can trigger a warning in Fortify on Demand? I'm trying to figure out which tool is better for me to use; these are just simple code snippets that I found helpful for a quick test.

1) SQL injection

Connection dbConnection = Utilities.getDBConnection();
Statement sqlStatement = dbConnection.createStatement();
// user-supplied "data" is concatenated straight into the SQL text
String query = "update users set status = 'updated' where name = '" + data + "'";
boolean result = sqlStatement.execute(query);

2) StackTrace

try {
    sqlStatement.execute(query);
} catch (Exception e) {
    e.printStackTrace(); // full stack trace written to the console/stderr
}

3) Hard coded constants for db connection

return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);

Thanks!

    Hi mo,

    Based on the code snippets you have provided, Fortify would likely create findings in the following categories.

    System Information Leak
    Poor Logging Practice: Use of System Output Stream
    Password Management: Hardcoded Password

    It would also very likely find that #1 is SQL Injection due to the dynamic nature of the query where you are inserting "data" by string appending.

    So if your question is whether Fortify would detect these, I would say definitely. 

    If you are not yet a customer, ask if they offer a free trial where you could try this yourself.
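    An added example, not code from the original post or from Fortify, that places each of the three snippets from the question beside a form a static analyser should no longer report: a bound parameter instead of string concatenation (SQL Injection), the application logger instead of printStackTrace() (System Information Leak / Poor Logging Practice), and credentials read at runtime instead of constants (Password Management: Hardcoded Password). The users table, the status and name columns, the constant values and the DB_USER / DB_PASSWORD environment variable names are assumptions made for the example.

```java
// Added example (not from the original post or from Fortify): each pattern the
// question asks about, beside a version that should not produce the finding.
// Assumes a JDBC driver on the classpath and a "users" table with "status" and
// "name" columns; all names and values below are constructed for illustration.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.logging.Level;
import java.util.logging.Logger;

public class FortifyPatterns {
    private static final Logger LOG = Logger.getLogger(FortifyPatterns.class.getName());

    // 1) SQL Injection: the caller-controlled "data" becomes part of the SQL text.
    static boolean updateStatusVulnerable(Connection db, String data) throws SQLException {
        String query = "update users set status = 'updated' where name = '" + data + "'";
        try (Statement st = db.createStatement()) {
            return st.execute(query);
        }
    }

    // Fixed: the value travels as a bound parameter and is never parsed as SQL.
    static int updateStatusSafe(Connection db, String data) throws SQLException {
        String query = "update users set status = 'updated' where name = ?";
        try (PreparedStatement ps = db.prepareStatement(query)) {
            ps.setString(1, data);
            return ps.executeUpdate(); // number of rows changed
        }
    }

    // 2) System Information Leak / Poor Logging Practice: trace goes to stderr,
    //    which in many deployments ends up in a console or an HTTP response.
    static void handleVulnerable(Exception e) {
        e.printStackTrace();
    }

    // Fixed: the trace is kept in the application log; anything shown to an
    // end user should be a generic message, not the exception details.
    static void handleSafe(Exception e) {
        LOG.log(Level.SEVERE, "database operation failed", e);
    }

    // 3) Password Management: Hardcoded Password (constructed placeholder values).
    private static final String MYSQL_USERNAME = "appuser";
    private static final String MYSQL_PASSWORD = "placeholder-not-a-real-secret";

    static Connection connectVulnerable() throws SQLException {
        return DriverManager.getConnection("jdbc:mysql://localhost/dbName", MYSQL_USERNAME, MYSQL_PASSWORD);
    }

    // Fixed: credentials are supplied by the environment (or a secrets manager)
    // at runtime, so no secret is compiled into the artifact. Variable names
    // DB_USER and DB_PASSWORD are assumptions for this example.
    static Connection connectSafe() throws SQLException {
        String user = System.getenv("DB_USER");
        String pass = System.getenv("DB_PASSWORD");
        if (user == null || pass == null) {
            throw new IllegalStateException("DB_USER and DB_PASSWORD must be set");
        }
        return DriverManager.getConnection("jdbc:mysql://localhost/dbName", user, pass);
    }
}
```

    The "vulnerable" methods are the ones to point a trial scan at; the paired "safe" methods are a quick way to confirm that the finding disappears once the pattern is removed rather than merely moved (for example, a PreparedStatement whose SQL text is still built by concatenation would keep the SQL Injection finding).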
