Fortify - Path Manipulation

c#,security,model-view-controller,fortify

I can't make a comment because of the silly reputation rules, so I'll put this in an answer. You've shown where "path" comes from, but you don't mention where "fileName" comes from. If the value of that variable is coming from an untrusted source, then that is the cause of...

Can Fortify scan results be saved into a file?

fortify,fortify-source

You can run a report using Audit Workbench or Software Security Center. PDF reports typically don't contain enough detail to see all of the information regarding a vulnerability, but if the other person doesn't have Fortify it's better than nothing. You can also try posting Fortify issues to their...

HP Fortify SQL injection issue on preparedStatement in java

java,jdbc,coding-style,fortify

If you don't use the user input as a parameter for your prepared statement but instead build your SQL command by joining strings together, you are still vulnerable to SQL injection even when using prepared statements.
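An added example (not code from the original answer) that puts the two patterns side by side with plain JDBC. It assumes a hypothetical table users(name, email) and a JDBC driver on the classpath for the two query methods; the main() method needs neither, because the injection is visible in the SQL text before any driver is involved.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class UserLookup {

    // VULNERABLE: the untrusted value is spliced into the SQL text before
    // prepareStatement() ever sees it, so the "prepared" statement is whatever
    // the attacker wrote. Fortify reports this as SQL Injection even though a
    // PreparedStatement is used.
    static String buildUnsafeSql(String username) {
        return "SELECT email FROM users WHERE name = '" + username + "'";
    }

    static List<String> findEmailsUnsafe(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(buildUnsafeSql(username));
             ResultSet rs = ps.executeQuery()) {
            while (rs.next()) {
                emails.add(rs.getString("email"));
            }
        }
        return emails;
    }

    // FIXED: the SQL text is a constant containing a placeholder. The value is
    // bound with setString(), so the driver always treats it as data and it can
    // never change the structure of the query.
    static final String SAFE_SQL = "SELECT email FROM users WHERE name = ?";

    static List<String> findEmailsSafe(Connection conn, String username) throws SQLException {
        List<String> emails = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_SQL)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    emails.add(rs.getString("email"));
                }
            }
        }
        return emails;
    }

    public static void main(String[] args) {
        // Constructed attack input; no database is needed to see the problem.
        String attack = "' OR '1'='1";
        System.out.println("unsafe: " + buildUnsafeSql(attack));
        System.out.println("safe:   " + SAFE_SQL);
    }
}
```

With the constructed input above, buildUnsafeSql() yields a WHERE clause of `name = '' OR '1'='1'`, which matches every row; SAFE_SQL is the same string no matter what the user sends, and the input is only ever passed through setString(). The fix is therefore not "use PreparedStatement" but "never concatenate untrusted input into the statement text".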

How to diff Fortify SCA scans

fortify

Use Audit Workbench to run a report. Choose "developer workbook" and disable all except one section. (you can choose any section you want). In the report section's additional properties, set the filter for the issues to [issue age]:new. This means the report will show ONLY issues in your FPR...

Fortify Cross Site Scripting in File

security,model-view-controller,xss,fortify

I'm assuming you are not returning HTML to your users (you are returning PDFs or Excel files, or something else for download by the browser instead of for render). The general guidelines are as follows: Set the correct Content-Type header. Set the following response header: X-Content-Type-Options: nosniff. Browsers such as...
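The headers described in this answer, as an added example that is not part of the original answer. The answer is about ASP.NET MVC; this is the equivalent for a Java servlet, and it assumes the Servlet 3.1+ API (javax.servlet namespace; Jakarta EE 9+ uses jakarta.servlet) and Java 9+. It also adds a Content-Disposition: attachment header, which the answer does not mention but which is what actually forces the browser to download rather than render.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.servlet.http.HttpServletResponse;

public class DownloadHeaders {

    // Prepare a response that the browser will download instead of rendering,
    // and that it will not reinterpret as HTML by sniffing the body.
    static void prepareDownload(HttpServletResponse resp, String contentType,
                                String fileName, long length) {
        // Defensive: only a bare, simple file name may reach a header value, so
        // nothing user-controlled can inject quotes or CRLF into the header.
        if (fileName == null || !fileName.matches("[A-Za-z0-9._-]{1,255}")) {
            throw new IllegalArgumentException("rejected file name");
        }
        // 1. The correct Content-Type for what is actually being sent.
        resp.setContentType(contentType);                      // e.g. "application/pdf"
        // 2. Tell the browser to trust that type rather than sniff the content.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        // 3. Download, not inline render (addition beyond the answer's list).
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
        resp.setContentLengthLong(length);
    }

    // Stream an already-validated file from disk with the headers above.
    static void sendFile(HttpServletResponse resp, Path file, String contentType) throws IOException {
        prepareDownload(resp, contentType, file.getFileName().toString(), Files.size(file));
        try (InputStream in = Files.newInputStream(file);
             OutputStream out = resp.getOutputStream()) {
            in.transferTo(out);
        }
    }
}
```

The file-name check is the same allowlist a path-traversal fix would use; here its job is header integrity rather than directory containment. Generic types such as application/octet-stream are acceptable for Content-Type when the real type is unknown, but text/html must never be sent for user-supplied content that is meant to be downloaded.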

Using Fortify SCA with Struts 2 and Spring

java,spring,struts2,fortify

Struts2 is thread-safe because it creates a new action instance per request. But it's not request scoped. (If you want to implement a request scope strategy in Struts2 you can read this question.) Instead it uses a default scope for the action instance. If Struts2 is integrated with Spring the scope...

Fortify SCA Exclude Multiple Files

fortify

If you use the Scan Wizard and review the resultant .bat file, you can see how they are invoking sourceanalyzer. For your particular question, you can create an argument file like so:

    -exclude "/src/main/xyz/pqr/Abc.java"
    -exclude "/src/main/xyz/test/abc.xsd"
    -exclude "/src/test/xyz/Xyz.java"

Name it something like Exclude.args and then invoke sourceanalyzer like so: sourceanalyzer.exe...

Security violation - Fortify, MVC

asp.net-mvc,fortify

HP is right this is a problem but not in the way they are saying -- the threat here is that you've got an action method that will load any file the web server can read and let a visitor download it. This could easily lead to other attacks depending...
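Both the "Fortify - Path Manipulation" answer above and this one describe the same defect: an untrusted file name is joined onto a trusted directory and then opened. Below is an added example, not code from either answer, showing the unchecked join beside a hardened resolver. BASE_DIR is a hypothetical download root; the sample names in main() are constructed inputs.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class SafeDownloadPath {

    // Hypothetical download root; a real application would load this from configuration.
    static final Path BASE_DIR = Paths.get("/var/app/downloads").toAbsolutePath().normalize();

    // Allowlist for bare file names: letters, digits, dot, underscore, hyphen. No separators.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9._-]{1,255}$");

    // VULNERABLE (the pattern Fortify flags as Path Manipulation): the untrusted
    // name is glued onto a trusted directory, so "../../etc/passwd" walks out of
    // the download root and the handler will serve any file the server can read.
    static Path resolveUnchecked(String fileName) {
        return Paths.get(BASE_DIR.toString() + "/" + fileName);
    }

    // HARDENED: validate the name against an allowlist, then confirm that the
    // normalized result is still inside BASE_DIR. Returns the resolved path or throws.
    static Path resolveChecked(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected file name");
        }
        Path resolved = BASE_DIR.resolve(fileName).normalize();
        // "." and ".." pass the character allowlist, so the containment check is still needed.
        if (resolved.equals(BASE_DIR) || !resolved.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes download root");
        }
        return resolved;
    }

    static boolean isAccepted(String fileName) {
        try {
            resolveChecked(fileName);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, the rest traversal attempts.
        String[] samples = { "report.pdf", "../../etc/passwd", "..", "sub/dir.txt", "" };
        for (String s : samples) {
            System.out.printf("%-22s unchecked=%s  accepted=%s%n",
                    "\"" + s + "\"", resolveUnchecked(s).normalize(), isAccepted(s));
        }
    }
}
```

The lexical check above is enough for Fortify's data-flow rule and for the traversal cases in main(), but it does not see through symbolic links: a link inside BASE_DIR that points outside it still passes. If the file must exist anyway, call toRealPath() on both BASE_DIR and the resolved path before the startsWith() comparison so that links are followed first.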

HP Fortify View Issues Created Since Last Scan

fortify

When you're looking at the issues either in Audit Workbench or Software Security Center, you'll see a drop-down box called "Group By". There's an option there for "New Issue". That will show you the issues based on when they were identified.

Fortify SSC “attack surface” options

security,fortify

The Audit Guide is simply a set of Filters that you can turn on and off. The "Taint from Command-Line Arguments" Audit Guide question has one filter, taint:args. It shows or hides the issues based on your checking or unchecking the question in the Audit Guide. Since no SSC reports...

Cross-Site Scripting Issue

c#,asp.net,fortify

If you're using .NET 4.5 you should use the AntiXssEncoder class to HTML encode the output (System.Web.Security.AntiXss.AntiXssEncoder.HTMLEncode()). Your above code would look like:

    <asp:Literal ID="litParticipants" runat="server" Text='<%# AntiXssEncoder.HTMLEncode(Eval("Participants")) %>' />

You can also set the default encoder for the app to the AntiXssEncoder in web.config like so:

    <httpRuntime ...encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0,...

Running Fortify scan without losing previous analysis

security,fortify

SCA by default merges your results with the previous scan. After the second scan, you will be able to filter on "new" issues that appeared in the second scan; or "removed" issues which have disappeared. The "removed" issues are hidden by default in the user interface. The issues that exist...

Obtaining text output from Fortify sourceanalyzer command line

c#,security,command-line,teamcity,fortify

Use the ReportGenerator utility. It was specifically designed for this purpose.

Securing a static SQL query from SQL Injection

java,mysql,prepared-statement,sql-injection,fortify

If you don't alter the SQL statements read from your file based on user input, then there is no SQL injection. On the other hand, if you don't have tight control over what can end up in this file (who can edit it?), then the whole program is a huge...