[ https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryn Davies updated JENA-243:
-----------------------------
Attachment: JENA-243.suggested-xss-fixes.patch
Andy,
I was hoping you might accept this patch. It aims to escape any rendered
content originating from a request parameter. This should resolve any XSS
findings of the Fortify scan.
> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
> Key: JENA-243
> URL: https://issues.apache.org/jira/browse/JENA-243
> Project: Apache Jena
> Issue Type: Question
> Components: Fuseki
> Affects Versions: Fuseki 0.2.1
> Reporter: Brian Harris
> Attachments: JENA-243.suggested-xss-fixes.patch
>
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd
> like to pass along these findings to the community so they can be reviewed
> and possibly addressed. I am unsure if I should submit a ticket for each
> individual finding, submit a ticket that lumps the findings into logical
> groups or submit one large ticket.
> In all, there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
>
> It's quite possible some of these are false positives.
> Any direction is greatly appreciated. Thanks!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
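The approach the comment describes (escape request-derived content at the point it is rendered) as an added illustration; this is not the attached patch or Fuseki's own code, and the class, method names and sample input are hypothetical:

```java
// Added illustration, not the attached JENA-243 patch: a request parameter is
// HTML-escaped before being written into a page, which is what removes the
// reflected-XSS condition the Fortify scan reports. Names are hypothetical.
public final class QueryPageRenderer {

    // Minimal HTML entity escaping. Only adequate for element content and
    // double-quoted attribute values; not for script blocks, URLs or CSS.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Vulnerable form: the "query" request parameter is echoed verbatim, so
    // any markup it contains is interpreted by the browser (reflected XSS).
    static String renderUnescaped(String queryParam) {
        return "<textarea name=\"query\">" + queryParam + "</textarea>";
    }

    // Hardened form: the same parameter is escaped where it is rendered.
    static String renderEscaped(String queryParam) {
        return "<textarea name=\"query\">" + escapeHtml(queryParam) + "</textarea>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a SPARQL-looking value with embedded markup.
        String param = "SELECT * WHERE { ?s ?p \"</textarea><b>x</b>\" }";
        System.out.println(renderUnescaped(param)); // markup survives intact
        System.out.println(renderEscaped(param));   // markup rendered as text
    }
}
```

The escaped output keeps the textarea intact because `<`, `>` and `"` in the parameter arrive at the browser as entities rather than markup.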