[ https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Brian Harris updated JENA-243:
------------------------------

    Attachment: Sanitized Fuseki Scan Findings.xlsx

Here is a spreadsheet of the findings.

> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
>                 Key: JENA-243
>                 URL: https://issues.apache.org/jira/browse/JENA-243
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
>         Attachments: Sanitized Fuseki Scan Findings.xlsx
>
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd
> like to pass along these findings to the community so they can be reviewed
> and possibly addressed. I am unsure if I should submit a ticket for each
> individual finding, submit a ticket that lumps the findings into logical
> groups, or submit one large ticket.
> In all, there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
> Some of these are flagged as more important, such as the XSS violation, and
> must be corrected prior to moving into a production environment. And it's
> quite possible some of these are false positives.
> Any direction is greatly appreciated. Thanks!

--
This message is automatically generated by JIRA.