[ 
https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Brian Harris updated JENA-243:
------------------------------

    Description: 
Our customer has run an HP Fortify scan against the Fuseki code base. I'd like 
to pass along these findings to the community so they can be reviewed and 
possibly addressed. I am unsure if I should submit a ticket for each individual 
finding, submit a ticket that lumps the findings into logical groups or submit 
one large ticket.

In all - there are 123 findings that fall into the following categories:

Cross-Site Scripting: Reflected
Dead Code: Expression is Always false
Dead Code: Expression is Always true
Header Manipulation
Missing Check against Null
Null Dereference
Obsolete
Often Misused: File Upload
Poor Error Handling: Empty Catch Block
Poor Error Handling: Overly Broad Catch
Poor Logging Practice: Use of a System Output Stream
Poor Style: Identifier Contains Dollar Symbol ($)
Poor Style: Non-final Public Static Field
System Information Leak
System Information Leak: Incomplete Servlet Error Handling
Trust Boundary Violation
Unreleased Resource: Streams
 
It's quite possible some of these are false positives.

Any direction is greatly appreciated. Thanks!


  was:
Our customer has run an HP Fortify scan against the Fuseki code base. I'd like 
to pass along these findings to the community so they can be reviewed and 
possibly addressed. I am unsure if I should submit a ticket for each individual 
finding, submit a ticket that lumps the findings into logical groups or submit 
one large ticket.

In all - there are 123 findings that fall into the following categories:

Cross-Site Scripting: Reflected
Dead Code: Expression is Always false
Dead Code: Expression is Always true
Header Manipulation
Missing Check against Null
Null Dereference
Obsolete
Often Misused: File Upload
Poor Error Handling: Empty Catch Block
Poor Error Handling: Overly Broad Catch
Poor Logging Practice: Use of a System Output Stream
Poor Style: Identifier Contains Dollar Symbol ($)
Poor Style: Non-final Public Static Field
System Information Leak
System Information Leak: Incomplete Servlet Error Handling
Trust Boundary Violation
Unreleased Resource: Streams

Some of these are flagged as more important such as the XSS violation and must 
be corrected prior to moving into a production environment. And, it's quite 
possible some of these are false positives.

Any direction is greatly appreciated. Thanks!


    
> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
>                 Key: JENA-243
>                 URL: https://issues.apache.org/jira/browse/JENA-243
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

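To make the category names in the report concrete for reviewers triaging it, here is an added illustration that is not Fuseki code and not part of the ticket: a hypothetical servlet written in the style that produces several of the listed Fortify findings, next to a hardened counterpart that does the same job without them. The class names, the "query" and "format" parameters, the X-Result-Format header and the /results.txt resource are all invented for the example; the comments map each line to the Fortify category it would be reported under, as those categories are generally understood, which is a reviewer's reading rather than anything the scan output on the ticket states.

```java
// Added illustration, not Fuseki code: a hypothetical servlet written the way that
// triggers several of the listed Fortify categories, and a hardened counterpart.
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** "Before": each comment names the Fortify category the line would be reported under. */
class WeakQueryServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String q = req.getParameter("query");       // may be null: Missing Check against Null
        String fmt = req.getParameter("format");
        resp.setHeader("X-Result-Format", fmt);     // Header Manipulation: raw input into a header
        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();
        out.println("<p>Query was: " + q + "</p>"); // Cross-Site Scripting: Reflected
        req.getSession().setAttribute("lastQuery", q); // Trust Boundary Violation
        try {
            InputStream in = getServletContext().getResourceAsStream("/results.txt");
            byte[] buf = new byte[1024];
            int n;
            while ((n = in.read(buf)) != -1)        // Null Dereference if the resource is missing
                out.write(new String(buf, 0, n, "UTF-8"));
            in.close();                             // Unreleased Resource: Streams (skipped on exception)
        } catch (Exception e) {                     // Poor Error Handling: Overly Broad Catch
            e.printStackTrace(out);                 // System Information Leak: stack trace to client
            System.out.println("query failed: " + e); // Poor Logging Practice: System Output Stream
        }
    }
}

/** Hardened counterpart: same behaviour without the flagged patterns. */
public class HardenedQueryServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(HardenedQueryServlet.class.getName());
    // Allow-list: only these tokens are ever copied into a response header.
    private static final Pattern FORMAT = Pattern.compile("^(json|xml|csv)$");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String q = req.getParameter("query");
        String fmt = req.getParameter("format");
        if (q == null) q = "";                      // null handled before any use
        if (fmt == null || !FORMAT.matcher(fmt).matches()) fmt = "json";

        InputStream in = getServletContext().getResourceAsStream("/results.txt");
        if (in == null) {                           // null checked before any dereference
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setHeader("X-Result-Format", fmt);     // validated value, never raw input
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<p>Query was: " + escapeHtml(q) + "</p>"); // encoded before reflection
        if (q.length() <= 4096)                     // validated before crossing into session state
            req.getSession().setAttribute("lastQuery", q);
        try {
            byte[] buf = new byte[1024];
            int n;
            while ((n = in.read(buf)) != -1)
                out.write(new String(buf, 0, n, StandardCharsets.UTF_8));
        } catch (IOException e) {                   // narrow catch, handled inside the servlet
            LOG.log(Level.WARNING, "failed to copy results", e); // details go to the log only
            out.println("<p>internal error</p>");   // generic message to the client
        } finally {
            in.close();                             // released on every path
        }
    }

    /** Entity-encode the five HTML-significant characters; '&' must be replaced first. */
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

Both classes compile against the javax.servlet API that Fuseki 0.2.1 ran on; drop them into a servlet container to see the contrast, or run Fortify over the file to confirm which category each commented line lands in. The hardened version also avoids "System Information Leak: Incomplete Servlet Error Handling" by catching and answering the I/O failure inside doGet instead of letting the exception escape to the container's default error page.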