[ https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268449#comment-13268449 ]

Andy Seaborne edited comment on JENA-243 at 5/4/12 5:00 PM:
------------------------------------------------------------

Thank you for the report.

There seem to be a large number of false positives relating to coding style.

As to the XSS category (lines 2-8): of those, only line 7 refers to code which is not in the optional management interface or helper apps to validate formats.

It would be useful if you can establish the criteria for the HP Fortify report and remove false positives.

  was (Author: andy.seaborne):
Thank you for the report.

There seem to be a large number of false positives relating to coding style.

As to the XSS category (lines 2-8):

1/ Fuseki runs standalone - there is no other Java code to

2/ of those, only line 7 refers to code which is not in the optional management interface or helper apps to validate formats, and that's for JSONP triggered by the client request.

> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
>                 Key: JENA-243
>                 URL: https://issues.apache.org/jira/browse/JENA-243
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass along these findings to the community so they can be reviewed and possibly addressed. I am unsure if I should submit a ticket for each individual finding, submit a ticket that lumps the findings into logical groups, or submit one large ticket.
> In all, there are 123 findings that fall into the following categories:
>
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
>
> It's quite possible some of these are false positives.
>
> Any direction is greatly appreciated. Thanks!