Fortify static code scanning common problems and fixes
- 1、Portability Flaw: Locale Dependent Comparison (Code Quality, Control Flow)
- 2、Access Specifier Manipulation (Input Validation and Representation, Semantic)
- 3、Poor Style: Value Never Read (Code Quality, Structural)
- 4、Build Misconfiguration: External Maven Dependency Repository (Environment, Configuration)
- 5、Code Correctness: Byte Array to String Conversion (Code Quality, Semantic)
- 6、Code Correctness: Erroneous String Compare (Code Quality, Structural)
- 7、Dead Code: Expression is Always false (Code Quality, Structural)
- 8、Dead Code: Unused Method (Code Quality, Structural)
- 9、Denial of Service: Parse Double (Input Validation and Representation, Data Flow)
- 10、HTML5: Overly Permissive CORS Policy (Encapsulation, Semantic)
- 11、J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)
- 12、Missing Check against Null (API Abuse, Control Flow)
- 13、Password Management: Password in Comment (Security Features, Structural)
- 14、Poor Error Handling: Overly Broad Catch (Errors, Structural)
- 15、Access Control: Database (Security Features, Data Flow)
- 16、Header Manipulation (Input Validation and Representation, Data Flow)
- 17、Null Dereference (Code Quality, Control Flow)
- 18、Unreleased Resource: Streams (Code Quality, Control Flow)
- 19、Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)
1、Portability Flaw: Locale Dependent Comparison (Code Quality, Control Flow)
Portability pitfalls: locale-dependent comparisons (code quality, control flow)
if (tag.toUpperCase().equals("SCRIPT")){
return null;
}
if (tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT")){
return null;
}
if (tag.equalsIgnoreCase("SCRIPT")){
return null;
}
2、Access Specifier Manipulation (Input Validation and Representation, Semantic)
Access specifier operations (input validation and representation, semantics)
field.setAccessible(true);
修改为使用spring提供的类
import org.springframework.util.ReflectionUtils;
ReflectionUtils.makeAccessible(field);
3、Poor Style: Value Never Read (Code Quality, Structural)
Bad style: value is never used (code quality, structure)
4、Build Misconfiguration: External Maven Dependency Repository (Environment, Configuration)
Build Misconfiguration: External Maven dependencies (environment, configuration)
This Maven build script depends on external data sources, which can allow an attacker to insert malicious code into the final product, or take control of the build machine.
5、Code Correctness: Byte Array to String Conversion (Code Quality, Semantic)
Code correctness: byte array to string conversion (code quality, semantics)
public class ByteSerializerUtils extends JsonSerializer<byte[]>{
@Override
public void serialize(byte[] bytes, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException, JsonProcessingException {
jsonGenerator.writeString(new String(bytes));
}
}
修改为
new String(bytes,"UTF-8")
6、Code Correctness: Erroneous String Compare (Code Quality, Structural)
Code correctness: comparison of wrong strings (code quality, structure)
7、Dead Code: Expression is Always false (Code Quality, Structural)
dead code: expression is always false (code quality, structure)
8、Dead Code: Unused Method (Code Quality, Structural)
dead code: unused methods (code quality, structure)
9、Denial of Service: Parse Double (Input Validation and Representation, Data Flow)
Denial of service: parsing Double (input validation and representation, data flow)
10、HTML5: Overly Permissive CORS Policy (Encapsulation, Semantic)
HTML5: Overly permissive CORS policies (encapsulation, semantics)
Programs define overly permissive Cross-Origin Resource Sharing (CORS) policies.
11、J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)
J2EE Bad Practices: remaining debugging code (encapsulation, structure)
12、Missing Check against Null (API Abuse, Control Flow)
Missing checks for Null (API abuse, control flow)
13、Password Management: Password in Comment (Security Features, Structural)
Password Management: Passwords in Comments (Security Functions, Structures)
Storing passwords or password details in clear text in the system or system code can compromise system security in a way that cannot be easily repaired.
14、Poor Error Handling: Overly Broad Catch (Errors, Structural)
Poor Error Handling: Overly Broad Catch (Error, Structural)
Don't catch broad exception classes such as Exception, Throwable, Error or RuntimeException except at the highest level of a program or thread.
15、Access Control: Database (Security Features, Data Flow)
访问控制:数据库(安全特性,数据流)
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
Access control should be handled by the application and database layers, rather than relying on the presentation layer to restrict the values submitted by the user. Under no circumstances should users be permitted to retrieve or modify rows in the database without the appropriate privileges. Every query that accesses the database should enforce this strategy, which can usually be done simply by including the currently authenticated username as part of the query.
16、Header Manipulation (Input Validation and Representation, Data Flow)
Header manipulation (input validation and representation, data flow)
17、Null Dereference (Code Quality, Control Flow)
Null references (code quality, control flow)
18、Unreleased Resource: Streams (Code Quality, Control Flow)
Unpublished resources: Flow (code quality, control flow)
19、Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)
| risk type | reason |
|---|---|
| Code Correctness: Erroneous String Compare | The comparison of strings uses the wrong method |
| Cross-Site Scripting | The web browser sends illegal data, causing the browser to execute malicious code |
| Dead Code: Expression is Always true | The expression evaluates to always true |
| Dead Code: Unused Method | method not used |
| HTTP Response Splitting | Contains unvalidated data |
| J2EE Bad Practices: Leftover Debug Code | Some unimaginable entry points are established in the deployed web application |
| Missing Check against Null | It is possible to return null |
| Poor Error Handling: Empty Catch Block | Some exceptions are ignored, which may cause the program to fail to detect unexpected conditions |
| Poor Error Handling: Overly Broad Catch | There are many types of exceptions that can be handled by the Catch block, and there are often too many considerations that should not be troubled by handling various problems or failures at this position. |
| Poor Error Handling: Overly Broad Throws | Throws an exception that is too general, making it difficult for the caller to handle and fix the error that occurred |
| Poor Error Handling: Return inside Finally | May cause exception loss |
| Poor Logging Practice: Use of a System output stream | Using system.out or system.err is not a dedicated logging tool and can make it difficult to monitor the health of the program |
| Poor Style: Value Never Read | The value assigned to the variable is not used |
| System Information Leak: HTML Comment in JSP | Any information contained in comments may help attackers understand the system and develop corresponding attack plans |
| Unchecked Return Value | The return value of some methods is ignored |
| J2EE Bad Practices: Threads | Prohibits the use of thread management for web applications in certain circumstances |
| JavaScript Hijacking: Ad Hoc Ajax | Vulnerabilities exist in passing sensitive data using Javascript symbols |
| Denial of Service | Reading a file may allow an attacker to crash the program |
| System Information Leak | printstackTrace() to prompt the system data to help the attacker formulate an attack plan |
| Insecure Randomness | Generated random numbers cannot withstand encryption attacks |
| Null Dereference | referenced a null pointer |
| Unreleased Resource: Streams | System resources allocated by the FileInputStream() function could not be released successfully |
| Redundant Null Check | referenced a null pointer |
| Dead Code: Unused Field | unused field |
| Axis 2 Misconfiguration: Debug Information | With the SOAP Monitor module, attackers can intercept SOAP traffic |
| Poor Error Handling: Program Catches nullpointerexception | NullPointException can be caught, generally speaking, it is not a good method |
| Poor Style: Confusing Naming | Duplicate name |
| Dead Code: Expression is Always false | The evaluation of the expression is always false |
| J2EE Misconfiguration: Incomplete Error handing | Configure default error pages to handle uncaught exceptions |
| Path Manipulation | An attacker can control the File path parameter to access or modify other protected files |
| Poor Logging Practice: Logger Not Declared static final | The logger should be declared as a fixed and final logger |
| Poor Style: Redundant Initialization | The value assigned to the variable is not used |
| Code Correctness: null Argument to equals() | The expression obj.equals(null) will always be false |
| Privacy Violation:Heap Inspection | |
| J2EE Bad Practices:Leftover Debug Code | |
| Poor Error Handling:Overly Broad Throws | |
| Password Management Password in Configuration File | |
| Build Misconfiguration:External Maven Dependency Repository |