IBM AppScan has thrown the error "Validation Required" while scanning my app for the following code:

return Arrays.asList(System.getenv("PATH").split(":"));

I am not sure why the error is thrown. Could it be a false positive? Can I use

System.getProperty("java.class.path")
Machavity
John

2 Answers


AppScan is reporting a validation issue because you are getting the variable value from a source outside the app. According to IBM AppScan rules, all string values from outside the app should be validated. If you are sure that nobody will change the PATH value, you can say it is a false positive.

bchrabski
  • Thanks. But how do I validate the value of the PATH variable? The Java tutorial states that you should "never refer to an environment variable when the same value is available in a system property". So which property will return the same value as getenv("PATH")? – John Jul 20 '18 at 01:53
  • Check the vulnerability recommendation, and in AppScan Source you should see what will be accepted by the tool, or just mark it as a false positive. – bchrabski Jul 23 '18 at 09:03
Split function: it depends on what data you pass into the function. If the data is validated before being passed to the function, you can mark this issue as a false positive. Usually we mark the split function as a false positive.

rawat sapna
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/low-quality-posts/24192402) – MaartenDev Oct 01 '19 at 09:10
  • I am aware of all the Stack Overflow policies. Still, I understand your point, but if I know the answer I can post it, and if you think it is not the correct answer please update the correct answer. – rawat sapna Oct 03 '19 at 06:54
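Both answers say the finding goes away once the value coming from the environment is validated before use, but neither shows what that validation looks like, and John's follow-up question (which system property mirrors PATH) has no answer: there is none, since java.class.path is the JVM class path, not the operating system's executable search path. The class below is an added example written for this page; it is not code from the question, the answers, or IBM AppScan. The class name TrustedPath, the size caps and the sample PATH string are assumptions made for illustration. It also fixes two defects in the original one-liner: System.getenv can return null, and the separator is ':' only on Unix (File.pathSeparator is ';' on Windows).

```java
import java.io.File;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example (not from the original post): read PATH from the environment and
 * validate every entry before the rest of the application trusts it. An entry is
 * accepted only if it is non-empty, free of control characters, a legal absolute
 * path on this platform, and an existing directory. Anything else is dropped.
 */
public final class TrustedPath {

    private TrustedPath() {}

    // Sanity caps chosen for this example; they are not a standard.
    private static final int MAX_ENTRIES = 256;
    private static final int MAX_ENTRY_LENGTH = 4096;

    /** Reads PATH from the real environment and validates it (empty list if unset). */
    public static List<Path> validatedPath() {
        return validatedPath(System.getenv("PATH"), File.pathSeparator);
    }

    /**
     * Pure function over a raw PATH string so it can be exercised with constructed
     * input. {@code separator} should be {@link File#pathSeparator} in real use.
     */
    static List<Path> validatedPath(String rawPath, String separator) {
        if (rawPath == null || rawPath.isEmpty()) {
            return Collections.emptyList();   // unset PATH: nothing to trust, and no NPE
        }
        List<Path> accepted = new ArrayList<>();
        // String.split takes a regex; quote the separator so the call stays correct
        // even if the separator ever has regex meaning.
        for (String part : rawPath.split(Pattern.quote(separator))) {
            if (accepted.size() >= MAX_ENTRIES) {
                break;
            }
            Path p = validateEntry(part);
            if (p != null) {
                accepted.add(p);
            }
        }
        return Collections.unmodifiableList(accepted);
    }

    /** Returns the normalised directory, or null if the entry fails validation. */
    static Path validateEntry(String entry) {
        if (entry == null || entry.isEmpty() || entry.length() > MAX_ENTRY_LENGTH) {
            return null;                        // "/usr/bin::/bin" yields an empty entry
        }
        // NUL and other control characters never belong in a path; a NUL in
        // particular can truncate the name once it reaches native code.
        for (int i = 0; i < entry.length(); i++) {
            if (Character.isISOControl(entry.charAt(i))) {
                return null;
            }
        }
        Path p;
        try {
            p = Paths.get(entry).normalize();   // collapses "." and ".." segments
        } catch (InvalidPathException e) {
            return null;                        // not a legal path on this platform
        }
        if (!p.isAbsolute()) {
            return null;                        // relative entries resolve against the CWD
        }
        if (!Files.isDirectory(p)) {
            return null;                        // only existing directories are meaningful here
        }
        return p;
    }

    public static void main(String[] args) {
        // Constructed input, not from a real system: two plausible entries, an empty
        // one, a relative one and one with an embedded NUL. On a Unix host only
        // "/usr/bin" and "/" survive (if they exist as directories).
        String sample = "/usr/bin::bin:/tmp\u0000x:/";
        System.out.println("validated sample: " + validatedPath(sample, ":"));
        System.out.println("validated real PATH: " + validatedPath());
    }
}
```

Whether a scanner rule accepts this particular validation depends on the rule set, as bchrabski's comment notes; the point is that the program no longer passes a raw, possibly null, externally controlled string straight into its logic, and each rejection reason is explicit enough to justify marking any remaining finding as a false positive.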