Questions tagged [veracode]

Veracode provides automated static and dynamic application security testing software and remediation services.

321 questions
3 votes, 4 answers

Security flaws in code with Veracode tool

I ran my application for security compliance in the Veracode tool, and whenever the tool finds any logging it is detected as a flaw in the code. The flaw says the following: Improper Output Neutralization for Logs. Description: Function call could result in a log…
BOSS

3 votes, 1 answer

Why does Veracode report CWE-89?

I have this SQL query written in JDBC which contains dynamic table and field names: private String checkDimension(String tenantId, String prefix, Long schemaMetaId, Long transactionalMetaId, String dimension,…

3 votes, 1 answer

Unable to fix Veracode CWE ID 918 flaw (SSRF) when using API gateway pattern in a microservices architecture

I am using the API Gateway pattern in a microservices architecture in which the front-end Angular app makes an HTTP request to my API Gateway project, which is simply an ASP.NET Core 3.1 Web API project. Currently I only have 2 microservices and an API…

3 votes, 0 answers

Veracode CWE 89 help requested when attempting to load an Excel file to a DataTable in .NET (web)

Veracode SAST scanner is tagging Excel file imports with a CWE 89 (SQL Injection): Attack Vector: system_data_dll.System.Data.Common.DbDataAdapter.Fill Number of Modules Affected: 1 Description: This database query contains a SQL injection flaw.…

3 votes, 1 answer

org.owasp.esapi.reference.DefaultEncoder vs. org.owasp.encoder.Encode

Both the org.owasp.esapi.reference.DefaultEncoder and org.owasp.encoder.Encode classes provide some of VeraCode's Supported Cleansing Functions for addressing potential cross-site scripting (XSS) attacks. Given that they both come from OWASP, I…
kc2001

3 votes, 1 answer

Veracode issue CWE 915

I have a POST method in my ASP.NET Core web API which takes a model as a parameter (binding POST content directly to the model). The model contains all the parameters as optional parameters. While scanning the web service using Veracode, I get…

3 votes, 3 answers

Veracode still reports OS command injection issue after I have applied the solution recommended by OWASP and Roslyn Security Guard

The current code in my project is shown below, and Veracode reports there is an OS command injection: filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") & ".svg" ProcessStartInfo startInfo = default(ProcessStartInfo); Process pStart = new…
NoName

3 votes, 2 answers

Avoid Veracode CWE-80: Improper Neutralization of Script-Related HTML in jQuery html() method

I've just completed my first Veracode static scan of an ASP.NET MVC web application, and Veracode found dozens of CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page flaws. Nearly all of them involve the use of the jQuery…
Tom Regan

3 votes, 3 answers

How to resolve External Control of File Name or Path (CWE ID 73)

I am working on fixing Veracode issues in my application. Veracode has highlighted the flaw "External Control of File Name or Path (CWE ID 73)" in the code below. Thread.currentThread().getContextClassLoader().getResourceAsStream(lookupName) How do I…
Nicolas

3 votes, 1 answer

Forcing HttpOnly JSESSIONID in deployed OC4J/Oracle Application Server

We have a legacy application running on Oracle Application Server J2EE 10g 10.1.3.5.0 using OC4J containers. To clear a Veracode dynamic scan flaw CWE ID-402 (and for best practice) we need to set the HttpOnly flag on our JSESSIONID cookies. We…
kmarx

3 votes, 0 answers

Veracode flagging API action with optional parameters for not having input validation

I'm using .NET Web API 2 and I'm getting a Veracode flaw from the code scan: 'The Controller's Action is missing a Route Attribute that will perform input validation on Action parameters using a Route Constraint.... Remediation: Make sure to use…
Alex

3 votes, 0 answers

How to resolve CWE ID 501 trust boundary violation

Veracode is showing a violation flaw. Below is the code: public boolean saveSession(HttpServletRequest request, UserSession useSession){ if (request.getSession().getAttribute( USER_ATTRIBUTES) == null && useSession!=null){ …

3 votes, 1 answer

Prevent XSS in Spring MVC controller

Hi, in my project Veracode reported an XSS issue, CWE ID 80. Here is my request handler method: @RequestMapping(value = "/Update.mvc") public @ResponseBody String execute(@ModelAttribute UpdateForm updateForm, BindingResult result, …
Xelian

3 votes, 0 answers

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80) for response.BinaryWrite

I tried applying encoding to the filename but am still getting the Veracode error at response.BinaryWrite(data); Below is my code: WebClient req = new WebClient(); HttpResponse response = HttpContext.Current.Response; …
raghu

3 votes, 1 answer

CWE-73: External Control of File Name or Path Veracode Java solution

Can somebody please help me find a Java coding solution for the Veracode scanning error below? I am creating a file and passing the file location as an argument. File file1=new File(filePath); **CWE-73: External Control of File Name or Path**
Raj Singh
