Questions tagged [veracode]

Veracode provides automated static and dynamic application security testing software and remediation services

321 questions
3 votes, 0 answers

How to prevent XXE attack (XmlSerializer in .Net)

We had a Veracode security audit on some old legacy apps and found that we are vulnerable to an External Entity (XXE) attack. I have fixed most of the problems but I've run across some code I have no idea how to deal with and I am hoping someone…
comfortablyNumb
3 votes, 2 answers

How to fix Veracode error: Information Exposure Through Sent Data

Veracode fails the following line of code: string server = Decryptor.Decrypt(ConfigurationManager.AppSettings["ConnectionPoint"]); System.Net.HttpWebRequest objRequest = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(server); Does anyone…
gene
3 votes, 2 answers

Veracode directory traversal issue C#

I have this code that stores a file to the server: function void StoreFile(string inputFileName) { ... var extension = Path.GetExtension(inputFileName); if(extension == ".csv") { var fileName = string.Format("{0}_{1}{2}",…
freshbm
3 votes, 1 answer

How to resolve CWE 117 Issue

I have a CWE 117 issue reported in my product. CWE 117 issue is that the software does not properly sanitize or incorrectly sanitizes output that is written to logs, and one possible solution I got was to add the following while logging. String clean…
Divya Rose
3 votes, 0 answers

Security: CWE-201: What is the correct way to securely read a properties file using openStream?

I'm working on coming up with a solution for CWE-201 that is flagged from Veracode. Background: CWE-201: Information Exposure Through Sent Data Information Exposure Through Sent Data Weakness ID: 201 (Weakness Variant) Status: Draft +…
joker1979
3 votes, 4 answers

What is the best way to fix "Improper Restriction of xml external entity reference"?

We recently ran VeraCode, which points out the following method: public XmlElement RunProcedureXmlElement(string Procedure, List Parameters) { DataSet ds = RunProcedureDataSet(Procedure, Parameters); …
piterskiy
2 votes, 3 answers

What is the purpose of ESAPI?

We use Veracode Static Code Analysis for finding and fixing code vulnerabilities. One recurring theme is that they reference ESAPI as the recommended solution for fixing them, such as CWE 117 (How to fix Veracode CWE 117 (Improper Output Neutralization…
rcbiczok
2 votes, 1 answer

Azure DevOps Security Scan as part of build and pull request on only incremental changes

We are trying to build an Azure DevOps pipeline (YAML based pipeline) where the build is triggered on a pull request, but what we want to do is only execute a step (security scanning through the Veracode extension) on the incremental changes, i.e.…
2 votes, 1 answer

Getting Server-Side Request Forgery (SSRF) (CWE ID 918) restTemplate.getForEntity

I am using restTemplate for synchronous inter-service communication in a microservices architecture. When we completed the Veracode scan, we got Server-Side Request Forgery (SSRF) (CWE ID 918) in getForEntity…
SSK
2 votes, 0 answers

Can I integrate Log Analytics with log4j2?

Use-case: Running a Spark job in Databricks and monitoring logs in Log Analytics. Issue: In the Veracode report, I am getting security vulnerabilities (CRLF) with the Slf4j logger. I am looking for other approaches; with Log4j2 I don't see any issues. Now my…
2 votes, 2 answers

Veracode Scan: jQuery html method showing Improper Neutralization of Script-Related HTML Tags in a Web Page issue

Veracode is pointing out the issue Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in the below line. $('#SummaryDiv').html(data); $.ajax({ url: 'Target_URL', type: 'GET', …
2 votes, 2 answers

How can I use xmllint to map a certain value from an XML file?

I'm a beginner. I need to script an automation command line in Linux (but haven't achieved success yet) that can map the value sandbox_id= and output it, using the XML as follows:
2 votes, 0 answers

Fix for javax.xml.parsers.DocumentBuilderFactory's XXE flaw (CWE ID 611) flagged by Veracode scans in Android

javax.xml.parsers.DocumentBuilderFactory is used in our Android app to parse and read XML as well as to modify and write to the XML file. Veracode flags the usage of javax.xml.parsers.DocumentBuilderFactory with CWE ID 611 "Improper Restriction of…
RRG
2 votes, 1 answer

ColdFusion 9 - prevent SQL injection while using dynamic table/view name

I'm not a ColdFusion developer, but this has been put on my head to fix within a week. Problem: our legacy app creates a view by empid and uses the logged-in user id to select records from the view. Then this variable is used in…
Navi
2 votes, 1 answer

How to fix VeraCode issue "Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)" for dot net core 2.0 Angular Project?

I am getting the Veracode issue (CWE ID 327 & 326) "Use of a Broken or Risky Cryptographic Algorithm" with two Microsoft DLLs (microsoft.codeanalysis.dll and microsoft.identitymodel.tokens.dll). Below are the approaches we have tried to mitigate this…
M P Reddy