Stack Overflow
Stack Overflow

Questions tagged [veracode]

Veracode provides automated static and dynamic application security testing software and remediation services

321 questions
2
votes
4 answers

How to fix Trust Boundary Violation flaw in Java Web application

I am receiving a Trust Boundary Violation from Veracode. My code is userName= req.getParameter(Constant.USERNAME); session.setAttribute(Constant.USERNAME, userName); //At this line i am getting Trust Boundry Violation flaw. How can I validate…
user1782009
  • 299
  • 4
  • 15
  • 32
2
votes
1 answer

External Control of File Name or Path security issue

I have a code File file = new File(fileName) This fileName i am preparing from other details. However, I am getting External Control of File Name or Path flaw when I submit my code to security scan tool 'Vera Code'. Can someone please help me…
user1782009
  • 299
  • 4
  • 15
  • 32
1
vote
0 answers

How to fix CWE 78: Improper Neutralization of Special Elements used in an OS Command

anyone knows how to fix CWE 78? Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Here is my code has CWE 78 after veracode scan: https://cwe.mitre.org/data/definitions/78.html private void…
Ming
  • 379
  • 1
  • 6
  • 20
1
vote
0 answers

Create anchor link from location.pathname and sanitise data

Hi I'm trying to generate breadcrumbs from the contents of window.location.pathname, everything works well except when I run the code through Veracode it's complaining that the input is untrusted. I have tried replacing all the characters on the…
Dandelion
  • 153
  • 1
  • 9
1
vote
0 answers

Unexpected Veracode error "Improper Restriction of XML External Entity Reference (CWE ID 611)" (XMLInputFactory vulnerable to XXE)

I'm receiving a Veracode error CWE 611, flagging a block with the following code: public static T toObject( JAXBContext jaxbContext, String xml ) throws JAXBException, XMLStreamException { XMLInputFactory xif =…
Drew Stevens
  • 382
  • 1
  • 12
1
vote
0 answers

Java- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89) Veracode Static issue

After running a Vercode report After R&D I didn't get solution for this. Description This database query contains a SQL injection flaw. The function call constructs a dynamic SQL query using a variable derived from untrusted input. An attacker could…
Sanket Shirsat
  • 11
  • 1
1
vote
1 answer

Sonar and Veracode

Is sonar and veracode serves the same purpose or we can use both tools to scan our applications? Metrics like, coverage, duplications, bugs and code smells are avilable in sonar but they are not available in veracode. so we need to use both tools or…
Naresh Ede
  • 123
  • 2
  • 12
1
vote
2 answers

Veracode insertion of sensitive information into sent data (CWE 201) using HttpClient.GetAsync()

I have a MVC application. I have a generic method that does HttpClient GetAsync in which there is a low veracode flaw on this line HttpResponseMessage response = client.GetAsync(client.BaseAddress).Result; Here is he Method. public static async…
Diego
  • 2,238
  • 4
  • 31
  • 68
1
vote
1 answer

Jenkins pipeline, is there a way to set environment variable from console output

My jenkinsfile containes two stages, build and upload&scan (veracode for static scans). My console output would contain somthing like: build_id="21682834" refers to veracode scan ID. Can anyone help in finding this number and set it as environment…
Elian
  • 31
  • 4
1
vote
1 answer

ASP.NET Core 6.0 ExceptionHandlerMiddleware : Avoid information leak through error messages

I have an ASP.NET Core 6.0 Web API application with the below ExceptionHandlerMiddleware: public class ExceptionHandlerMiddleware { private readonly RequestDelegate next; public ExceptionHandlerMiddleware(RequestDelegate next) …
One Developer
  • 99
  • 5
  • 43
  • 103
1
vote
0 answers

Improper Resource Shutdown or Release -Veracode CWE 404

when I ran the scan from veracode , i found the issue like Improper Resource Shutdown or Release , i tried finding the result from other blogs but i didn't get the solution. below is my code which is pointing at the issue. please suggest if i need…
Sri
  • 11
  • 2
1
vote
0 answers

How to fix a possible XSS vulnerability in an Angular app

I use the Veracode Platform to analyze some projects. I currently have a project in Angular. I have a select list in my application. Veracode informs that by selecting an option it is possible to execute a malicious JavaScript, called XSS. As there…
Jhon Laurence
  • 33
  • 3
1
vote
0 answers

Veracode issue in JSP - Insertion of Sensitive Information Into Sent Data (CWE ID 201)

Following is the piece of code <%=test1%> In the line "<%=test1%>" I am getting the vera code issue . How to fix the issue. Tried to fix with below code, It is showing another issue…
Sanmati Munde
  • 11
  • 1
1
vote
0 answers

How do you make Visual Studio Code veracode greenlight scan ignore xml or yaml files?

I have veracode extension installed in VS Code. When I do greenlight scan of a subdir that has an xml or yaml file the scan halts and says it can't scan these files. How can I make it ignore these files and move on without stopping?
Andy N
  • 1,013
  • 9
  • 25
1
vote
2 answers

How to compile in debug mode using maven without making changes to pom.xml?

I am trying to run some vulnerability scans(Veracode) on a spring boot application. However, the scan provider suggests running the scans with binaries compiled in debug mode using the following in pom.xml file.
Saif
  • 2,530
  • 3
  • 27
  • 45
1 2 3
21 22