Questions tagged [veracode]
Veracode provides automated static and dynamic application security testing software and remediation services.
321 questions
1 vote, 0 answers
In js file getting Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)
The line below is showing a Veracode issue. I have tried to use encodeURI(incidentTypeAfterEdit) and encodeURI(incidentDescriptionAfterEdit), but it is getting encoded and the functionality is not working. Can you please help me to fix this issue?
$("#incident-title" +…

Gopal Reddy
1 vote, 1 answer
CRLF Injection vulnerability while using slf4j LOGGER in Veracode (CWE 117)
It's an slf4j logger and I have been trying to log an error with 2 message parameters.
catch(ExecutionException executionException) {
LOGGER.error("TimeoutException caught , Error: " + SSG_TIMEOUT.getErrorText()
+ ". Message: "…

Amrit Gopal Singh
1 vote, 0 answers
Google Re-captcha Response is flagged as flaw CWE 918, in Veracode
I am a Sitecore developer and on our website we have a form carrying Re-Captcha. When we are validating our solution in Veracode, the CWE 918 flaw is raised at GetResponse. Adding the code below.
public bool IsReCaptchValid()
{
var result =…

user2310343
1 vote, 1 answer
Use of Hard-coded Password on ReactPropTypesSecret.js - Veracode
I'm trying to deploy over OpenShift a React App made with "create-react-app", one of the pipeline's steps is a Veracode analysis.
At this step my pipeline fails for "Use of Hard-coded Password" and the source viewer shows me this file,…

Nicolas Villacorta
1 vote, 1 answer
How to fix SQL Injection Veracode issue - CWE 564
@Override
public AssetLibraryReference selectALRefByName(String entityName,String name) throws Exception {
AssetLibraryReference returnRef = null;
String query = "from " + entityName + " where name = :name ";
try {
returnRef…

Rajat Ambastha
1 vote, 1 answer
Lodash version number is mismatch in package-lock.json?
I am using the latest lodash version, but in package-lock.json it's at version @4.17.4. Because of this, Veracode is showing a high-risk vulnerability in lodash. When I ran npm audit:
Invalid: lock file's lodash@4.17.4 does not satisfy…

SDK
1 vote, 1 answer
try-with-resources Statement resource leakage and HttpServletRequestWrapper.getRead() resource leakage
In the code below I have used BufferedReader and InputStreamReader inside the try, but Veracode reports the security issue Improper Resource Shutdown or Release (CWE ID 404).
try (final BufferedReader bsr = new BufferedReader(new…

Remo
1 vote, 1 answer
How to find where a library is being used in my project to fix a Veracode security vulnerability
Currently my application is failing Veracode Scan because of one third party component:
"netty-handler.4.1.48.FINAL.jar", which has no safe versions available at the moment.
I have reviewed the Veracode Report but I cannot find any specific info…

monkey123
1 vote, 2 answers
SQL injection vulnerability Veracode C#
The Veracode report is showing a SQL injection flaw for the query below.
private const string DropDatabaseTemplate = @"DROP DATABASE [{0}]";
ExecuteNonQuery(connection, string.Format(DropDatabaseTemplate, databaseName));
private static int…

Shivam Mishra
1 vote, 1 answer
Minimal (light version) PyTorch and Numpy packages in production
I am putting a model into production and I am required to scan all dependencies (PyTorch and NumPy) beforehand via Veracode Scan.
I noticed that the majority of the flaws are coming from test scripts and caffe2 modules in PyTorch and NumPy.
Is there…

mask
1 vote, 1 answer
Resolve Veracode's CWE-73: "External control of file name or path" MVC application
I have a function in my application for which I am getting a flaw CWE-73 from Veracode's scan. This function is used to traverse a specific path and get the content of one file and the list of the files in the folder:
private LogFile…

Jamik
1 vote, 0 answers
Veracode scan: How to get the total expected "Effort to Fix" for all the issues found in a scan?
I am analysing the Veracode scan reports for some applications. I have the PDF reports. These do not have the total "Effort to Fix" for all the issues found.
Can someone guide me to get it?

Kangkan
1 vote, 0 answers
CWE-749: Exposed Dangerous Method or Function Veracode issue while configuring the Spring Boot Admin Actuator endpoints
I am trying to configure SB Admin in my Spring Boot application and to use the actuator endpoints.
My SB application: 2.1.5.RELEASE
For Admin,
I have added the dependencies below:
spring-boot-admin-starter-server ->…

Uday Kumar
1 vote, 0 answers
How to Prevent SSRF in .Net
I have a web form application and also a Web API application hosted on different servers. For all CRUD operations the Web Form application uses the API. To call the API from the web form app I have created a generic API requesting method using…

Vignesh
1 vote, 1 answer
How to fix "Trust boundary violation - Security Issue" in Coverity (a security tool similar to Veracode) in a Servlet?
I'm getting the below security issue while scanning the file.
"Using the tainted data "value" in a context that is often assumed to be trustworthy. Because trusted data may not be validated or sanitized, this data could be mistakenly used in an…

Santosh_shar