Fortify Code Scan Findings and Fixes

Common Fortify static code scan findings and how to fix them

  • 1. Portability Flaw: Locale Dependent Comparison (Code Quality, Control Flow)
  • 2. Access Specifier Manipulation (Input Validation and Representation, Semantic)
  • 3. Poor Style: Value Never Read (Code Quality, Structural)
  • 4. Build Misconfiguration: External Maven Dependency Repository (Environment, Configuration)
  • 5. Code Correctness: Byte Array to String Conversion (Code Quality, Semantic)
  • 6. Code Correctness: Erroneous String Compare (Code Quality, Structural)
  • 7. Dead Code: Expression is Always false (Code Quality, Structural)
  • 8. Dead Code: Unused Method (Code Quality, Structural)
  • 9. Denial of Service: Parse Double (Input Validation and Representation, Data Flow)
  • 10. HTML5: Overly Permissive CORS Policy (Encapsulation, Semantic)
  • 11. J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)
  • 12. Missing Check against Null (API Abuse, Control Flow)
  • 13. Password Management: Password in Comment (Security Features, Structural)
  • 14. Poor Error Handling: Overly Broad Catch (Errors, Structural)
  • 15. Access Control: Database (Security Features, Data Flow)
  • 16. Header Manipulation (Input Validation and Representation, Data Flow)
  • 17. Null Dereference (Code Quality, Control Flow)
  • 18. Unreleased Resource: Streams (Code Quality, Control Flow)
  • 19. Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)

1. Portability Flaw: Locale Dependent Comparison (Code Quality, Control Flow)

import java.util.Locale;

// Flagged: toUpperCase() with no Locale argument uses the JVM default locale,
// so the outcome of this comparison changes with the host the code runs on.
if (tag.toUpperCase().equals("SCRIPT")) {
  return null;
}
// Fix 1: pass an explicit Locale so the conversion is the same everywhere.
if (tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT")) {
  return null;
}
// Fix 2: compare case-insensitively without converting the string at all.
if (tag.equalsIgnoreCase("SCRIPT")) {
  return null;
}
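The following is an added example, not code from the original post, showing why the flagged form matters in practice. It temporarily switches the JVM default locale to Turkish (the tag value and method names are constructed for the demonstration) and runs the three variants from the snippet above side by side.

```java
import java.util.Locale;

/**
 * Added example (not from the original post). Demonstrates the locale
 * dependence Fortify reports for toUpperCase().equals(...) and shows that
 * both suggested fixes behave the same under every default locale.
 */
public class LocaleCompareDemo {

    // Flagged form: result depends on Locale.getDefault().
    static boolean isScriptTagLocaleDependent(String tag) {
        return tag.toUpperCase().equals("SCRIPT");
    }

    // Fix 1 from the post: explicit locale.
    static boolean isScriptTagExplicitLocale(String tag) {
        return tag.toUpperCase(Locale.ENGLISH).equals("SCRIPT");
    }

    // Fix 2 from the post: equalsIgnoreCase compares per character and
    // does not consult the default locale.
    static boolean isScriptTagIgnoreCase(String tag) {
        return "SCRIPT".equalsIgnoreCase(tag);
    }

    public static void main(String[] args) {
        Locale original = Locale.getDefault();
        try {
            // Simulate a server whose default locale is Turkish. Under tr-TR,
            // lowercase 'i' upper-cases to dotted capital I (U+0130), so
            // "script" becomes "SCR\u0130PT" and the flagged check returns
            // false for exactly the tag the filter was written to reject.
            Locale.setDefault(Locale.forLanguageTag("tr-TR"));
            String tag = "script"; // constructed input

            System.out.println("toUpperCase() under tr-TR : " + tag.toUpperCase());
            System.out.println("locale-dependent check    : " + isScriptTagLocaleDependent(tag));
            System.out.println("Locale.ENGLISH check      : " + isScriptTagExplicitLocale(tag));
            System.out.println("equalsIgnoreCase check    : " + isScriptTagIgnoreCase(tag));
        } finally {
            // Restore the original default so the rest of the JVM is unaffected.
            Locale.setDefault(original);
        }
    }
}
```

Run it with any JDK: the first check prints false under tr-TR while the two fixes print true. The same code path would print true for all three on an en-US host, which is why the defect only shows up after deployment to a differently configured machine and why Fortify classifies it as a portability flaw rather than a plain logic bug.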

2. Access Specifier Manipulation (Input Validation and Representation, Semantic)

// Flagged: setAccessible(true) called directly on a reflected Field.
field.setAccessible(true);

Change it to use the utility class provided by Spring:

import org.springframework.util.ReflectionUtils;

// makeAccessible() only calls setAccessible(true) when it is actually needed
// (non-public or final field), keeping the reflection call in one audited place.
ReflectionUtils.makeAccessible(field);

3. Poor Style: Value Never Read (Code Quality, Structural)

4. Build Misconfiguration: External Maven Dependency Repository (Environment, Configuration)

This Maven build script depends on an external source for its dependencies. That lets an attacker who controls the source insert malicious code into the final product, or take control of the build machine.

5. Code Correctness: Byte Array to String Conversion (Code Quality, Semantic)

import java.io.IOException;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;

public class ByteSerializerUtils extends JsonSerializer<byte[]> {
	@Override
	public void serialize(byte[] bytes, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException, JsonProcessingException {
		// Flagged: new String(byte[]) decodes with the platform default charset,
		// so the same bytes yield different strings on differently configured hosts.
		jsonGenerator.writeString(new String(bytes));
	}
}

Change it to name the charset explicitly:

new String(bytes, "UTF-8")

(new String(bytes, StandardCharsets.UTF_8) is equivalent and does not throw the checked UnsupportedEncodingException.)

6. Code Correctness: Erroneous String Compare (Code Quality, Structural)

7. Dead Code: Expression is Always false (Code Quality, Structural)

8. Dead Code: Unused Method (Code Quality, Structural)

9. Denial of Service: Parse Double (Input Validation and Representation, Data Flow)

10. HTML5: Overly Permissive CORS Policy (Encapsulation, Semantic)

The program defines an overly permissive Cross-Origin Resource Sharing (CORS) policy.
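An added example, not from the original post, of what this finding looks like in a servlet application and how to correct it. It places the permissive setting (echoing the request's Origin header with credentials enabled) next to an explicit-allowlist filter. The origins in the allowlist and the class name are assumptions constructed for the example; the servlet API used is javax.servlet.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the original post): a CORS filter with an explicit
 * origin allowlist, shown beside the permissive form Fortify reports.
 */
public class CorsFilter implements Filter {

    // Flagged form: any page that sends an Origin header is trusted, and
    // because credentials are allowed too, the browser will attach the
    // victim's cookies to the cross-site request and expose the response.
    static void permissiveCorsHeaders(HttpServletRequest req, HttpServletResponse resp) {
        resp.setHeader("Access-Control-Allow-Origin", req.getHeader("Origin"));
        resp.setHeader("Access-Control-Allow-Credentials", "true");
    }

    // Hypothetical trusted front ends, constructed for this example.
    private static final Set<String> ALLOWED_ORIGINS = Set.of(
            "https://app.example.com",
            "https://admin.example.com");

    // Exact string match against the allowlist; no prefix or regex matching,
    // since "https://app.example.com.attacker.test" must not pass.
    static boolean isAllowedOrigin(String origin) {
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        String origin = req.getHeader("Origin");
        if (isAllowedOrigin(origin)) {
            // Emit the allowlisted value, not the raw header, and tell caches
            // that the response varies by Origin.
            resp.setHeader("Access-Control-Allow-Origin", origin);
            resp.setHeader("Vary", "Origin");
            resp.setHeader("Access-Control-Allow-Credentials", "true");
            resp.setHeader("Access-Control-Allow-Methods", "GET, POST");
            resp.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization");
        }
        // A preflight from a non-allowlisted origin gets no CORS headers, so the
        // browser refuses to let that page read the response.
        if ("OPTIONS".equalsIgnoreCase(req.getMethod())) {
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
    }
}
```

Register the filter on the paths that serve cross-origin clients. If the API never needs credentialed cross-origin access, drop the Access-Control-Allow-Credentials header entirely; a wildcard origin is only acceptable for genuinely public, unauthenticated resources.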

11. J2EE Bad Practices: Leftover Debug Code (Encapsulation, Structural)

12. Missing Check against Null (API Abuse, Control Flow)

13. Password Management: Password in Comment (Security Features, Structural)

Storing a password, or details about one, in plaintext in the system or its source code can compromise the system's security in a way that is not easily fixed.

14. Poor Error Handling: Overly Broad Catch (Errors, Structural)

Do not catch overly broad exception classes such as Exception, Throwable, Error or RuntimeException, except at the top level of the program or thread.

15. Access Control: Database (Security Features, Data Flow)

Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
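An added example, not from the original post, of the pattern the paragraph describes in plain JDBC: the flagged query that selects a row by a request-supplied id alone, beside the corrected queries that bind the authenticated username into every predicate. The table invoices(id, owner, body), the class name and the method names are assumptions constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

/**
 * Added example (not from the original post). Assumes an open JDBC Connection
 * and a hypothetical table invoices(id BIGINT, owner VARCHAR, body TEXT).
 */
public class InvoiceRepository {

    private final Connection conn;

    public InvoiceRepository(Connection conn) {
        this.conn = conn;
    }

    // Flagged form: the row is chosen by an id that came from the request.
    // The statement is parameterized, so it is not injectable, but nothing
    // ties the row to the caller: any authenticated user who supplies a
    // different id receives a different user's invoice.
    public Optional<String> findByIdOnly(long invoiceId) throws SQLException {
        String sql = "SELECT body FROM invoices WHERE id = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, invoiceId);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("body")) : Optional.empty();
            }
        }
    }

    // Fixed form: the authenticated username, taken from the server-side
    // session or security context (never from a request parameter), is part
    // of the predicate, so the database itself withholds rows the caller does
    // not own. A missing row and a foreign row look identical to the caller.
    public Optional<String> findByIdForOwner(long invoiceId, String authenticatedUser)
            throws SQLException {
        String sql = "SELECT body FROM invoices WHERE id = ? AND owner = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setLong(1, invoiceId);
            ps.setString(2, authenticatedUser);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getString("body")) : Optional.empty();
            }
        }
    }

    // The same rule applies to writes. The update count is the access-control
    // result: zero rows changed means the caller does not own that id, and the
    // service layer should report it as a denial rather than a success.
    public boolean updateBodyForOwner(long invoiceId, String authenticatedUser, String newBody)
            throws SQLException {
        String sql = "UPDATE invoices SET body = ? WHERE id = ? AND owner = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, newBody);
            ps.setLong(2, invoiceId);
            ps.setString(3, authenticatedUser);
            return ps.executeUpdate() == 1;
        }
    }
}
```

The owner predicate belongs in every data-access method, not just the ones a reviewer happens to notice; a repository layer where some queries carry it and some do not is exactly what this Fortify category is designed to surface.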

16. Header Manipulation (Input Validation and Representation, Data Flow)

17. Null Dereference (Code Quality, Control Flow)

18. Unreleased Resource: Streams (Code Quality, Control Flow)

19. Cross-Site Scripting: Persistent (Input Validation and Representation, Data Flow)

| Risk type | Cause |
|---|---|
| Code Correctness: Erroneous String Compare | Strings are compared with the wrong method |
| Cross-Site Scripting | Invalid data is sent to the web browser, causing the browser to execute malicious code |
| Dead Code: Expression is Always true | The expression always evaluates to true |
| Dead Code: Unused Method | A method that is never used |
| HTTP Response Splitting | The response contains unvalidated data |
| J2EE Bad Practices: Leftover Debug Code | Creates unintended entry points in the deployed web application |
| Missing Check against Null | The call may return null |
| Poor Error Handling: Empty Catch Block | Some exceptions are ignored, which may prevent the program from noticing unexpected conditions |
| Poor Error Handling: Overly Broad Catch | The catch block handles many kinds of exceptions and often ends up dealing with problems or failures that should not be handled at that location |
| Poor Error Handling: Overly Broad Throws | An overly general exception is thrown, making it hard for callers to handle and recover from the error |
| Poor Error Handling: Return inside Finally | May cause an exception to be lost |
| Poor Logging Practice: Use of a System output stream | System.out and System.err are not dedicated logging facilities; using them makes the program's behaviour hard to monitor |
| Poor Style: Value Never Read | The value assigned to a variable is never used |
| System Information Leak: HTML Comment in JSP | Any information in the comment may help an attacker understand the system and plan an attack |
| Unchecked Return Value | The return value of a method is ignored |
| J2EE Bad Practices: Threads | Thread management by web applications is prohibited in some environments |
| JavaScript Hijacking: Ad Hoc Ajax | Passing sensitive data in JavaScript notation is vulnerable |
| Denial of Service | Reading a file may let an attacker crash the program |
| System Information Leak | printStackTrace() reveals system data that helps an attacker plan an attack |
| Insecure Randomness | The random numbers produced cannot withstand cryptographic attack |
| Null Dereference | A null pointer is dereferenced |
| Unreleased Resource: Streams | System resources allocated by FileInputStream() are not released |
| Redundant Null Check | A null pointer is dereferenced |
| Dead Code: Unused Field | A field that is never used |
| Axis 2 Misconfiguration: Debug Information | Via the SOAP Monitor module, an attacker can intercept SOAP message traffic |
| Poor Error Handling: Program Catches NullPointerException | Catching NullPointerException is generally not a good approach |
| Poor Style: Confusing Naming | Duplicate naming |
| Dead Code: Expression is Always false | The expression always evaluates to false |
| J2EE Misconfiguration: Incomplete Error Handling | Configure a default error page to handle uncaught exceptions |
| Path Manipulation | An attacker can control the File path parameter and thereby access or modify other protected files |
| Poor Logging Practice: Logger Not Declared static final | Loggers should be declared static and final |
| Poor Style: Redundant Initialization | The value assigned to a variable is never used |
| Code Correctness: null Argument to equals() | The expression obj.equals(null) is always false |
| Privacy Violation: Heap Inspection | |
| J2EE Bad Practices: Leftover Debug Code | |
| Poor Error Handling: Overly Broad Throws | |
| Password Management: Password in Configuration File | |
| Build Misconfiguration: External Maven Dependency Repository | |
