How to fix CWE 829 - Inclusion of Functionality from Untrusted Control Sphere

Question

As part of veracode scan i got CWE 829 -Inclusion of Functionality from Untrusted Control Sphere error thrown.

Below I have pasted my Java code and in line#3 i'm getting this vulnerability.

I didn't find much about this issue. Can some one assist me if you have faced this kind of issue earlier?

import java.applet.Applet;
import java.awt.Graphics;

public class ShowVariables extends Applet { //Error shown in thos line
    int age = 35;
    double salary = 25000.34;
    long distance_to_the_moon = 235678;

    public void paint(Graphics g) {
        g.drawString("employees age: " + age, 5, 25);
        g.drawString("Employess salary: " + salary, 5, 45);
        g.drawString("Distance to the moon: " + distance_to_the_moon, 5, 65);

    }

}

Answer 1

It seems like a false-positive since CWE-829 is related with including in your code content from external domain:

https://cwe.mitre.org/top25/index.html#CWE-829

https://cwe.mitre.org/data/definitions/829.html

While you only use functions and classes from java library.

Try to mitigate the flaw as per instruction on Verascode website:

https://help.veracode.com/reader/DGHxSJy3Gn3gtuSIN2jkRQ/~p4MSKOS8F8X8h0KwFTKoQ