0
String value = System.getProperty("someproperty");

Why does the above piece of code give a security threat in Fortify scanning?

Lino
    Related: https://stackoverflow.com/questions/24795986/how-to-correct-path-manipulation-error-given-by-fortify – Lino May 13 '20 at 06:38

1 Answer

0

What Fortify is showing right now is the 'source' where some untrusted data is coming into your app. Fortify considers properties that are provided in files or from the command line as a source of untrusted data.

Chances are that Fortify is saying that there is a "potential" issue here. Track to see where your value variable is being used. If it's being used for some kind of I/O operation, like writing to a file or being used in an SQL query, then evaluate how you can potentially use the property to do something evil.

If you determine that the value variable is not being used for any kind of sensitive operation, just mark it as a false positive.

wtfacoconut
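The source-to-sink tracking the answer describes, as an added example (not code from the question, the answer, or Fortify): a hypothetical `report.dir` property read with `System.getProperty` is the taint source, and the same value is shown flowing into a file-path sink unchecked and then with canonicalisation plus a base-directory check, which is the kind of validation that resolves a Path Manipulation finding rather than marking it a false positive. The property name and the `/var/app` base directory are assumptions.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not from the original question or answer. Assumes a
// hypothetical property "report.dir" that the application reads at startup.
public class PropertySinkExample {

    // Fortify flags the property read as a taint SOURCE. Nothing is wrong yet:
    // whether it matters depends on the SINK the value eventually reaches.
    static String readReportDir() {
        return System.getProperty("report.dir", "/var/app/reports");
    }

    // Unsafe sink: the tainted value is used directly to build a file path.
    // Fortify reports a Path Manipulation finding on this dataflow because a
    // hostile property value (e.g. "/tmp/../etc") steers file I/O anywhere.
    static Path unsafeReportPath(String fileName) {
        return Paths.get(readReportDir(), fileName);
    }

    // Hardened sink: canonicalise the configured directory (symlinks included)
    // and reject anything that resolves outside the directory the deployment
    // allows; also reject file names that carry their own path components.
    static final Path ALLOWED_BASE = Paths.get("/var/app").toAbsolutePath().normalize();

    static Path safeReportPath(String fileName) throws IOException {
        Path dir = Paths.get(readReportDir()).toAbsolutePath().normalize().toRealPath();
        if (!dir.startsWith(ALLOWED_BASE)) {
            throw new SecurityException("report.dir resolves outside " + ALLOWED_BASE);
        }
        if (fileName.contains("/") || fileName.contains("\\") || fileName.contains("..")) {
            throw new IllegalArgumentException("invalid report file name");
        }
        Path target = dir.resolve(fileName).normalize();
        if (!target.startsWith(dir)) {
            throw new SecurityException("file name escapes report directory");
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        System.setProperty("report.dir", "/tmp/../etc"); // constructed hostile value
        System.out.println("unsafe: " + unsafeReportPath("passwd"));
        try {
            System.out.println("safe: " + safeReportPath("passwd"));
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

If tracing shows `value` only reaches a non-sensitive use (a log line, a display string), the finding can be marked as not an issue as the answer suggests; if it reaches a file, command or query sink, the check above is the shape of the fix.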