Questions tagged [checkmarx]

Source code analysis software for identifying, tracking and repairing technical and logical flaws.

Checkmarx CxSuite is a source code analysis solution that provides tools for identifying, tracking and repairing technical and logical flaws in source code, such as security vulnerabilities, compliance issues and business logic problems.

Without needing to build or compile a project's source code, CxSuite builds a logical graph of the code's elements and flows and then runs queries against that graph. It ships with hundreds of preconfigured queries for known security vulnerabilities in each supported language, and with the CxSuite Auditor tool you can write additional queries for security, QA and business logic purposes. Because the graph is inferred from source alone, a reported flow (typically user input reaching a sink without passing through a sanitizer the query recognises) still needs triage: the code is fixed, or the project's own validation routine is made known to the query through the Auditor, or the result is marked as not exploitable after review.


341 questions
16 votes, 2 answers

How to sanitize and validate user input to pass a Checkmarx scan

I have an endpoint that receives a String from the client as seen below: @GET @Path("/{x}") public Response doSomething(@PathParam("x") String x) { String y = myService.process(x); return Response.status(OK).entity(y).build(); } Checkmarx…
cahen
15 votes, 5 answers

How to validate and sanitize HTTP Get with Spring Boot?

I keep getting this annoying error from Checkmarx code scanner, Method getTotalValue at line 220 of src\java\com\example\PeopleController.java gets user input for the personName element. This element’s value then flows through the code without…
john
15 votes, 4 answers

Heap Inspection Security Vulnerability

I have run my Java app against the Checkmarx tool for security vulnerabilities and it is constantly giving an issue, Heap Inspection, for my password field, for which I use a character array. It doesn't give any more explanation than just pointing out…
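
For the Heap Inspection question above, an added example that is not the poster's code and not Checkmarx's own guidance. The finding is about sensitive data living in the heap in a form that cannot be wiped: a String is immutable and stays until the collector runs, while a char[] can be overwritten in place. Using char[] for the field is only half of the fix; the array also has to be zeroed when it is no longer needed and must never be turned back into a String (no new String(pw), String.valueOf(pw) or concatenation into a log message). The class name SecretBuffer and the constant-time comparison are assumptions of this example; the password is assumed to arrive already as a char[], for instance from Console.readPassword():

```java
import java.util.Arrays;

/**
 * Keeps a password in a char[] that is overwritten when no longer needed.
 * A String cannot be wiped and stays in the heap until garbage collected,
 * which is what a Heap Inspection finding points at; a char[] that is never
 * converted to a String and is zeroed in close() does not have that problem.
 */
public final class SecretBuffer implements AutoCloseable {
    private final char[] secret;
    private boolean cleared;

    public SecretBuffer(char[] secret) {
        // Private copy, so the caller can wipe its own array independently.
        this.secret = Arrays.copyOf(secret, secret.length);
    }

    /** Compares against a candidate without building a String from either array. */
    public boolean matches(char[] candidate) {
        if (cleared) {
            throw new IllegalStateException("secret has already been cleared");
        }
        if (candidate.length != secret.length) {
            return false;
        }
        int diff = 0;                       // constant-time compare: no early exit on first mismatch
        for (int i = 0; i < secret.length; i++) {
            diff |= secret[i] ^ candidate[i];
        }
        return diff == 0;
    }

    public boolean isCleared() {
        return cleared;
    }

    @Override
    public void close() {
        Arrays.fill(secret, '\0');          // overwrite in place instead of waiting for the GC
        cleared = true;
    }

    public static void main(String[] args) {
        // Constructed sample input. In real code the chars come from Console.readPassword()
        // or a char-based form field; no String holding the password is ever created here.
        char[] typed = {'h', 'u', 'n', 't', 'e', 'r', '2'};
        char[] wrong = {'h', 'u', 'n', 't', 'e', 'r', '3'};
        SecretBuffer pw = new SecretBuffer(typed);
        try {
            System.out.println("correct candidate matches: " + pw.matches(typed));
            System.out.println("wrong candidate matches:   " + pw.matches(wrong));
        } finally {
            pw.close();                     // wipe the private copy ...
            Arrays.fill(typed, '\0');       // ... and the caller's arrays as well
            Arrays.fill(wrong, '\0');
        }
        System.out.println("buffer cleared: " + pw.isCleared()
                + ", caller's array zeroed: " + Arrays.equals(typed, new char[typed.length]));
    }
}
```

Wiping is best effort: the JVM may have copied the array during garbage collection, and any API that takes the password as a String (many JDBC drivers, for example) reintroduces the problem at that boundary. The point of the pattern is to keep the window in which the clear text exists as short as possible and to have no copy the code cannot reach.
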
9 votes, 6 answers

Checkmarx - How to resolve Stored Absolute Path Traversal issue?

Checkmarx - v 9.3.0 HF11 I am passing an env value as the data directory path in the Dockerfile, which is used on the dev/UAT server: ENV DATA /app/data/ Locally, using the following environment variable: DATA=C:\projects\app\data\ getDataDirectory("MyDirectoryName"); //…
StackOverFlow
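
For the Stored Absolute Path Traversal question above, an added example that is not the poster's getDataDirectory and not Checkmarx's guidance. The scanner's concern is that a value it does not trust (here the DATA environment variable and the name passed in) ends up in a filesystem path. The usual fix is to resolve the candidate path under a fixed base, normalize it, and check that the result still starts with that base. The class name DataDirectory and the sample names are assumptions; the base directory is taken from the DATA environment variable, following the question's convention:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Resolves caller-supplied names under a fixed data directory and refuses anything that escapes it. */
public final class DataDirectory {
    private final Path base;

    public DataDirectory(String baseDir) {
        // Absolute and normalized, so the prefix check below compares like with like.
        this.base = Paths.get(baseDir).toAbsolutePath().normalize();
    }

    /**
     * Returns base/name, or throws if the result would lie outside base.
     * resolve() returns an absolute argument unchanged and normalize() collapses "..",
     * so one startsWith() check covers both the "/etc/passwd" and the "../.." case.
     */
    public Path resolve(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty name");
        }
        Path candidate = base.resolve(name).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes the data directory: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Same convention as the question: the data directory comes from the DATA environment variable.
        DataDirectory dir = new DataDirectory(System.getenv().getOrDefault("DATA", "/app/data/"));
        // Constructed inputs: the first two should resolve, the last three should be rejected.
        String[] inputs = {"MyDirectoryName", "reports/2024.csv", "../etc/passwd", "/etc/passwd", "a/../../b"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + dir.resolve(in));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

normalize() works on the path string only and does not follow symbolic links; if the data directory can contain links that point outside it, call toRealPath() on the resolved path (the file must exist) and repeat the startsWith() check on the result.
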
9 votes, 0 answers

How to Sanitize and validate Pojo in Http Post to pass a Checkmarx scan

I am using Spring MVC and I have an endpoint with HTTP method POST. @ResponseBody public ResponseEntity request(@RequestBody @Valid RequestPayload requestBody){ //Code } public class RequestPayload { private String op; private…
cody123
6 votes, 2 answers

Checkmarx Java fix for Log Forging -sanitizing user input

Can anyone suggest the proper sanitization/validation process required for the courseType variable in the following getCourses method. I am using that variable to write in a log file. I've tried HtmlUtils.HtmlEscape() but didn't get expected…
NPS
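
For the Log Forging question above, an added example that is not the poster's code. HTML escaping is the wrong tool here: the attack is a value containing a carriage return or line feed, which makes a single log call emit what looks like two log records. The remediation is to neutralise line breaks and other control characters (including the Unicode line and paragraph separators) before the value is concatenated into the message, and to cap its length so one request cannot flood the log. The class and method names and the sample inputs are assumptions of this example:

```java
/** Makes user-controlled values safe to place inside a single log line. */
public final class LogSanitizer {
    private static final int MAX_LEN = 200;

    /**
     * CR, LF and every other control character are replaced by a visible escape
     * rather than dropped, so a forgery attempt is still recognisable in the log.
     * Values longer than MAX_LEN are truncated.
     */
    public static String forLog(String value) {
        if (value == null) {
            return "null";
        }
        String s = value.length() > MAX_LEN ? value.substring(0, MAX_LEN) + "..." : value;
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean control = c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f)
                    || c == '\u2028' || c == '\u2029';   // Unicode line and paragraph separators
            if (control) {
                sb.append(String.format("\\u%04x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The pattern from the question: a request parameter written into a log message. */
    public static String courseLookupLine(String courseType) {
        return "getCourses called with courseType=" + forLog(courseType);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal value, a CRLF forgery attempt, and a Unicode line separator.
        String[] samples = {
            "BIOLOGY",
            "BIOLOGY\r\nINFO  user=admin action=login status=ok",
            "MATH\u2028WARN fake record",
        };
        for (String s : samples) {
            System.out.println(courseLookupLine(s));
        }
    }
}
```

Whether a custom method like forLog is accepted by the scanner depends on whether the query knows it as a sanitizer; if it does not, the flow is still reported and the sanitizer has to be added to the query or the result triaged, as described in the tag description above.
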
6 votes, 2 answers

Privacy Violation Checkmarx

On scanning code using Checkmarx for security vulnerabilities, a privacy violation issue was reported pointing to a variable name. public const string Authentication = "authentication"; I am using this variable to create a region in cache by this…
user3820128
5 votes, 1 answer

What is the difference between SonarQube and Checkmarx CxSAST & CxSCA?

I have integrated SonarQube and Checkmarx SAST and SCA into the Azure DevOps build pipeline. I am able to see both the SonarQube and Checkmarx reports without any issues. I have the following questions. Could someone please clarify: What is the…
Pradeep
5 votes, 1 answer

Checkmarx scan - how to fix Missing_HSTS_Header warning?

After running a Checkmarx scan on my Node.js application, I got a warning of Medium severity -> Missing_HSTS_Header, on this piece of code that just returns the content of the metadata.json file (highlighted as the source of the error is "res.json"). const app…
Jozef
5 votes, 1 answer

Deserializing of untrusted data using C#

I have the following C# code which is getting a "high" error from Checkmarx. I can't see anything wrong with it. var dataDirectoryPath = AppDomain.CurrentDomain.GetData("DataDirectory").ToString(); var json =…
Rob Sedgwick
5 votes, 1 answer

How to solve Stored XSS issue reported by Checkmarx

Codebase I am working on has been analyzed by Checkmarx, and it came back with a report containing a "Stored XSS" issue. The issue states: Method GetHomepageFilterByLocale HomepageRepo.cs gets data from the database, for the Select element. This…
Dasha Finch
4 votes, 0 answers

Untrusted data is embedded straight into the output

I am currently facing a Checkmarx scan issue for the below snippet: The application's getResponse embeds untrusted data in the generated output with setCatList, at line 10 of MyClass.java. This untrusted data is embedded straight into the output…
Anonymous
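
The Stored XSS question and the "untrusted data is embedded straight into the output" question above are the same finding from the scanner's point of view: a value that came from the database (which an earlier request may have written) is placed into HTML without encoding for the context it lands in. One added example serving both, not the posters' code or the project's: a small contextual encoder with one rule for element content and a stricter one for attribute values, used to render the <select> mentioned in the Stored XSS question. In production the OWASP Java Encoder (Encode.forHtml, Encode.forHtmlAttribute) does the same job; the hand-written version here only keeps the example dependency-free. The class name, the option() helper and the sample rows are assumptions:

```java
/** Contextual HTML output encoding for values that did not originate in the template. */
public final class HtmlEncoder {

    /** Encodes a value placed between tags (element content). */
    public static String forHtmlContent(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Encodes a value placed inside a quoted attribute. Attributes are the riskier
     * context, so everything outside [A-Za-z0-9] becomes a numeric entity.
     */
    public static String forHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        s.codePoints().forEach(cp -> {
            if ((cp >= 'a' && cp <= 'z') || (cp >= 'A' && cp <= 'Z') || (cp >= '0' && cp <= '9')) {
                sb.appendCodePoint(cp);
            } else {
                sb.append("&#x").append(Integer.toHexString(cp)).append(';');
            }
        });
        return sb.toString();
    }

    /** Renders one <option> for a <select> from values read from the database. */
    public static String option(String value, String label, boolean selected) {
        return "<option value=\"" + forHtmlAttribute(value) + "\""
                + (selected ? " selected" : "") + ">"
                + forHtmlContent(label) + "</option>";
    }

    public static void main(String[] args) {
        // Constructed rows standing in for database content that an attacker may have stored earlier.
        String[][] rows = {
            {"en-US", "English (US)", "true"},
            {"\" onmouseover=\"alert(1)", "Deutsch", "false"},
            {"fr", "<script>alert(document.cookie)</script>", "false"},
        };
        StringBuilder select = new StringBuilder("<select name=\"locale\">\n");
        for (String[] r : rows) {
            select.append("  ").append(option(r[0], r[1], Boolean.parseBoolean(r[2]))).append('\n');
        }
        select.append("</select>");
        System.out.println(select);
    }
}
```

Encoding belongs at the point of output, not at the point of storage: the same database value may later be written into JSON, a URL or a JavaScript string, each of which needs a different encoder, and a value that was "cleaned" on the way in still reaches the template with no proof of that.
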
4 votes, 2 answers

Checkmarx Medium severity warning - HttpOnly cookie at Startup

Checkmarx is flagging an error which looks like a false positive to me. Our application is written in C# and uses ASP.NET Core. The error is: The web application's Startup method creates a cookie Startup, at line 22 of Startup.cs, and returns it in…
sashoalm
4 votes, 5 answers

Checkmarx - How to validate and sanitize HttpServletRequest.getInputStream to pass a Checkmarx scan

Following are the Checkmarx issue details: Unrestricted File Upload Source Object : req (Line No - 39) target Object : getInputStream (Line No -41) public class JWTLoginFilter extends AbstractAuthenticationProcessingFilter { //... 38 public…
StackOverFlow
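
For the Unrestricted File Upload question above, an added example that is not the poster's JWTLoginFilter and not Checkmarx's guidance. A login filter that reads req.getInputStream() to the end and hands it to a JSON parser accepts a body of any size and any type. What the finding asks for is a bound on what is read and a check that the body is what the endpoint expects. The limit has to be enforced on the bytes actually read, because the Content-Length header can be absent (chunked encoding) or wrong. The class name, the readJsonBody signature and the sample bodies are assumptions; in a servlet filter the arguments would come from req.getContentType() and req.getInputStream():

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Locale;

/** Reads a request body with a hard size limit and a Content-Type check. */
public final class BoundedBodyReader {

    public static final class BodyTooLargeException extends IOException {
        public BodyTooLargeException(int limit) {
            super("request body exceeds " + limit + " bytes");
        }
    }

    /** Reads the whole stream but gives up as soon as more than maxBytes have arrived. */
    public static byte[] readBounded(InputStream in, int maxBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
            if (total > maxBytes) {
                throw new BodyTooLargeException(maxBytes);   // stop before buffering the rest
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /**
     * What a login filter needs before the JSON parser sees the body: the declared
     * type must be JSON and the size must be bounded. Hypothetical signature.
     */
    public static String readJsonBody(String contentType, InputStream in, int maxBytes) throws IOException {
        if (contentType == null
                || !contentType.toLowerCase(Locale.ROOT).startsWith("application/json")) {
            throw new IOException("unexpected Content-Type: " + contentType);
        }
        return new String(readBounded(in, maxBytes), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        final int limit = 4 * 1024;   // a login request is tiny; anything larger is not one
        // Constructed sample bodies.
        byte[] login = "{\"username\":\"alice\",\"password\":\"secret\"}".getBytes(StandardCharsets.UTF_8);
        byte[] oversized = new byte[limit + 1];

        System.out.println("login body: "
                + readJsonBody("application/json; charset=utf-8", new ByteArrayInputStream(login), limit));
        try {
            readJsonBody("application/json", new ByteArrayInputStream(oversized), limit);
        } catch (BodyTooLargeException e) {
            System.out.println("oversized body: " + e.getMessage());
        }
        try {
            readJsonBody("multipart/form-data", new ByteArrayInputStream(login), limit);
        } catch (IOException e) {
            System.out.println("wrong type: " + e.getMessage());
        }
    }
}
```

The returned String still has to be parsed with a JSON library and the resulting fields validated (see the allow-list example at the end of this page); bounding the body removes the upload vector, it does not validate the content.
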
4 votes, 0 answers

Spring boot controller how to sanitize user input (request dto) in order to pass a Checkmarx

I have sample Spring Boot controller code like the following: @Slf4j @RestController public class PersonController { private final PersonService PersonService; public PersonController(PersonService PersonService) { this.PersonService =…
ttt
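
Four questions on this page ("How to sanitize and validate user input to pass a Checkmarx scan", "How to validate and sanitize HTTP Get with Spring Boot?", "How to Sanitize and validate Pojo in Http Post to pass a Checkmarx scan" and the Spring Boot request DTO question just above) ask the same thing: the scanner reports that a request parameter or payload field flows to a sink without passing through a sanitizer it recognises. The fix that holds up is allow-list validation that rejects rather than repairs: define the exact shape each field may have, cap its length before any regex work, normalise it to one Unicode form, and refuse everything else with a 400. One added example serving all four, not the posters' code and not Spring or JAX-RS code: plain Java so it runs on its own, with the field names taken from the questions and the rules themselves (lengths, character sets, the verb list) being assumptions of the example:

```java
import java.text.Normalizer;
import java.util.regex.Pattern;

/** Allow-list validation for request fields: reject anything outside the expected shape. */
public final class InputRules {

    public static final class InvalidInputException extends IllegalArgumentException {
        public InvalidInputException(String field, String reason) {
            super(field + ": " + reason);
        }
    }

    // Hypothetical rules for the fields seen in the questions on this page.
    private static final Pattern ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");
    private static final Pattern PERSON_NAME = Pattern.compile("\\p{L}[\\p{L} .'-]{0,99}");
    private static final Pattern OPERATION = Pattern.compile("create|update|delete");

    /** A path parameter such as /{x}: an opaque identifier. */
    public static String id(String raw) {
        return check("x", raw, ID, 64);
    }

    /** A query parameter such as personName: letters plus a few separators. */
    public static String personName(String raw) {
        return check("personName", raw, PERSON_NAME, 100);
    }

    /** A field of a POST payload such as op: one of a fixed set of verbs. */
    public static String operation(String raw) {
        return check("op", raw, OPERATION, 16);
    }

    private static String check(String field, String raw, Pattern allow, int maxLen) {
        if (raw == null) {
            throw new InvalidInputException(field, "missing");
        }
        if (raw.length() > maxLen) {
            throw new InvalidInputException(field, "longer than " + maxLen);   // cap before regex work
        }
        // Normalise first, so the value that is compared, stored and later displayed is the same form.
        String norm = Normalizer.normalize(raw, Normalizer.Form.NFKC);
        if (!allow.matcher(norm).matches()) {             // matches() anchors the whole value
            throw new InvalidInputException(field, "contains characters outside the allow-list");
        }
        return norm;
    }

    public static void main(String[] args) {
        // Constructed inputs: the first of each pair is expected to pass, the second to be rejected.
        String[][] samples = {
            {"x", "order-2024_001"}, {"x", "../../etc/passwd"},
            {"personName", "Zoë O'Brien"}, {"personName", "Bob<script>alert(1)</script>"},
            {"op", "update"}, {"op", "update; drop table users"},
        };
        for (String[] s : samples) {
            try {
                String ok = s[0].equals("x") ? id(s[1])
                        : s[0].equals("op") ? operation(s[1])
                        : personName(s[1]);
                System.out.println("accepted " + s[0] + "=" + ok);
            } catch (InvalidInputException e) {
                System.out.println("rejected " + e.getMessage());
            }
        }
    }
}
```

In Spring the same rules can be expressed as @Pattern and @Size constraints on the DTO fields behind @Valid, or called from the controller before the service is invoked; in JAX-RS they run at the top of the resource method. Either way the scanner only stops reporting the flow when the query recognises the validator: a project-specific method like check() may need to be registered as a sanitizer through the Auditor, or the remaining results reviewed and marked as not exploitable.
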