Veracode provides automated static and dynamic application security testing software and remediation services
Questions tagged [veracode]
321 questions
26 votes, 7 answers
How to fix Veracode CWE 117 (Improper Output Neutralization for Logs)
There is a Spring global @ExceptionHandler(Exception.class) method which logs exceptions like this:
@ExceptionHandler(Exception.class)
void handleException(Exception ex) {
logger.error("Simple error message", ex);
...
Veracode scan says that…

Vitaliy Borisok
- 822
- 3
- 11
- 21
25 votes, 1 answer
How do I get details of a veracode vulnerability report?
I'm a maintainer of a popular JS library, Ramda, and we've recently received a report that the library is subject to a prototype pollution vulnerability. This has been tracked back to a…

Scott Sauyet
- 49,207
- 4
- 49
- 103
22 votes, 5 answers
How to configure the XML parser to disable external entity resolution in c#
var xDoc = XDocument.Load(fileName);
I am using the above code in a function to load an XML file. Functionality-wise it's working fine, but it is showing the following Veracode flaw after a Veracode check.
Description
The product processes an XML document…

MANISH KUMAR CHOUDHARY
- 3,396
- 3
- 22
- 34
9 votes, 1 answer
Insufficient Entropy from Veracode when generating random words using java.security.SecureRandom
I have created a class that generates random words (Alphanumerical) using org.apache.commons.lang.RandomStringUtils.
public String randomWord(int wordLength) {
return RandomStringUtils.random(wordLength, 0, 0, true, true, null, new…

D.PETIT
- 161
- 1
- 4
8 votes, 2 answers
Unable to rectify VeraCode CWE ID 918 - (SSRF) in ASP.NET
Long story short, no matter what I try, VeraCode continues to flag 8 lines of my code as flaws with CWE 918. This is old code, so I'm not sure why it's suddenly being flagged.
Here's an example [offending] method with the flagged line in bold
public…

m0r6aN
- 850
- 1
- 11
- 19
8 votes, 1 answer
How to prevent XML eXternal Entity (XXE) attack during .net deserialization
We are doing security analysis of our code using veracode and it's showing an XXE flaw for the below code, specifically where Deserialize() is invoked. How can we prevent the serializer from accessing external entities? My attempt below to set XMLresolver to…

user5837579
- 81
- 1
- 2
8 votes, 2 answers
How to resolve CWE-259: Use of Hard-coded Password?
I submitted my application EAR to the Veracode Security scanning tool and got this flaw in the below piece of code:
private String url = "jdbc:mysql://localhost:8081/sql";
private String userName = "xyz";
private String password =…

user1782009
- 299
- 4
- 15
- 32
7 votes, 1 answer
XXE: Improper Restriction of XML External Entity Reference With XDocument
So I am running into an issue when I run a security scan on my application. It turns out that I am failing to protect against XXE.
Here is a short snippet showing the offending code:
static void Main()
{
string inp =…

Bitz
- 1,128
- 11
- 33
7 votes, 2 answers
Veracode Insecure Temporary File error when using java.io.File.createTempFile
I need to create a temporary file and store some data into it. I have written the following code to do so:
import org.apache.commons.lang.RandomStringUtils;
import java.security.SecureRandom;
[...]
String random = RandomStringUtils.random(10, 0,…

D.PETIT
- 161
- 1
- 4
7 votes, 2 answers
Veracode XML External Entity Reference (XXE)
I've got the following finding in my veracode report:
Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611)
referring to the code below
...
DocumentBuilderFactory dbf=null;
DocumentBuilder db = null;
try { …

Jose Miguel
- 355
- 2
- 6
- 18
7 votes, 2 answers
"Untrusted initialization" flaw - while creating SQL Connection
I have done the following...
private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig)
{
return new QcDbConnectionProvider(() =>
{
SqlConnectionStringBuilder csBuilder = new…

NJMR
- 1,886
- 1
- 27
- 46
7 votes, 1 answer
Veracode, Debug Symbols, and XCode
I'm attempting to have an iOS application scanned by Veracode: an application security platform. In order for them to scan an .IPA, the .IPA needs to contain debug symbols.
For the Archive build-configuration and project/target being used, I've…

paiego
- 3,619
- 34
- 43
7 votes, 6 answers
How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
After running VeraCode, it reported the following error, "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", in the following code fragment:
protected override void InitializeCulture() {
//If true then setup…

piterskiy
- 177
- 2
- 6
- 14
6 votes, 2 answers
Javascript: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
I'm spending time trying to fix veracode scan flaw CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS).
What I do is an HTTP call to my backend in order to open a blob with a download file.
const xhr = new…

Ziko
- 919
- 2
- 10
- 22
6 votes, 2 answers
CWE 73 Error - Veracode Issue -.net application
I have been having a problem resolving a Veracode Scanner finding in my project. I created a function to validate a file, but it did not pass the veracode scanner.
Here is the code of my function:
public static string GetSafeFileName(string…

user3149261
- 61
- 1
- 3