HP Fortify Formatting Options - Annotate

I am trying to eliminate false positives from an HP Fortify scan of a Java application.

This method causes a "privacy violation" problem (PrintWriter - servlet response)

  private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      out.print(passwordRules);
      ...
  }

This is because Fortify follows naming conventions to decide that passwordRules contains personal data. But my passwordRules is not personal data - it contains things like "At least 8 characters."

I can remove the error by changing the variable name. However, in principle, I do not want to compromise the readability of my code in the interests of the source code analyzer.

I expected this to fix it:

  private void writeOutput(@FortifyNotPassword String passwordRules, PrintWriter out) ... 

However, it seems the annotation is not written for this context:

  The annotation @FortifyNotPassword is disallowed for this location. 

I tried:

  private void writeOutput(String passwordRules, PrintWriter out) {
      ...
      @FortifyNotPassword String rules = passwordRules;
      out.print(rules);
      ...
  }

... but this does not remove the false positive. (And it jeopardizes my principle of not making the code less readable.)

I also tried the above with @FortifyNotPrivate, with the same results.

So what is the right way to do this?

+6
1 answer

Fortify offers you two ways to deal with this situation: 1) suppress the issue or 2) hide the issue. Which one you choose depends on what you think will work best for you.

Suppressed issues. You can mark an issue as suppressed if you are sure that a particular vulnerability is not, and never will be, a problem. You may also want to suppress warnings for certain types of issues that are not a priority or urgent. For example, you might suppress issues that are already fixed, or issues that, in your case, you do not plan to fix. Suppressed issues are not included in the group totals shown in the issues panel. This approach may be best if you want to completely eliminate awareness of the issue.

Hidden issues. You can hide a group of issues temporarily to avoid distraction when you focus elsewhere. For example, you can hide all issues except those that are assigned to you. People assigned to fix issues that you have hidden in your view can still access them. The group totals displayed in the issues panel include hidden issues. If you find an issue in the folder list that you want to hide or redirect to another folder, you can create a new filter using the filter wizard. The filter wizard displays all attributes with the appropriate conditions for the filter. See p. 29 of HP_Fortify_Audit_Workbench_User_Guide_4.30; this documentation ships with your Fortify program files. This alternative may be preferred if you want others to know about the issues, even if you ignore them.

Removed issues. This alternative is not particularly relevant to your situation, but I present it for completeness. Because multiple scans are performed over time, issues are often resolved or become obsolete. When it merges scan results, Static Code Analyzer marks issues that were detected in the previous scan but no longer appear in the latest SCA analysis as "Removed". Removed issues are not included in the group totals displayed in the issues panel. Since you are not going to "fix" this issue, it will not become a "removed issue".

To show or hide suppressed, hidden, and removed issues, use the Options menu. Visibility filters show or hide issues.

+2

Source: https://habr.com/ru/post/988155/
