white listing solution against fortify erros does not remove the fortify errors -
when ran fority scanner reported misused authentication issue on below line
hostname=java.net.inetaddress.getlocalhost().gethostname();
i had written function validate host name against white list of host names below.
private string validatehost(string hostname) { string[] possiblehosts = {"host1","host2","host2","host4","host5",}; integer myhostindex = arrays.aslist(possiblehosts).indexof((hostname).tolowercase()); if(myhostindex>=0){ hostname = possiblehosts[myhostindex]; } else { hostname = ""; } return hostname; }
which called below line
hostname=validatehost(java.net.inetaddress.getlocalhost().gethostname());
but when run fority scan next time , still shows issue on same line after have done validaiton. can done remove fortify error.
to answer you, let me explain how fortify detects issue, why it's included, it.
how fortify detects issue: it's super grep. finds anywhere you're using java.net.inetaddress.getlocalhost().gethostname() , complains. unaffected data validation.
why this? because function used security purposes, , should not be. example, imagine dev wanted trust messages own domain, might use determine message came from. security of system relies on dns, not secure. (see details tab more info.)
what do: first, make sure you're trying java.net.inetaddress.getlocalhost().gethostname() safe. basically, you're not trying secure system code. ignore finding. @ companies help, write short explanation of why code ok, put in comment field of issue summary tab, , mark analysis "not issue." @ places, suppress it. if you're getting ton of these, can create filter knock out whole category, realize might knock out real issues way.
source of information: consultant @ fortify software 2008-2010, independent application security consultant since then.
Comments
Post a Comment