dradis-veracode 4.11.0 → 4.12.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/README.md +1 -2
- data/lib/dradis/plugins/veracode/field_processor.rb +14 -9
- data/lib/dradis/plugins/veracode/gem_version.rb +1 -1
- data/lib/dradis/plugins/veracode/importer.rb +18 -13
- data/lib/dradis/plugins/veracode/mapping.rb +54 -0
- data/lib/dradis/plugins/veracode.rb +1 -0
- data/lib/dradis-veracode.rb +1 -0
- data/lib/veracode/evidence.rb +46 -0
- data/lib/veracode/flaw.rb +2 -3
- data/spec/dradis/plugins/veracode/importer_spec.rb +50 -0
- data/spec/fixtures/files/veracode.xml +205 -0
- data/spec/spec_helper.rb +4 -0
- data/templates/evidence.sample +45 -0
- metadata +13 -6
- data/templates/issue.fields +0 -17
- data/templates/issue.template +0 -44
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 8cadfb51c79bec4707f3489a88d1e9f43c5c119590f72f690382a398ca4419fa
|
|
4
|
+
data.tar.gz: c02b8c3a15bd80bb9bce2941a71319886065c1dad2c4184ba80211f37337de42
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: bd8352cf57c9b4c5d92bd004276e4abde04785d3cd7497652cedf311cd500c9e3e1f7b7e7536343efedacd8569fe71dcad17b002899a17b4e9b42628b7c2f5fc
|
|
7
|
+
data.tar.gz: 780b2729fa4c5d7ea1b659c1bf11c6c5f1478af0994ea09ddf9adece63c1613ef97f43fc564d75f1a5913bc603c79271674735cdabb9ed9f5b50a3d70ea3900b
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -4,8 +4,7 @@
|
|
|
4
4
|
|
|
5
5
|
Upload [Veracode Static Analysis](https://www.veracode.com/products/binary-static-analysis-sast) security scanner XML output into Dradis.
|
|
6
6
|
|
|
7
|
-
The add-on requires [Dradis CE](https://
|
|
8
|
-
|
|
7
|
+
The add-on requires [Dradis CE](https://dradis.com/ce/) > 3.0, or [Dradis Pro](https://dradis.com/).
|
|
9
8
|
|
|
10
9
|
## More information
|
|
11
10
|
|
|
@@ -2,17 +2,22 @@ module Dradis
|
|
|
2
2
|
module Plugins
|
|
3
3
|
module Veracode
|
|
4
4
|
class FieldProcessor < Dradis::Plugins::Upload::FieldProcessor
|
|
5
|
-
def post_initialize(args={})
|
|
5
|
+
def post_initialize(args = {})
|
|
6
|
+
@record =
|
|
7
|
+
if (data.is_a?(::Veracode::Flaw) || data.is_a?(::Veracode::Evidence))
|
|
8
|
+
data
|
|
6
9
|
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
10
|
+
# Note: The evidence and flaw samples are the same but they need to
|
|
11
|
+
# be differentiated in the plugins manager preview. In that case,
|
|
12
|
+
# we're adding a "dradis_type" attribute in the evidence.sample file
|
|
13
|
+
elsif (data['dradis_type'] == 'evidence')
|
|
14
|
+
::Veracode::Evidence.new(data.at_xpath('./staticflaws/flaw'))
|
|
15
|
+
else
|
|
16
|
+
::Veracode::Flaw.new(data.at_xpath('./staticflaws/flaw'))
|
|
17
|
+
end
|
|
13
18
|
end
|
|
14
19
|
|
|
15
|
-
def value(args={})
|
|
20
|
+
def value(args = {})
|
|
16
21
|
field = args[:field]
|
|
17
22
|
|
|
18
23
|
# fields in the template are of the form <template>.<name>, where
|
|
@@ -20,7 +25,7 @@ module Dradis
|
|
|
20
25
|
# meaningless).
|
|
21
26
|
_, name = field.split('.')
|
|
22
27
|
|
|
23
|
-
@
|
|
28
|
+
@record.try(name) || 'n/a'
|
|
24
29
|
end
|
|
25
30
|
end
|
|
26
31
|
end
|
|
@@ -1,18 +1,18 @@
|
|
|
1
1
|
module Dradis::Plugins::Veracode
|
|
2
2
|
class Importer < Dradis::Plugins::Upload::Importer
|
|
3
3
|
def self.templates
|
|
4
|
-
{ issue: 'issue' }
|
|
4
|
+
{ evidence: 'evidence', issue: 'issue' }
|
|
5
5
|
end
|
|
6
6
|
|
|
7
7
|
# The framework will call this function if the user selects this plugin from
|
|
8
8
|
# the dropdown list and uploads a file.
|
|
9
9
|
# @returns true if the operation was successful, false otherwise
|
|
10
|
-
def import(params={})
|
|
11
|
-
file_content = File.read(
|
|
10
|
+
def import(params = {})
|
|
11
|
+
file_content = File.read(params[:file])
|
|
12
12
|
|
|
13
13
|
# Parse the uploaded file into a Ruby Hash
|
|
14
14
|
logger.info { "Parsing Veracode output from #{ params[:file] }..." }
|
|
15
|
-
xml = Nokogiri::XML(
|
|
15
|
+
xml = Nokogiri::XML(file_content)
|
|
16
16
|
logger.info { 'Done.' }
|
|
17
17
|
|
|
18
18
|
# Do a sanity check to confirm the user uploaded the right file
|
|
@@ -25,13 +25,13 @@ module Dradis::Plugins::Veracode
|
|
|
25
25
|
end
|
|
26
26
|
|
|
27
27
|
# create app_name, and parse attributes
|
|
28
|
-
parse_report_details(xml.root)
|
|
28
|
+
node = parse_report_details(xml.root)
|
|
29
29
|
|
|
30
30
|
# parse each severity > category > cwe > flaws
|
|
31
31
|
xml.root.xpath('./xmlns:severity').each do |xml_severity|
|
|
32
|
-
logger.info{ "\t => Severity (level: #{ xml_severity[:level] })" }
|
|
32
|
+
logger.info { "\t => Severity (level: #{ xml_severity[:level] })" }
|
|
33
33
|
xml_severity.xpath('.//xmlns:flaw').each do |xml_flaw|
|
|
34
|
-
parse_flaw(xml_flaw)
|
|
34
|
+
parse_flaw(xml_flaw, node)
|
|
35
35
|
end
|
|
36
36
|
end
|
|
37
37
|
end
|
|
@@ -42,7 +42,7 @@ module Dradis::Plugins::Veracode
|
|
|
42
42
|
def parse_report_details(xml_detailedreport)
|
|
43
43
|
app_name = xml_detailedreport[:app_name]
|
|
44
44
|
app_node = content_service.create_node(label: app_name)
|
|
45
|
-
logger.info{ "Adding report details (app_name: #{ app_name })" }
|
|
45
|
+
logger.info { "Adding report details (app_name: #{ app_name })" }
|
|
46
46
|
|
|
47
47
|
[
|
|
48
48
|
:app_id, :business_criticality, :business_owner, :business_unit,
|
|
@@ -52,15 +52,20 @@ module Dradis::Plugins::Veracode
|
|
|
52
52
|
end
|
|
53
53
|
|
|
54
54
|
app_node.save
|
|
55
|
+
app_node
|
|
55
56
|
end
|
|
56
57
|
|
|
58
|
+
def parse_flaw(xml_flaw, node)
|
|
59
|
+
cwe_id = xml_flaw[:cweid]
|
|
60
|
+
logger.info { "\t\t => Creating issue and evidence (flaw cweid: #{ cwe_id })" }
|
|
57
61
|
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
62
|
+
flaw = ::Veracode::Flaw.new(xml_flaw)
|
|
63
|
+
issue_text = mapping_service.apply_mapping(source: 'issue', data: flaw)
|
|
64
|
+
issue = content_service.create_issue(text: issue_text, id: cwe_id)
|
|
61
65
|
|
|
62
|
-
|
|
63
|
-
|
|
66
|
+
veracode_evidence = ::Veracode::Evidence.new(xml_flaw)
|
|
67
|
+
evidence_text = mapping_service.apply_mapping(source: 'evidence', data: veracode_evidence)
|
|
68
|
+
evidence = content_service.create_evidence(content: evidence_text, issue: issue, node: node)
|
|
64
69
|
end
|
|
65
70
|
end
|
|
66
71
|
end
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
module Dradis::Plugins::Veracode
|
|
2
|
+
module Mapping
|
|
3
|
+
DEFAULT_MAPPING = {
|
|
4
|
+
evidence: {
|
|
5
|
+
'Description' => '{{ veracode[evidence.description] }}',
|
|
6
|
+
'LineNumber' => '{{ veracode[evidence.line] }}',
|
|
7
|
+
'SourceFile' => '{{ veracode[evidence.sourcefile] }}'
|
|
8
|
+
},
|
|
9
|
+
issue: {
|
|
10
|
+
'Title' => '{{ veracode[issue.cwename] }}',
|
|
11
|
+
'CVSSv3.BaseScore' => 'n/a',
|
|
12
|
+
'CVSSv3.Vector' => 'n/a',
|
|
13
|
+
'Type' => 'Internal',
|
|
14
|
+
'Description' => '{{ veracode[issue.description] }}',
|
|
15
|
+
'Solution' => '{{ veracode[issue.remediation_status] }}',
|
|
16
|
+
'References' => 'https://cwe.mitre.org/data/definitions/{{ veracode[issue.cweid] }}.html',
|
|
17
|
+
'Severity' => '{{ veracode[issue.severity] }}',
|
|
18
|
+
'Category' => '{{ veracode[issue.categoryname] }}',
|
|
19
|
+
'CWE' => '{{ veracode[issue.cweid] }}',
|
|
20
|
+
'RemediationStatus' => '{{ veracode[issue.remediation_status] }}'
|
|
21
|
+
}
|
|
22
|
+
}.freeze
|
|
23
|
+
|
|
24
|
+
SOURCE_FIELDS = {
|
|
25
|
+
evidence: [
|
|
26
|
+
'evidence.description',
|
|
27
|
+
'evidence.exploitlevel',
|
|
28
|
+
'evidence.issueid',
|
|
29
|
+
'evidence.line',
|
|
30
|
+
'evidence.mitigation_status',
|
|
31
|
+
'evidence.mitigation_status_desc',
|
|
32
|
+
'evidence.module',
|
|
33
|
+
'evidence.remediation_status',
|
|
34
|
+
'evidence.remediationeffort',
|
|
35
|
+
'evidence.sourcefile',
|
|
36
|
+
'evidence.sourcefilepath'
|
|
37
|
+
],
|
|
38
|
+
issue: [
|
|
39
|
+
'issue.categoryid',
|
|
40
|
+
'issue.categoryname',
|
|
41
|
+
'issue.cweid',
|
|
42
|
+
'issue.cwename',
|
|
43
|
+
'issue.description',
|
|
44
|
+
'issue.exploitlevel',
|
|
45
|
+
'issue.mitigation_status',
|
|
46
|
+
'issue.mitigation_status_desc',
|
|
47
|
+
'issue.note',
|
|
48
|
+
'issue.remediation_status',
|
|
49
|
+
'issue.remediationeffort',
|
|
50
|
+
'issue.severity'
|
|
51
|
+
]
|
|
52
|
+
}.freeze
|
|
53
|
+
end
|
|
54
|
+
end
|
data/lib/dradis-veracode.rb
CHANGED
|
@@ -0,0 +1,46 @@
|
|
|
1
|
+
module Veracode
|
|
2
|
+
class Evidence
|
|
3
|
+
# Accepts an XML node from Nokogiri::XML.
|
|
4
|
+
def initialize(xml_flaw)
|
|
5
|
+
@xml = xml_flaw
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
# List of supported tags. They can be attributes, simple descendans or
|
|
9
|
+
# collections (e.g. <references/>, <tags/>)
|
|
10
|
+
def supported_tags
|
|
11
|
+
[
|
|
12
|
+
:description, :exploitlevel, :issueid, :line, :mitigation_status,
|
|
13
|
+
:mitigation_status_desc, :module, :remediation_status,
|
|
14
|
+
:remediationeffort, :sourcefile, :sourcefilepath
|
|
15
|
+
]
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
# This allows external callers (and specs) to check for implemented
|
|
19
|
+
# properties
|
|
20
|
+
def respond_to?(method, include_private = false)
|
|
21
|
+
return true if supported_tags.include?(method.to_sym)
|
|
22
|
+
super
|
|
23
|
+
end
|
|
24
|
+
|
|
25
|
+
# This method is invoked by Ruby when a method that is not defined in this
|
|
26
|
+
# instance is called.
|
|
27
|
+
#
|
|
28
|
+
# In our case we inspect the @method@ parameter and try to find the
|
|
29
|
+
# attribute, simple descendent or collection that it maps to in the XML
|
|
30
|
+
# tree.
|
|
31
|
+
def method_missing(method, *args)
|
|
32
|
+
# We could remove this check and return nil for any non-recognized tag.
|
|
33
|
+
# The problem would be that it would make tricky to debug problems with
|
|
34
|
+
# typos. For instance: <>.potr would return nil instead of raising an
|
|
35
|
+
# exception
|
|
36
|
+
unless supported_tags.include?(method)
|
|
37
|
+
super
|
|
38
|
+
return
|
|
39
|
+
end
|
|
40
|
+
|
|
41
|
+
# First we try the attributes
|
|
42
|
+
method_name = method.to_s
|
|
43
|
+
return @xml.attributes[method_name].value if @xml.attributes.key?(method_name)
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
data/lib/veracode/flaw.rb
CHANGED
|
@@ -20,9 +20,8 @@ module Veracode
|
|
|
20
20
|
[
|
|
21
21
|
# attributes
|
|
22
22
|
:categoryid, :categoryname, :cweid, :cwename, :description, :exploitlevel,
|
|
23
|
-
:
|
|
24
|
-
:
|
|
25
|
-
:sourcefilepath
|
|
23
|
+
:mitigation_status, :mitigation_status_desc, :note, :remediation_status,
|
|
24
|
+
:remediationeffort, :severity
|
|
26
25
|
]
|
|
27
26
|
end
|
|
28
27
|
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
require 'ostruct'
|
|
3
|
+
|
|
4
|
+
describe Dradis::Plugins::Veracode::Importer do
|
|
5
|
+
|
|
6
|
+
before(:each) do
|
|
7
|
+
# Stub template service
|
|
8
|
+
templates_dir = File.expand_path('../../../../../templates', __FILE__)
|
|
9
|
+
expect_any_instance_of(Dradis::Plugins::TemplateService)
|
|
10
|
+
.to receive(:default_templates_dir).and_return(templates_dir)
|
|
11
|
+
|
|
12
|
+
# Init services
|
|
13
|
+
plugin = Dradis::Plugins::Veracode
|
|
14
|
+
|
|
15
|
+
@content_service = Dradis::Plugins::ContentService::Base.new(
|
|
16
|
+
logger: Logger.new(STDOUT),
|
|
17
|
+
plugin: plugin
|
|
18
|
+
)
|
|
19
|
+
|
|
20
|
+
@importer = plugin::Importer.new(
|
|
21
|
+
content_service: @content_service
|
|
22
|
+
)
|
|
23
|
+
|
|
24
|
+
# Stub dradis-plugins methods
|
|
25
|
+
#
|
|
26
|
+
# They return their argument hashes as objects mimicking
|
|
27
|
+
# Nodes, Issues, etc
|
|
28
|
+
allow(@content_service).to receive(:create_node) do |args|
|
|
29
|
+
obj = OpenStruct.new(args)
|
|
30
|
+
obj.define_singleton_method(:set_property) { |*| }
|
|
31
|
+
obj.define_singleton_method(:set_service) { |*| }
|
|
32
|
+
obj
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
|
|
36
|
+
it 'creates nodes, issues, and, evidence' do
|
|
37
|
+
expect(@content_service).to receive(:create_node).with(hash_including label: 'Cybersecurity-Pilot').once
|
|
38
|
+
|
|
39
|
+
%w{ 117 382 }.each do |cweid|
|
|
40
|
+
expect(@content_service).to receive(:create_issue).with(hash_including id: cweid).at_least(:once)
|
|
41
|
+
end
|
|
42
|
+
|
|
43
|
+
%w{ 107 129 333 }.each do |line|
|
|
44
|
+
expect(@content_service).to receive(:create_evidence).with(hash_including(content: a_string_matching(/#{line}/))).once
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
# Run the import
|
|
48
|
+
@importer.import(file: 'spec/fixtures/files/veracode.xml')
|
|
49
|
+
end
|
|
50
|
+
end
|
|
@@ -0,0 +1,205 @@
|
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
2
|
+
|
|
3
|
+
<detailedreport xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="https://www.veracode.com/schema/reports/export/1.0" xsi:schemaLocation="https://www.veracode.com/schema/reports/export/1.0 https://analysiscenter.veracode.com/resource/detailedreport.xsd" report_format_version="1.5" account_id="10470" app_name="Cybersecurity-Pilot" app_id="1280614" analysis_id="22666593" static_analysis_unit_id="22682243" sandbox_id="4031820" first_build_submitted_date="2022-12-12 06:18:41 UTC" version="12 Dec 2022 Static Promoted" build_id="22695302" submitter="Sai Manjunath Reddy Katha" platform="Not Specified" assurance_level="2" business_criticality="2" generation_date="2023-03-07 14:45:59 UTC" veracode_level="VL3 + SCA" total_flaws="3" flaws_not_mitigated="3" teams="SecurityReviewServices" life_cycle_stage="Not Specified" planned_deployment_date="2022-12-12 07:40:09 UTC" last_update_time="2022-12-12 08:20:14 UTC" is_latest_build="true" policy_name="HP Internet App" policy_version="13" policy_compliance_status="Pass" policy_rules_status="Pass" grace_period_expired="false" scan_overdue="false" business_owner="Hoelzer, Ralf" business_unit="Cybersecurity" tags="sammuel.washington@hp.com" legacy_scan_engine="false"><static-analysis rating="A" score="99" submitted_date="2022-12-12 08:19:44 UTC" published_date="2022-12-12 08:20:13 UTC" version="12 Dec 2022 Static Promoted" analysis_size_bytes="105400" engine_version="20221110172554">
|
|
4
|
+
<modules>
|
|
5
|
+
<module name="pipeline-scan.jar" compiler="JAVAC_8" os="Java J2SE 8" architecture="JVM" loc="6130" score="99" numflawssev0="0" numflawssev1="0" numflawssev2="1" numflawssev3="2" numflawssev4="0" numflawssev5="0"/>
|
|
6
|
+
</modules>
|
|
7
|
+
</static-analysis>
|
|
8
|
+
<severity level="5"/>
|
|
9
|
+
<severity level="4"/>
|
|
10
|
+
<severity level="3">
|
|
11
|
+
<category categoryid="21" categoryname="CRLF Injection" pcirelated="true">
|
|
12
|
+
<desc>
|
|
13
|
+
<para text="The acronym CRLF stands for "Carriage Return, Line Feed" and refers to the sequence of characters used to denote the end of a line of text. CRLF injection vulnerabilities occur when data enters an application from an untrusted source and is not properly validated before being used. For example, if an attacker is able to inject a CRLF into a log file, he could append falsified log entries, thereby misleading administrators or cover traces of the attack. If an attacker is able to inject CRLFs into an HTTP response header, he can use this ability to carry out other attacks such as cache poisoning. CRLF vulnerabilities primarily affect data integrity. "/>
|
|
14
|
+
</desc>
|
|
15
|
+
<recommendations>
|
|
16
|
+
<para text="Apply robust input filtering for all user-supplied data, using centralized data validation routines when possible. Use output filters to sanitize all output derived from user-supplied input, replacing non-alphanumeric characters with their HTML entity equivalents."/>
|
|
17
|
+
</recommendations>
|
|
18
|
+
<cwe cweid="117" cwename="Improper Output Neutralization for Logs" pcirelated="true" owasp="1355" certjava="1134">
|
|
19
|
+
<description>
|
|
20
|
+
<text text="A function call could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible."/>
|
|
21
|
+
</description>
|
|
22
|
+
<staticflaws>
|
|
23
|
+
<flaw severity="3" categoryname="Improper Output Neutralization for Logs" count="1" issueid="6" module="pipeline-scan.jar" type="org.slf4j.Logger.debug" description="This call to org.slf4j.Logger.debug() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to debug() contains tainted data from the variable escapedString. The tainted data originated from an earlier call to org.apache.http.impl.client.CloseableHttpClient.execute.

Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: 
CWE (https://cwe.mitre.org/data/definitions/117.html) 
OWASP (https://owasp.org/www-community/attacks/Log_Injection) 
Supported Cleansers (https://docs.veracode.com/r/review_cleansers?tocId=nYnZqAenFFZmB75MQrZwuA)

" note="" cweid="117" remediationeffort="2" exploitLevel="1" categoryid="21" pcirelated="true" date_first_occurrence="2022-12-12 07:40:07 UTC" remediation_status="New" cia_impact="npp" grace_period_expires="" affects_policy_compliance="false" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="SecureLogger.java" line="129" sourcefilepath="com/veracode/security/logging/" scope="com.veracode.security.logging.SecureLogger" functionprototype="void debug(java.lang.String)" functionrelativelocation="62"/>
|
|
24
|
+
<flaw severity="3" categoryname="Improper Output Neutralization for Logs" count="1" issueid="7" module="pipeline-scan.jar" type="org.slf4j.Logger.error" description="This call to org.slf4j.Logger.error() could result in a log forging attack. Writing untrusted data into a log file allows an attacker to forge log entries or inject malicious content into log files. Corrupted log files can be used to cover an attacker's tracks or as a delivery mechanism for an attack on a log viewing or processing utility. For example, if a web administrator uses a browser-based utility to review logs, a cross-site scripting attack might be possible. The first argument to error() contains tainted data from the variable escapedString. The tainted data originated from an earlier call to org.apache.http.impl.client.CloseableHttpClient.execute.

Avoid directly embedding user input in log files when possible. Sanitize untrusted data used to construct log entries by using a safe logging mechanism such as the OWASP ESAPI Logger, which will automatically remove unexpected carriage returns and line feeds and can be configured to use HTML entity encoding for non-alphanumeric data. Alternatively, some of the XSS escaping functions from the OWASP Java Encoder project will also sanitize CRLF sequences. Only create a custom blocklist when absolutely necessary. Always validate untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible.

References: 
CWE (https://cwe.mitre.org/data/definitions/117.html) 
OWASP (https://owasp.org/www-community/attacks/Log_Injection) 
Supported Cleansers (https://docs.veracode.com/r/review_cleansers?tocId=nYnZqAenFFZmB75MQrZwuA)

" note="" cweid="117" remediationeffort="2" exploitLevel="1" categoryid="21" pcirelated="true" date_first_occurrence="2022-12-12 07:40:07 UTC" remediation_status="New" cia_impact="npp" grace_period_expires="" affects_policy_compliance="false" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="SecureLogger.java" line="333" sourcefilepath="com/veracode/security/logging/" scope="com.veracode.security.logging.SecureLogger" functionprototype="void error(java.lang.String)" functionrelativelocation="62"/>
|
|
25
|
+
</staticflaws>
|
|
26
|
+
</cwe>
|
|
27
|
+
</category>
|
|
28
|
+
</severity>
|
|
29
|
+
<severity level="2">
|
|
30
|
+
<category categoryid="14" categoryname="Time and State" pcirelated="false">
|
|
31
|
+
<desc>
|
|
32
|
+
<para text="Time and State flaws are related to unexpected interactions between threads, processes, time, and information. These interactions happen through shared state: semaphores, variables, the filesystem, and basically anything that can store information. Vulnerabilities occur when there is a discrepancy between the programmer's assumption of how a program executes and what happens in reality. "/>
|
|
33
|
+
<para text="State issues result from improper management or invalid assumptions about system state, such as assuming mutable objects are immutable. Though these conditions are less commonly exploited by attackers, state issues can lead to unpredictable or undefined application behavior."/>
|
|
34
|
+
</desc>
|
|
35
|
+
<recommendations>
|
|
36
|
+
<para text="Limit the interleaving of operations on resources from multiple processes. Use locking mechanisms to protect resources effectively. Follow best practices with respect to mutable objects and internal references. Pay close attention to asynchronous actions in processes and make copious use of sanity checks in systems that may be subject to synchronization errors."/>
|
|
37
|
+
</recommendations>
|
|
38
|
+
<cwe cweid="382" cwename="J2EE Bad Practices: Use of System.exit()" pcirelated="false" certjava="1141">
|
|
39
|
+
<description>
|
|
40
|
+
<text text="A web applications should not attempt to shut down its container. A call to System.exit() is probably part of leftover debug code or code imported from a non-J2EE application. Non-web applications may contain a main() method that calls System.exit(), but generally should not call it from other locations in the code."/>
|
|
41
|
+
</description>
|
|
42
|
+
<staticflaws>
|
|
43
|
+
<flaw severity="2" categoryname="J2EE Bad Practices: Use of System.exit()" count="1" issueid="8" module="pipeline-scan.jar" type="exit" description="A J2EE application should not attempt to shut down its container. A call to System.exit() is probably part of leftover debug code or code imported from a non-J2EE application. Non-web applications may contain a main() method that calls System.exit(), but generally should not call it from other locations in the code.

Ensure that System.exit() is never called by web applications.

References: 
CWE (https://cwe.mitre.org/data/definitions/382.html)

" note="" cweid="382" remediationeffort="1" exploitLevel="-1" categoryid="14" pcirelated="false" date_first_occurrence="2022-12-12 07:40:07 UTC" remediation_status="New" cia_impact="nnp" grace_period_expires="" affects_policy_compliance="false" mitigation_status="none" mitigation_status_desc="Not Mitigated" sourcefile="Main.java" line="107" sourcefilepath="com/veracode/greenlight/tools/scanner/" scope="com.veracode.greenlight.tools.scanner.Main$1" functionprototype="void run()" functionrelativelocation="89"/>
|
|
44
|
+
</staticflaws>
|
|
45
|
+
</cwe>
|
|
46
|
+
</category>
|
|
47
|
+
</severity>
|
|
48
|
+
<severity level="1"/>
|
|
49
|
+
<severity level="0"/>
|
|
50
|
+
<flaw-status new="3" reopen="0" open="0" fixed="0" total="3" not_mitigated="3" sev-1-change="0" sev-2-change="1" sev-3-change="2" sev-4-change="0" sev-5-change="0"/>
|
|
51
|
+
<customfields>
|
|
52
|
+
<customfield name="AppOwner" value=""/>
|
|
53
|
+
<customfield name="SRSID" value=""/>
|
|
54
|
+
<customfield name="Custom 3" value=""/>
|
|
55
|
+
<customfield name="Custom 4" value=""/>
|
|
56
|
+
<customfield name="Custom 5" value=""/>
|
|
57
|
+
<customfield name="Custom 6" value=""/>
|
|
58
|
+
<customfield name="Custom 7" value=""/>
|
|
59
|
+
<customfield name="Custom 8" value=""/>
|
|
60
|
+
<customfield name="Custom 9" value=""/>
|
|
61
|
+
<customfield name="Custom 10" value=""/>
|
|
62
|
+
</customfields>
|
|
63
|
+
<software_composition_analysis third_party_components="9" violate_policy="false" components_violated_policy="0">
|
|
64
|
+
<vulnerable_components>
|
|
65
|
+
<component component_id="06d4eae9-a85b-4990-80c2-2eba0d755ca4" file_name="jakarta.activation-api-1.2.1.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="1.2.1" library="Jakarta Activation API" library_id="maven:jakarta.activation:jakarta.activation-api:1.2.1:" vendor="jakarta.activation" description="" added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
66
|
+
<file_paths>
|
|
67
|
+
<file_path value="pipeline-scan.jar:jakarta.activation-api-1.2.1.jar"/>
|
|
68
|
+
</file_paths>
|
|
69
|
+
<licenses>
|
|
70
|
+
<license name="Eclipse Distribution License (EDL)" spdx_id="EDL" license_url="https://www.eclipse.org/org/documents/edl-v10.php" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
71
|
+
<mitigations/>
|
|
72
|
+
</license>
|
|
73
|
+
</licenses>
|
|
74
|
+
<vulnerabilities/>
|
|
75
|
+
<violated_policy_rules/>
|
|
76
|
+
</component>
|
|
77
|
+
<component component_id="08a62a28-97a7-4d63-ab8a-ec54de0271a3" file_name="jaxb-impl-2.3.2.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="2.3.2" library="Old JAXB Runtime" library_id="maven:com.sun.xml.bind:jaxb-impl:2.3.2:" vendor="com.sun.xml.bind" description="Old JAXB Runtime module. Contains sources required for runtime processing." added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
78
|
+
<file_paths>
|
|
79
|
+
<file_path value="pipeline-scan.jar:jaxb-impl-2.3.2.jar"/>
|
|
80
|
+
</file_paths>
|
|
81
|
+
<licenses>
|
|
82
|
+
<license name="Eclipse Distribution License (EDL)" spdx_id="EDL" license_url="https://www.eclipse.org/org/documents/edl-v10.php" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
83
|
+
<mitigations/>
|
|
84
|
+
</license>
|
|
85
|
+
</licenses>
|
|
86
|
+
<vulnerabilities/>
|
|
87
|
+
<violated_policy_rules/>
|
|
88
|
+
</component>
|
|
89
|
+
<component component_id="0ebf669d-3c5b-4031-8488-8c1519f2ceb8" file_name="commons-logging-1.2.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="1.2" library="Apache Commons Logging" library_id="maven:commons-logging:commons-logging:1.2:" vendor="commons-logging" description="Apache Commons Logging is a thin adapter allowing configurable bridging to other,
 well known logging systems." added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
90
|
+
<file_paths>
|
|
91
|
+
<file_path value="pipeline-scan.jar:commons-logging-1.2.jar"/>
|
|
92
|
+
</file_paths>
|
|
93
|
+
<licenses>
|
|
94
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
95
|
+
<mitigations/>
|
|
96
|
+
</license>
|
|
97
|
+
</licenses>
|
|
98
|
+
<vulnerabilities/>
|
|
99
|
+
<violated_policy_rules/>
|
|
100
|
+
</component>
|
|
101
|
+
<component component_id="3df5187f-1b71-481e-a108-6e1bd3db2729" file_name="ini4j-0.5.4.jar" sha1="" vulnerabilities="1" max_cvss_score="5.0" version="0.5.4" library="ini4j" library_id="maven:org.ini4j:ini4j:0.5.4:" vendor="org.ini4j" description="Java API for handling configuration files in Windows .ini format. The library includes its own Map based API, Java Preferences API and Java Beans API for handling .ini files. Additionally, the library includes a feature rich (variable/macro substitution, multiply property values, etc) java.util.Properties replacement." added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
102
|
+
<file_paths>
|
|
103
|
+
<file_path value="pipeline-scan.jar:ini4j-0.5.4.jar"/>
|
|
104
|
+
</file_paths>
|
|
105
|
+
<licenses>
|
|
106
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
107
|
+
<mitigations/>
|
|
108
|
+
</license>
|
|
109
|
+
</licenses>
|
|
110
|
+
<vulnerabilities>
|
|
111
|
+
<vulnerability cve_id="CVE-2022-41404" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08:19:48 UTC" cve_summary="org.ini4j:ini4j is vulnerable to denial of service (DoS) attacks. The vulnerable `fetch` method in the `BasicProfile.java` allows remote attackers to cause denial of service conditions in the target system." severity_desc="Medium" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2023-01-05 16:15:07 UTC" vulnerability_affects_policy_compliance="false">
|
|
112
|
+
<mitigations>
|
|
113
|
+
<mitigation action="Potential False Positive" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2023-01-05 16:15:07 UTC"/>
|
|
114
|
+
<mitigation action="Approve Mitigation" description="asda" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 16:00:29 UTC"/>
|
|
115
|
+
<mitigation action="Mitigate by Design" description="
Technique: M1 : Establish and maintain control over all of your inputs
Specifics: sds
Remaining Risk: sd
Verification: asd" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 15:59:53 UTC"/>
|
|
116
|
+
</mitigations>
|
|
117
|
+
</vulnerability>
|
|
118
|
+
</vulnerabilities>
|
|
119
|
+
<violated_policy_rules/>
|
|
120
|
+
</component>
|
|
121
|
+
<component component_id="5a8617f6-6158-4b69-bbf3-fd8aba83235f" file_name="jsoup-1.14.3.jar" sha1="" vulnerabilities="1" max_cvss_score="6.4" version="1.14.3" library="jsoup Java HTML Parser" library_id="maven:org.jsoup:jsoup:1.14.3:" vendor="org.jsoup" description="" added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
122
|
+
<file_paths>
|
|
123
|
+
<file_path value="pipeline-scan.jar:jsoup-1.14.3.jar"/>
|
|
124
|
+
</file_paths>
|
|
125
|
+
<licenses>
|
|
126
|
+
<license name="MIT License" spdx_id="MIT" license_url="https://spdx.org/licenses/MIT.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
127
|
+
<mitigations/>
|
|
128
|
+
</license>
|
|
129
|
+
</licenses>
|
|
130
|
+
<vulnerabilities>
|
|
131
|
+
<vulnerability cve_id="CVE-2022-36033" cvss_score="6.4" severity="4" cwe_id="CWE-79" first_found_date="2022-12-12 08:19:48 UTC" cve_summary="jsoup is vulnerable to cross-site scripting. The vulnerability exists in `resolve` function in `StringUtil.java` because the jsoup cleaner is not properly sanitized when SafeList.preserveRelativeLinks is enabled which allows an attacker to inject and execute arbitrary javascript." severity_desc="High" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2022-12-12 08:57:30 UTC" vulnerability_affects_policy_compliance="false">
|
|
132
|
+
<mitigations>
|
|
133
|
+
<mitigation action="Approve Mitigation" description="testg" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 08:57:30 UTC"/>
|
|
134
|
+
<mitigation action="Potential False Positive" description="testr" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 08:57:21 UTC"/>
|
|
135
|
+
</mitigations>
|
|
136
|
+
</vulnerability>
|
|
137
|
+
</vulnerabilities>
|
|
138
|
+
<violated_policy_rules/>
|
|
139
|
+
</component>
|
|
140
|
+
<component component_id="bd3b71c3-7d16-45d7-b0fd-50db30003713" file_name="httpcomponents-httpmime-4.5.10.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="4.5.10" library="Apache HttpMime" library_id="maven:org.lucee:httpcomponents-httpmime:4.5.10:" vendor="org.lucee" description="" added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
141
|
+
<file_paths>
|
|
142
|
+
<file_path value="pipeline-scan.jar:httpcomponents-httpmime-4.5.10.jar"/>
|
|
143
|
+
</file_paths>
|
|
144
|
+
<licenses>
|
|
145
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
146
|
+
<mitigations/>
|
|
147
|
+
</license>
|
|
148
|
+
</licenses>
|
|
149
|
+
<vulnerabilities/>
|
|
150
|
+
<violated_policy_rules/>
|
|
151
|
+
</component>
|
|
152
|
+
<component component_id="c030254f-1578-4795-98c2-092fa603c97d" file_name="commons-lang3-3.11.jar" sha1="" vulnerabilities="0" max_cvss_score="" version="3.11" library="Apache Commons Lang" library_id="maven:org.apache.commons:commons-lang3:3.11:" vendor="org.apache.commons" description="" added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
153
|
+
<file_paths>
|
|
154
|
+
<file_path value="pipeline-scan.jar:commons-lang3-3.11.jar"/>
|
|
155
|
+
</file_paths>
|
|
156
|
+
<licenses>
|
|
157
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
158
|
+
<mitigations/>
|
|
159
|
+
</license>
|
|
160
|
+
</licenses>
|
|
161
|
+
<vulnerabilities/>
|
|
162
|
+
<violated_policy_rules/>
|
|
163
|
+
</component>
|
|
164
|
+
<component component_id="c51a9485-8565-436f-a414-34cab4215f4a" file_name="commons-codec-1.11.jar" sha1="" vulnerabilities="1" max_cvss_score="5.0" version="1.11" library="Apache Commons Codec" library_id="maven:commons-codec:commons-codec:1.11:" vendor="commons-codec" description="The Apache Commons Codec package contains simple encoder and decoders for
 various formats such as Base64 and Hexadecimal. In addition to these
 widely used encoders and decoders, the codec package also maintains a
 collection of phonetic encoding utilities." added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
165
|
+
<file_paths>
|
|
166
|
+
<file_path value="pipeline-scan.jar:commons-codec-1.11.jar"/>
|
|
167
|
+
</file_paths>
|
|
168
|
+
<licenses>
|
|
169
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
170
|
+
<mitigations/>
|
|
171
|
+
</license>
|
|
172
|
+
</licenses>
|
|
173
|
+
<vulnerabilities>
|
|
174
|
+
<vulnerability cve_id="SRCCLR-SID-22742" cvss_score="5.0" severity="3" cwe_id="" first_found_date="2022-12-12 08:19:48 UTC" cve_summary="commons-codec does not properly perform input validation on encoded values. The `decode()` function in the Base32, Base64 and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and decodes into arbitrary values. A remote attacker can leverage this vulnerability to tunnel additional information via Base32 or Base64 encoded strings that appears to be legitimate." severity_desc="Medium" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2023-01-04 17:38:44 UTC" vulnerability_affects_policy_compliance="false">
|
|
175
|
+
<mitigations>
|
|
176
|
+
<mitigation action="Comment" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2023-01-04 17:38:44 UTC"/>
|
|
177
|
+
<mitigation action="Approve Mitigation" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 08:22:48 UTC"/>
|
|
178
|
+
<mitigation action="Potential False Positive" description="testing" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 08:22:36 UTC"/>
|
|
179
|
+
</mitigations>
|
|
180
|
+
</vulnerability>
|
|
181
|
+
</vulnerabilities>
|
|
182
|
+
<violated_policy_rules/>
|
|
183
|
+
</component>
|
|
184
|
+
<component component_id="eb34211e-6076-44cf-9edf-b2cf2e000688" file_name="commons-text-1.9.jar" sha1="" vulnerabilities="1" max_cvss_score="7.5" version="1.9" library="Apache Commons Text" library_id="maven:org.apache.commons:commons-text:1.9:" vendor="org.apache.commons" description="" added_date="2022-12-12 08:19:48 UTC" component_affects_policy_compliance="false">
|
|
185
|
+
<file_paths>
|
|
186
|
+
<file_path value="pipeline-scan.jar:commons-text-1.9.jar"/>
|
|
187
|
+
</file_paths>
|
|
188
|
+
<licenses>
|
|
189
|
+
<license name="Apache License 2.0" spdx_id="Apache-2.0" license_url="https://spdx.org/licenses/Apache-2.0.html" risk_rating="2" mitigation="false" license_affects_policy_compliance="false">
|
|
190
|
+
<mitigations/>
|
|
191
|
+
</license>
|
|
192
|
+
</licenses>
|
|
193
|
+
<vulnerabilities>
|
|
194
|
+
<vulnerability cve_id="CVE-2022-42889" cvss_score="7.5" severity="4" cwe_id="CWE-94" first_found_date="2022-12-12 08:19:48 UTC" cve_summary="Apache Commons Text is vulnerable to arbitrary code execution. The vulnerability exists in the `lookup` module due to insecure interpolation defaults when untrusted configuration values are used which allows an attacker to inject arbitrary code into the system." severity_desc="High" mitigation="true" mitigation_type="Potential False Positive" mitigated_date="2022-12-12 15:58:13 UTC" vulnerability_affects_policy_compliance="false">
|
|
195
|
+
<mitigations>
|
|
196
|
+
<mitigation action="Approve Mitigation" description="tets" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 15:58:13 UTC"/>
|
|
197
|
+
<mitigation action="Potential False Positive" description="test" user="login.external.hp.comkatha.sai.manjunath.reddy@hp.com" date="2022-12-12 15:58:06 UTC"/>
|
|
198
|
+
</mitigations>
|
|
199
|
+
</vulnerability>
|
|
200
|
+
</vulnerabilities>
|
|
201
|
+
<violated_policy_rules/>
|
|
202
|
+
</component>
|
|
203
|
+
</vulnerable_components>
|
|
204
|
+
</software_composition_analysis>
|
|
205
|
+
</detailedreport>
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
<?xml version="1.0"?>
|
|
2
|
+
<cwe cweid="259" cwename="Use of Hard-coded Password" pcirelated="true" owasp="1353" sans="798" certjava="1152" dradis_type="evidence">
|
|
3
|
+
<description>
|
|
4
|
+
<text text="A method uses a hard-coded password that may compromise system security in a way that cannot be easily remedied. The use of a hard-coded password significantly increases the possibility that the account being protected will be compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password is compromised in a commercial product, all deployed instances may be vulnerable to attack."/>
|
|
5
|
+
</description>
|
|
6
|
+
<staticflaws>
|
|
7
|
+
<flaw
|
|
8
|
+
severity="4"
|
|
9
|
+
categoryname="Use of Hard-coded Password"
|
|
10
|
+
count="1"
|
|
11
|
+
issueid="125"
|
|
12
|
+
module="JS files within myBank_SourceCode_1119224.zip"
|
|
13
|
+
type="set"
|
|
14
|
+
description="This variable assignment uses a hard-coded password that may compromise system security in a way that cannot be easily remedied. The use of a hard-coded password significantly increases the possibility that the account being protected will be compromised. Moreover, the password cannot be changed without patching the software. If a hard-coded password is compromised in a commercial product, all deployed instances may be vulnerable to attack. In some cases, this finding may indicate a reference to a password (e.g. the name of a key in a properties file) rather than an actual password. set Store passwords out-of-band from the application code. Follow best practices for protecting credentials stored in locations such as configuration or properties files. An HSM may be appropriate for particularly sensitive credentials. References: CWE (https://cwe.mitre.org/data/definitions/259.html) "
|
|
15
|
+
note=""
|
|
16
|
+
cweid="259"
|
|
17
|
+
remediationeffort="4"
|
|
18
|
+
exploitLevel="1"
|
|
19
|
+
categoryid="10"
|
|
20
|
+
pcirelated="true"
|
|
21
|
+
date_first_occurrence="2021-12-10 07:49:58 UTC"
|
|
22
|
+
remediation_status="Potential False Positive"
|
|
23
|
+
cia_impact="ppn"
|
|
24
|
+
grace_period_expires="2022-02-09 22:50:56 UTC"
|
|
25
|
+
affects_policy_compliance="true"
|
|
26
|
+
mitigation_status="accepted"
|
|
27
|
+
mitigation_status_desc="Mitigation Accepted"
|
|
28
|
+
sourcefile="constants.ts"
|
|
29
|
+
line="186"
|
|
30
|
+
sourcefilepath="/libraries/mybank/src/"
|
|
31
|
+
scope="UNKNOWN"
|
|
32
|
+
functionprototype="!main() : void"
|
|
33
|
+
functionrelativelocation="-1">
|
|
34
|
+
|
|
35
|
+
<mitigations>
|
|
36
|
+
<mitigation action="Potential False Positive" description="As discussed last week, these are potential false positives. Need your review." user="Adama" date="2022-01-24 21:55:55 UTC"/>
|
|
37
|
+
<mitigation action="Potential False Positive" description="All six items are API keys used to authenticate with a service. None of the marked code lines are storing the password directly" user="Starbuck" date="2022-01-25 06:38:52 UTC"/>
|
|
38
|
+
</mitigations>
|
|
39
|
+
<annotations>
|
|
40
|
+
<annotation action="Potential False Positive" description="As discussed last week, these are potential false positives. Need your review." user="Adama" date="2022-01-24 21:55:55 UTC"/>
|
|
41
|
+
<annotation action="Potential False Positive" description="All six items are API keys used to authenticate with a service. None of the marked code lines are storing the password directly" user="Starbuck" date="2022-01-25 06:38:52 UTC"/>
|
|
42
|
+
</annotations>
|
|
43
|
+
</flaw>
|
|
44
|
+
</staticflaws>
|
|
45
|
+
</cwe>
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dradis-veracode
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 4.
|
|
4
|
+
version: 4.12.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dradis Team
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-
|
|
11
|
+
date: 2024-05-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: dradis-plugins
|
|
@@ -104,12 +104,16 @@ files:
|
|
|
104
104
|
- lib/dradis/plugins/veracode/field_processor.rb
|
|
105
105
|
- lib/dradis/plugins/veracode/gem_version.rb
|
|
106
106
|
- lib/dradis/plugins/veracode/importer.rb
|
|
107
|
+
- lib/dradis/plugins/veracode/mapping.rb
|
|
107
108
|
- lib/dradis/plugins/veracode/version.rb
|
|
108
109
|
- lib/tasks/thorfile.rb
|
|
110
|
+
- lib/veracode/evidence.rb
|
|
109
111
|
- lib/veracode/flaw.rb
|
|
110
|
-
-
|
|
112
|
+
- spec/dradis/plugins/veracode/importer_spec.rb
|
|
113
|
+
- spec/fixtures/files/veracode.xml
|
|
114
|
+
- spec/spec_helper.rb
|
|
115
|
+
- templates/evidence.sample
|
|
111
116
|
- templates/issue.sample
|
|
112
|
-
- templates/issue.template
|
|
113
117
|
homepage: https://dradis.com/integrations/veracode.html
|
|
114
118
|
licenses:
|
|
115
119
|
- GPL-2
|
|
@@ -129,8 +133,11 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
129
133
|
- !ruby/object:Gem::Version
|
|
130
134
|
version: '0'
|
|
131
135
|
requirements: []
|
|
132
|
-
rubygems_version: 3.
|
|
136
|
+
rubygems_version: 3.1.4
|
|
133
137
|
signing_key:
|
|
134
138
|
specification_version: 4
|
|
135
139
|
summary: Veracode add-on for the Dradis Framework.
|
|
136
|
-
test_files:
|
|
140
|
+
test_files:
|
|
141
|
+
- spec/dradis/plugins/veracode/importer_spec.rb
|
|
142
|
+
- spec/fixtures/files/veracode.xml
|
|
143
|
+
- spec/spec_helper.rb
|
data/templates/issue.fields
DELETED
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
issue.categoryid
|
|
2
|
-
issue.categoryname
|
|
3
|
-
issue.cweid
|
|
4
|
-
issue.cwename
|
|
5
|
-
issue.description
|
|
6
|
-
issue.exploitlevel
|
|
7
|
-
issue.issueid
|
|
8
|
-
issue.line
|
|
9
|
-
issue.mitigation_status
|
|
10
|
-
issue.mitigation_status_desc
|
|
11
|
-
issue.module
|
|
12
|
-
issue.note
|
|
13
|
-
issue.remediation_status
|
|
14
|
-
issue.remediationeffort
|
|
15
|
-
issue.severity
|
|
16
|
-
issue.sourcefile
|
|
17
|
-
issue.sourcefilepath
|
data/templates/issue.template
DELETED
|
@@ -1,44 +0,0 @@
|
|
|
1
|
-
#[Title]#
|
|
2
|
-
%issue.cwename%
|
|
3
|
-
|
|
4
|
-
#[CVSSv3.BaseScore]#
|
|
5
|
-
n/a
|
|
6
|
-
|
|
7
|
-
#[CVSSv3.Vector]#
|
|
8
|
-
n/a
|
|
9
|
-
|
|
10
|
-
#[Type]#
|
|
11
|
-
Internal
|
|
12
|
-
|
|
13
|
-
#[Description]#
|
|
14
|
-
%issue.description%
|
|
15
|
-
|
|
16
|
-
#[Solution]#
|
|
17
|
-
%issue.remediation_status%
|
|
18
|
-
|
|
19
|
-
#[References]#
|
|
20
|
-
https://cwe.mitre.org/data/definitions/%issue.cweid%.html
|
|
21
|
-
|
|
22
|
-
#[VeracodeID]#
|
|
23
|
-
%issue.issueid%
|
|
24
|
-
|
|
25
|
-
#[Severity]#
|
|
26
|
-
%issue.severity%
|
|
27
|
-
|
|
28
|
-
#[Category]#
|
|
29
|
-
%issue.categoryname%
|
|
30
|
-
|
|
31
|
-
#[CWE]#
|
|
32
|
-
%issue.cweid%
|
|
33
|
-
|
|
34
|
-
#[File]#
|
|
35
|
-
%issue.sourcefilepath%%issue.sourcefile%
|
|
36
|
-
|
|
37
|
-
#[Module]#
|
|
38
|
-
%issue.module%
|
|
39
|
-
|
|
40
|
-
#[Line]#
|
|
41
|
-
%issue.line%
|
|
42
|
-
|
|
43
|
-
#[RemediationStatus]#
|
|
44
|
-
%issue.remediation_status%
|