
Fortify: Access Control Database related issue

We have been using the Fortify tool on our code to check for security vulnerabilities. We were able to fix most of the issues, but there are some issues which we are finding hard to fix. One of them is related to access control database issues. We use Hibernate Criteria within our code to fetch records from the DB, and Fortify complains that the data which we get from the DB and place into the program is from an untrusted source. Below is the code in question:

Criteria criteria = hibernatessn.createCriteria("com.vish.Status");
List<?> results = criteria.list(); // ------> Here we get an error saying "data enters program from an untrusted source".

Is there a way we can indicate to Fortify that the data is indeed coming from a trusted source?

Thanks

Short answer - no.

Slightly longer answer - Fortify does not know if your data source is trusted or not. You would either have to create a custom filter to ignore that category, or custom rules that would be able to ignore just data from a specific data source.

Historically speaking, if you are scanning the same app over and over, I just remember that those findings are "Not an Issue" when you see them.

You can control whether the issues panel lists the following types of issues:

Suppressed issues

You can mark an issue as suppressed if you are sure that the specific vulnerability is not, and never will be, a concern. You might also want to suppress warnings for specific types of issues that might not be high priority or of immediate concern. For example, you can suppress issues that are fixed, or issues that - in your case - you do not plan to fix. Suppressed issues are not included in the group totals shown in the issues panel. This approach may be best when you want to eliminate awareness of the issue altogether.

Hidden issues

You can hide a group of issues temporarily to avoid distraction as you focus elsewhere. For example, you could hide all issues except those assigned to you. The individuals assigned to address the issues you have hidden in your view can still access them. The group totals displayed in the issues panel include hidden issues. If you find an issue in a folder list that you want to hide or direct to another folder, you can create a new filter using the filter wizard. The filter wizard displays all the attributes with matching conditions for the filter. P 29 of the document HP_Fortify_Audit_Workbench_User_Guide_4.30; this documentation is with your Fortify program files. This alternative might be preferable if you want others to be aware of the issues, even as you ignore it.

Removed issues

This alternative is not particularly relevant to your situation, but I present it for the sake of completeness. As multiple scans are run on a project over time, issues are often remediated or become obsolete. As it merges scan results, Static Code Analyzer marks issues that were uncovered in a previous scan, but are no longer evident in the most recent SCA analysis results, as Removed. Removed issues are not included in the group totals shown in the issues panel. As you do not intend to "remediate" this issue, it will not become a "removed issue." To show or hide suppressed, hidden, and removed issues, use the Option menu. You can set the visibility filters to show or hide issues.

You cannot say that it comes from a trusted source, but you can create a custom rule set to remove all of these issues in upcoming scans.
