Fortify: Access Control Database related issue -
we have been using fortify tool in our code check security vulnerabilities. able fix of issues, there issues finding hard fix.one of related access control database related issues.we use hibernate criteria within our code fetch records db , foritfy complains data db , place program untrusted source.below same code
criteria criteria = hibernatessn.createcriteria("com.vish.status") critiera.list() ------>here error saying "data enters program untrusted source". is there way can indicate fortify data indeed coming trusted source?
thanks
short answer - no.
slightly longer answer - fortify not know if data source trusted or not. either have create custom filter ignore category, or custom rules able ignore data specific data source.
historically speaking, if scanning same app on , over, remember findings "not issue" when see them.
Comments
Post a Comment