Questions tagged [veracode]

Veracode provides automated static and dynamic application security testing software and remediation services

273 questions
4 votes, 1 answer

Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE ID 93)

In the Veracode report I am getting error CWE 93 in some of the Java files. In an instance of the static scan, some code is MimeMessage msg = new MimeMessage(session); msg.setFrom(new InternetAddress(msmtpfrom)); msg.setRecipients(Message.RecipientType.TO,…
Jaydeep Bobade
  • 895
  • 9
  • 20
4 votes, 2 answers

CWE 73 Error - Veracode Issue -.net application

I have been having a problem resolving a Veracode scanner finding in my project. I created a function to validate a file, but it did not pass the Veracode scanner. Here is the code of my function: public static string GetSafeFileName(string…
user3149261
  • 41
  • 1
  • 3
4 votes, 0 answers

Improper Restriction of XML External Entity Reference - Java with DocumentBuilderFactory

I've been trying to resolve the Veracode "Improper Restriction of XML External Entity Reference" flaw. I looked up the issue online and found a few suggestions on how to resolve it, namely: Set the features mentioned in the OWASP cheat sheet Set…
EH Khiari
  • 185
  • 1
  • 2
  • 12
4 votes, 5 answers

How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) with error message?

We use a web control adapter in our login page. Recently we ran Veracode on our web application. In the following function, we got CWE 80, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS), on the line rev.ErrorMessage =…
GLP
  • 2,790
  • 18
  • 52
  • 82
4 votes, 4 answers

ASP.NET Veracode Scanning issues

Our client uses the Veracode scanning tool to scan an ASP.NET application. We have solved many flaws except for the one below. Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') (CWE ID 113) (1 flaw) in the line …
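Both the CWE 93 question further up (user input reaching MimeMessage.setFrom) and the CWE 113 question just above (user input reaching an HTTP response header) come down to the same defect: a value that must occupy exactly one header line is allowed to carry a CR or LF, so an attacker can append headers of their own. The block below is an added Java example for this page, not code from either question or from Veracode. It assumes the javax.mail (JavaMail) API is on the classpath; the class HeaderValueGuard, the helper names and the sample values are constructed for illustration. The same requireSingleLine check applies unchanged to whatever string is handed to HttpServletResponse.setHeader or addHeader.

```java
import java.util.Properties;
import javax.mail.Session;
import javax.mail.internet.AddressException;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

// Added example (not from the questions): neutralising CR/LF before a header sink.
public class HeaderValueGuard {

    // Reject rather than silently strip: a CR, LF or NUL in a header value is never
    // legitimate input, and a rejection is a usable signal in the logs.
    public static String requireSingleLine(String name, String value) {
        if (value == null) {
            throw new IllegalArgumentException(name + " is required");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n' || c == 0) {
                throw new IllegalArgumentException(name + " contains a control character");
            }
        }
        return value;
    }

    // Strict RFC 822 parse on top of the CR/LF check, so only one well-formed address passes.
    public static InternetAddress toAddress(String raw) throws AddressException {
        InternetAddress addr = new InternetAddress(requireSingleLine("from address", raw), true);
        addr.validate();
        return addr;
    }

    public static void main(String[] args) throws Exception {
        // No SMTP host is needed: building the message and setting headers is local.
        Session session = Session.getInstance(new Properties());
        MimeMessage msg = new MimeMessage(session);

        // Constructed sample: the kind of value an attacker supplies to smuggle a Bcc header.
        String hostile = "alice@example.com\r\nBcc: everyone@example.com";
        try {
            msg.setFrom(toAddress(hostile));
            System.out.println("UNEXPECTED: hostile value accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("Rejected: " + e.getMessage());
        }

        // Constructed sample: a normal address and subject go through untouched.
        msg.setFrom(toAddress("alice@example.com"));
        msg.setSubject(requireSingleLine("subject", "Your report"));
        System.out.println("From: " + msg.getFrom()[0]);
    }
}
```

The important property for a static scanner is that the untrusted value passes through the validating method before it reaches the sink; keep the check in the same call chain as setFrom/setHeader rather than somewhere the scanner cannot connect to the flagged line.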
3 votes, 2 answers

Javascript: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

I'm spending time trying to fix the Veracode scan flaw CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS). What I do is an HTTP call to my backend in order to open a blob with a download file. const xhr = new…
Ziko
  • 611
  • 6
  • 18
3 votes, 0 answers

Veracode CWE 89 help requested when attempting to load an excel file to a datatable in .net (web)

Veracode SAST scanner is tagging excel file imports with a CWE 89 (Sql Injection): Attack Vector: system_data_dll.System.Data.Common.DbDataAdapter.Fill Number of Modules Affected: 1 Description: This database query contains a SQL injection flaw.…
3 votes, 2 answers

Veracode still reports OS command injection issue after I have applied the solution as recommended by OWASP and Roslyn Security Guard

Current code in my project is shown below and Veracode reports there is an OS command injection filename = Regex.Replace(filename, "[^a-zA-Z0-9_]", "_") & ".svg" ProcessStartInfo startInfo = default(ProcessStartInfo); Process pStart = new…
NoName
  • 803
  • 12
  • 24
3 votes, 1 answer

Forcing HttpOnly JSESSIONID in deployed OC4J/Oracle Application Server

We have a legacy application running on Oracle Application Server J2EE 10g 10.1.3.5.0 using OC4J containers. To clear a Veracode dynamic scan flaw CWE ID-402 (and for best practice) we need to set the HttpOnly flag on our JSESSIONID cookies. We…
kmarx
  • 43
  • 5
3 votes, 0 answers

Veracode flagging api action with optional parameters for not having input validation

I'm using .NET WebApi2 and I'm getting a Veracode flaw from the code scan: 'The Controller's Action is missing a Route Attribute that will perform input validation on Action parameters using a Route Constraint.... Remediation: Make sure to use…
Alex
  • 699
  • 7
  • 17
3 votes, 2 answers

"Improper Resource Shutdown or Release" error from Veracode, why?

What is wrong with this code? Moreover how do I fix it? public class BodyStreamMiddleware { private readonly RequestDelegate _next; public BodyStreamMiddleware(RequestDelegate next) { _next = next; } public async Task…
NeedHack
  • 2,885
  • 3
  • 28
  • 42
3 votes, 1 answer

CWE-73: External Control of File Name or Path Veracode java solution

Can somebody please help me with a Java coding solution for the Veracode scanning error below? I am creating a file and passing the file location as an argument. File file1=new File(filePath); **CWE-73: External Control of File Name or Path**
Raj Singh
  • 39
  • 1
  • 5
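The Java question just above and the .NET GetSafeFileName question earlier on this page both ask how to satisfy CWE-73 when a caller-supplied string ends up in a file constructor. The block below is an added Java example for this page, not code from either question or from Veracode; the class SafeFileResolver, its allowlist pattern and the sample inputs are constructed for illustration. It confines the untrusted name to a fixed base directory with two independent checks: a strict allowlist on the name itself, and a component-wise prefix check on the canonicalised result.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added example (not from the questions): resolving an untrusted file name under a fixed base.
public class SafeFileResolver {

    // Allow only plain file names: leading alphanumeric, then letters, digits, dot, dash,
    // underscore, at most 128 chars. No separators, no NUL, so ".." cannot appear.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) throws IOException {
        // Canonicalise once so symlinks in the base itself cannot confuse the prefix check.
        this.baseDir = baseDir.toRealPath();
    }

    // Resolve an untrusted name inside baseDir, or throw. Two independent checks:
    // 1) the name must match the allowlist;
    // 2) the normalised absolute result must still live under the canonical base.
    public File resolve(String untrustedName) throws IOException {
        if (untrustedName == null || !SAFE_NAME.matcher(untrustedName).matches()) {
            throw new IllegalArgumentException("rejected file name");
        }
        Path candidate = baseDir.resolve(untrustedName).toAbsolutePath().normalize();
        // Path.startsWith compares whole components, so "/base2" does not pass for "/base".
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate.toFile();
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");
        SafeFileResolver resolver = new SafeFileResolver(base);

        // Constructed samples: one benign name, then traversal and separator attempts.
        String[] inputs = {"report.txt", "../../etc/passwd", "..\\..\\win.ini", "a/b.txt", "x\0.txt"};
        for (String in : inputs) {
            try {
                File f = resolver.resolve(in);
                System.out.println("OK      " + f.getPath());
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + in.replace("\0", "\\0") + " : " + e.getMessage());
            }
        }
    }
}
```

Only "report.txt" resolves; every other sample is refused by the allowlist before the path is ever built. The second check is deliberately redundant: if someone later relaxes the pattern to admit subdirectories, the canonical-prefix test still stops "..", and it is the check a reviewer can verify without reasoning about regular expressions.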
3 votes, 0 answers

How to prevent XXE attack (XmlSerializer in .Net)

We had a Veracode security audit on some old legacy apps and found that we are vulnerable to an External Entity (XXE) attack. I have fixed most of the problems but I've run across some code I have no idea how to deal with and I am hoping someone…
comfortablyNumb
  • 185
  • 1
  • 16
3 votes, 2 answers

How to fix Veracode error:Information Exposure Through Sent Data

Veracode fails the following line of code: string server = Decryptor.Decrypt(ConfigurationManager.AppSettings["ConnectionPoint"]); System.Net.HttpWebRequest objRequest = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(server); Does anyone…
gene
  • 1,762
  • 6
  • 28
  • 74
3 votes, 1 answer

What is Veracode Scan used for?

I have done some searches, but was unable to discover the purpose of Veracode Scan. Also, I would like to know why the Veracode scanner is plugged into Jenkins. Could anyone help me with this? I am posting this here, as I am unable to find an…
Faz
  • 484
  • 1
  • 9
  • 25