Common Controller SDK: CCSDK-2072

Address Veracode Security Flaws



      119 Medium Veracode flaws need to be addressed.

      Severity                        Total   Static   Notes
      Very High                       0       0
      High                            0*      0*       Mitigate by Design: 9 (CWE 89)
      Medium                          119*    119*
        CRLF Injection                81*     81*      Mitigate by Design: 122 (CWE 117)
        Cross-Site Scripting          1       1
        Cryptographic Issues          1       1
        Directory Traversal           28*     28*      Mitigate by Design: 23 (CWE 73), in libs provided by ASDC
        Encapsulation                 2       2
        Information Leakage           4       4
        Insufficient Input Validation 2       2


      CRLF Injection can be addressed via a logging configuration replacement pattern that replaces CR/LF characters with a space. These flaws are isolated to sli-/northbound dmaap-listener and ueb-listener.
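      As an added example (not taken from the ticket or the CCSDK code base), a logback configuration fragment implementing the replacement pattern described above: the `%replace` conversion word runs a Java regex over the rendered message, so a CR/LF sequence carried in a logged value is collapsed to one space before the record is written and cannot forge a second log line. It assumes logback is the logging backend; the appender name, file path and logger name are placeholders.

```xml
<!-- Added example, not from CCSDK-2072. Appender name, file path and
     logger name below are placeholders chosen for illustration. -->
<configuration>

  <appender name="LISTENER_LOG" class="ch.qos.logback.core.FileAppender">
    <!-- placeholder path -->
    <file>listener.log</file>
    <encoder>
      <!-- %replace(%msg){'regex', 'replacement'} applies the regex to the
           formatted message. [\r\n]+ collapses any run of CR and/or LF into a
           single space, which is the CWE 117 mitigation the ticket describes.
           Only %msg is rewritten; timestamp, level and logger name are
           produced by the layout itself and are not attacker-controlled. -->
      <pattern>%d{ISO8601} %-5level [%thread] %logger{36} - %replace(%msg){'[\r\n]+', ' '}%n</pattern>
    </encoder>
  </appender>

  <!-- Placeholder logger: in practice scope this to the dmaap-listener and
       ueb-listener packages the ticket names, or apply it on the root
       logger so every appender uses the sanitising pattern. -->
  <logger name="org.example.placeholder.listener" level="INFO" additivity="false">
    <appender-ref ref="LISTENER_LOG"/>
  </logger>

  <root level="INFO">
    <appender-ref ref="LISTENER_LOG"/>
  </root>

</configuration>
```

      Note that the replacement is applied at output time only; a message logged through a different appender whose pattern lacks `%replace` still carries the raw line breaks, so every appender the listeners write to needs the same pattern.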

      Cross-Site Scripting (Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80) (1 flaw)):
      ueb-listener-*.jar  org/.../SdncOdlConnection.java 125

      Cryptographic Issues (Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(1 flaw)):
      sli-common-*.jar  org/.../sli/CheckSumHelper.java 40

      Directory Traversal (External Control of File Name or Path (CWE ID 73)(51 flaws)):
      aai-serviceprovider-* .../AAIClientRESTExecutor.java 128
      aai-serviceprovider-* .../AAIClientRESTExecutor.java 133
      aai-serviceprovider-* .../AAIClientRESTExecutor.java 141
      sli-common-*.jar org/.../sli/CheckSumHelper.java 35
      sql-resourceprovider-.jar/utils-provider-.jar .../utils/EnvVarFileResolver.java 64
      asdcApi-provider-.jar/sliprovider-.jar org/.../provider/MdsalHelper.java 77
      mdsal-resourceprovider-*.jar .../MdsalResourceActivator.java 64
      sli-common-* org/.../sli/MessageWriter.java 77
      ueb-listener-*.jar org/.../SdncArtifactMap.java 94
      ueb-listener-*.jar org/.../SdncUebCallback.java 212
      ueb-listener-*.jar org/.../SdncUebCallback.java 269
      ueb-listener-*.jar org/.../SdncUebCallback.java 270
      ueb-listener-*.jar org/.../SdncUebCallback.java 288
      ueb-listener-*.jar org/.../SdncUebCallback.java 293
      ueb-listener-*.jar org/.../SdncUebCallback.java 327
      ueb-listener-*.jar org/.../SdncUebCallback.java 332
      ueb-listener-*.jar org/.../SdncUebCallback.java 377
      ueb-listener-*.jar org/.../SdncUebCallback.java 388
      ueb-listener-*.jar org/.../SdncUebCallback.java 481
      ueb-listener-*.jar org/.../SdncUebCallback.java 486
      ueb-listener-*.jar org/.../SdncUebCallback.java 537
      ueb-listener-*.jar org/.../SdncUebCallback.java 1200
      ueb-listener-*.jar .../SdncUebConfiguration.java 113
      sli-common-*.jar org/.../sli/SvcLogicLoader.java 60
      sli-common-*.jar org/.../sli/SvcLogicLoader.java 171
      sli-common-*.jar org/.../sli/SvcLogicParser.java 453
      sli-common-*.jar org/.../sli/SvcLogicParser.java 485
      sli-common-*.jar .../SvcLogicStoreFactory.java 38

      Encapsulation (Deserialization of Untrusted Data (CWE ID 502) (2 flaws)):
      sli-common-*.jar .../sli/SvcLogicDblibStore.java 152
      sli-common-*.jar org/.../sli/SvcLogicJdbcStore.java 404

      Information Leakage (Improper Restriction of XML External Entity Reference (CWE ID 611)(4 flaws)):
      ueb-listener-*.jar org/.../SdncUebCallback.java 585
      ueb-listener-*.jar org/.../SdncUebCallback.java 1167
      ueb-listener-*.jar org/.../SdncUebCallback.java 1205
      sli-common-*.jar org/.../sli/SvcLogicParser.java 320

      Insufficient Input Validation (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(2 flaws)):
      sli-provider-*.jar org/.../PrintYangToProp.java 1343
      sli-common-*.jar org/.../sli/SvcLogicJdbcStore.java 240

            djtimoney Dan Timoney
            lalena.aria lalena.aria