You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "Joe Bowser (JIRA)" <ji...@apache.org> on 2016/08/18 16:00:24 UTC

[jira] [Resolved] (CB-11719) Security Issues found with SystemWebViewEngine in static code analysis with Veracode

     [ https://issues.apache.org/jira/browse/CB-11719?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bowser resolved CB-11719.
-----------------------------
    Resolution: Won't Fix

There's nothing to resolve here.  SystemExposedJSApi has the appropriate annotations denoting which methods are to be exposed to Javascript.  It seems that the Security Scanner can't read annotated classes.  There's a reason the name of the class is ExposedJSApi in the first place, since it's designed to be exposed so the rest of the classes aren't.  This is a false positive, and I would mark it as such and move on.

> Security Issues found with SystemWebViewEngine in static code analysis with Veracode
> ------------------------------------------------------------------------------------
>
>                 Key: CB-11719
>                 URL: https://issues.apache.org/jira/browse/CB-11719
>             Project: Apache Cordova
>          Issue Type: Bug
>          Components: Android
>         Environment: Android Hybrid App
>            Reporter: Hitesh Sahu
>            Priority: Critical
>
> While doing a security scan of our code using the veracode tool, following high priority defect has been found :  
> Associated Flaws by CWE ID: Exposed Dangerous Method or Function (CWE ID 749)(1 flaw)  
> Description  The application provides an API or similar interface to a dangerous method or function that is not properly restricted.  Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code.
>  1 day to fix. 
>  Recommendations  Restrict the exposed API, or avoid using the classes that exhibit this behavior. 
>   Instances found via Static Scan  Flaw Id Module # Class # Module Location Fix By  53 9 - abc(name_changed).apk  .../SystemWebViewEngine.java 259 16/08/16  
> The flaw has been caught in SystemWebViewEngine.java.  It is an internal Cordova Lib class at following path:-    android/CordovaLib/src/org/apache/cordova/engine/SystemWebViewEngine.java  
> The code at line 259 is :-  webView.addJavascriptInterface(exposedJsApi, "_cordovaNative"); 
>  Since being an integral part of Cordova lib I couldn't understand how to mitigate this flaw.  Can you help us to understand what should be done in order to mitigate this ?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@cordova.apache.org
For additional commands, e-mail: issues-help@cordova.apache.org