Posted to dev@jena.apache.org by "Brian Harris (JIRA)" <ji...@apache.org> on 2012/05/04 16:32:50 UTC

[jira] [Updated] (JENA-243) Passing along HP Fortify findings to the community

     [ https://issues.apache.org/jira/browse/JENA-243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brian Harris updated JENA-243:
------------------------------

    Attachment: Sanitized Fuseki Scan Findings.xlsx

Here is a spreadsheet of the findings.

> Passing along HP Fortify findings to the community
> --------------------------------------------------
>
>                 Key: JENA-243
>                 URL: https://issues.apache.org/jira/browse/JENA-243
>             Project: Apache Jena
>          Issue Type: Question
>          Components: Fuseki
>    Affects Versions: Fuseki 0.2.1
>            Reporter: Brian Harris
>         Attachments: Sanitized Fuseki Scan Findings.xlsx
>
>
> Our customer has run an HP Fortify scan against the Fuseki code base. I'd like to pass along these findings to the community so they can be reviewed and possibly addressed. I am unsure if I should submit a ticket for each individual finding, submit a ticket that lumps the findings into logical groups or submit one large ticket.
> In all, there are 123 findings that fall into the following categories:
> Cross-Site Scripting: Reflected
> Dead Code: Expression is Always false
> Dead Code: Expression is Always true
> Header Manipulation
> Missing Check against Null
> Null Dereference
> Obsolete
> Often Misused: File Upload
> Poor Error Handling: Empty Catch Block
> Poor Error Handling: Overly Broad Catch
> Poor Logging Practice: Use of a System Output Stream
> Poor Style: Identifier Contains Dollar Symbol ($)
> Poor Style: Non-final Public Static Field
> System Information Leak
> System Information Leak: Incomplete Servlet Error Handling
> Trust Boundary Violation
> Unreleased Resource: Streams
> Some of these are flagged as more important such as the XSS violation and must be corrected prior to moving into a production environment. And, it's quite possible some of these are false positives.
> Any direction is greatly appreciated. Thanks!
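
As an added illustration (not Fuseki code, and not part of the ticket or the attached spreadsheet), the two servlet patterns that Fortify reports under the "Cross-Site Scripting: Reflected" and "Header Manipulation" categories listed above, each shown in the form the scanner flags and in a hardened form that would clear the finding. The class name, parameter names and header name are hypothetical; the servlet API calls are the standard javax.servlet ones.

```java
// Added illustration (hypothetical servlet, not Fuseki code): the flagged
// form and the hardened form of two Fortify categories from the ticket.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class EchoServletExample extends HttpServlet {

    // Flagged form. The "q" parameter flows unchanged into the HTML body
    // (Cross-Site Scripting: Reflected) and the "format" parameter flows
    // unchanged into a response header (Header Manipulation: a CR/LF in the
    // value would terminate the header and let the client control what
    // follows). Kept only to show what the scanner is pointing at.
    protected void doGetUnsafe(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String query = req.getParameter("q");
        String format = req.getParameter("format");
        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("X-Requested-Format", format);
        PrintWriter out = resp.getWriter();
        out.println("<p>Results for: " + query + "</p>");
    }

    // Hardened form: HTML-encode before writing request data into the page,
    // and map the header value onto a fixed set of tokens instead of passing
    // the raw parameter through.
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String query = req.getParameter("q");
        String format = req.getParameter("format");
        resp.setContentType("text/html; charset=UTF-8");
        resp.setHeader("X-Requested-Format", safeHeaderValue(format));
        PrintWriter out = resp.getWriter();
        out.println("<p>Results for: " + htmlEscape(query) + "</p>");
    }

    // Minimal entity encoding for text placed inside an element body.
    // Encoding every one of these five characters is enough for element
    // content; attribute and JavaScript contexts need their own encoders.
    static String htmlEscape(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Only a known set of tokens may reach the header; anything else falls
    // back to the default, so no control character can ever be emitted.
    static String safeHeaderValue(String s) {
        if (s == null) return "html";
        switch (s) {
            case "html":
            case "json":
            case "xml":
                return s;
            default:
                return "html";
        }
    }
}
```

The same allow-list idea applies wherever a request value is copied into a header, a redirect location or a log line, which is why several of the listed categories (Header Manipulation, Trust Boundary Violation, System Information Leak) tend to be fixed at the same few points where request data leaves the servlet.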

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira