Posted to dev@ws.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2016/04/01 13:20:40 UTC

Fwd: failure notice

Hi,

Thank you for performing the "Fortify Open Review" for Apache WSS4J
(2.1.4). It's valuable to get this kind of feedback on potential issues in
a project. FYI your initial email did not make it through to the WSS4J dev
list, as you did not use the correct email address for the project (
dev@ws.apache.org - you need to subscribe first).

Incidentally, the email address you gave is wrong; the following email
address bounces:

"To contact to a member of our team, please email us at
Fortify-Open-Review@hp.com.  "

In the interests of providing constructive feedback, there are a number of
immediate problems with the review:

a) It does not exclude test code. Almost all of the "issues" raised are in
test classes, and this makes it more difficult to focus on the potential
bugs in the actual source code itself. I am not really interested in
potential bugs in test classes, as this code is not used in a production
environment. The "critical" issue of hard-coding a password is obviously
not a problem when it's used in a test class.

b) The code scanning needs some refinement. It appears to interpret any
static String constant with "PASSWORD" in it as an actual password, or
with "KEY" as an encryption key. However, in WSS4J these are all URI-type
fields or else configuration fields, such as:

public static final String TAG_ENCRYPTED_KEY_TRANSPORT_METHOD =
"encrypted-key-transport-method";

This introduces a large number of false positives. Maybe your scanner could
check to see if the value actually looks like a key or password before
emitting the warning.

Colm.




--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
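The following triage script is an added illustration, not part of Colm's mail and not code from WSS4J or Fortify. It applies both suggestions above: skip test sources entirely, and for a constant whose name contains PASSWORD/KEY, check whether the value looks like a configuration identifier or URI before reporting it as a credential. All file paths and Java snippets are constructed samples.

```python
"""Triage for 'hard-coded credential' findings on Java string constants."""
import math
import re
from collections import Counter
from pathlib import PurePosixPath

# Java constants of the form: public static final String NAME = "value";
CONST_RE = re.compile(r'static\s+final\s+String\s+(?P<name>\w+)\s*=\s*"(?P<value>[^"]*)"\s*;')
SUSPECT_NAME_RE = re.compile(r"PASSWORD|PASSWD|SECRET|KEY", re.IGNORECASE)
# Config-style values: kebab/dotted tokens like "encrypted-key-transport-method"
TOKEN_RE = re.compile(r"^[a-z][a-z0-9]*([-._][a-z0-9]+)+$")


def is_test_code(path):
    """Point a): anything under a 'test' directory or named *Test.java is test code."""
    parts = PurePosixPath(path).parts
    return "test" in parts or parts[-1].endswith("Test.java")


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_value(value):
    """Point b): does the literal look like a secret, or like a URI / config key?"""
    if "://" in value or value.startswith("urn:") or TOKEN_RE.match(value):
        return "identifier"
    classes = sum(bool(re.search(p, value)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(value) >= 8 and (classes >= 3 or shannon_entropy(value) >= 3.0):
        return "secret-like"
    return "low-confidence"


def scan(path, source):
    """Return (name, value, verdict) for each suspiciously named constant in one file."""
    if is_test_code(path):
        return []  # test fixtures are never reported
    return [(m.group("name"), m.group("value"), classify_value(m.group("value")))
            for m in CONST_RE.finditer(source) if SUSPECT_NAME_RE.search(m.group("name"))]


# Constructed sample inputs (not WSS4J's actual source files).
MAIN_SOURCE = '''
public static final String TAG_ENCRYPTED_KEY_TRANSPORT_METHOD = "encrypted-key-transport-method";
public static final String KEY_TRANSPORT_URI = "http://example.invalid/xmlenc#rsa-oaep";
public static final String DEMO_SIGNING_KEY = "Zq8#vP2!mL9xR4tW";
'''
TEST_SOURCE = 'public static final String PASSWORD = "security";'

if __name__ == "__main__":
    for finding in scan("src/main/java/example/Constants.java", MAIN_SOURCE):
        print(finding)  # only DEMO_SIGNING_KEY comes back as secret-like
    print(scan("src/test/java/example/SignatureTest.java", TEST_SOURCE))  # []
```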
