Fortify Security Report. Sep 30, 2010 Aleks

Transcription

1 Sep 30, 2010 Aleks

2 Executive Summary Issues Overview On Sep 30, 2010, a source code review was performed over the src code base. 124 files, 9053 LOC (Executable) were scanned and reviewed for defects that could lead to potential security vulnerabilities. A total of 389 reviewed findings were uncovered during the analysis. Issues by Fortify Priority Order Low 349 High 38 Critical 2 Recommendations and Conclusions The Issues Category section provides Fortify recommendations for addressing issues at a generic level. The recommendations for specific fixes can be extrapolated from those generic recommendations by the development group. Copyright 2010 Fortify Software Inc. Page 2 of 9

3 Project Summary Code Base Summary Code location: C:\Users\Aleks\Documents\Skole\INF226\ezquiz\quizbuilder\trunk\src Number of Files: 124 Lines of Code: 9053 Build Label: <No Build Label> Scan Information Scan time: 02:36 SCA Engine version: Machine Name: Aleks-Gaming Username running scan: Aleks Results Certification Valid Results Certification Details: Results Signature: SCA Analysis Results has Valid signature Rules Signature: There were no custom rules used in this scan Attack Surface Attack Surface: Command Line Arguments: no.jafu.quizbuilder.decrypttool.main no.jafu.quizbuilder.encrypttool.main no.jafu.quizbuilder.quizbuilder.main no.jafu.quizbuilder.userencrypt.main no.jafu.quizbuilder.gui.menu.lnfswitcher.main File System: java.io.fileinputstream.fileinputstream GUI Form: javax.swing.jpasswordfield.getpassword javax.swing.jpasswordfield.gettext javax.swing.text.jtextcomponent.gettext Private Information: Copyright 2010 Fortify Software Inc. Page 3 of 9

4 null.null.null javax.swing.jpasswordfield.getpassword javax.swing.jpasswordfield.gettext Java Properties: java.lang.system.getproperty Serialized Data: java.io.objectinputstream.readobject Stream: java.io.fileinputstream.read System Information: null.null.null java.awt.headlessexception.getmessage java.lang.throwable.getmessage org.xml.sax.saxexception.getmessage Web: java.net.urlconnection.getinputstream Filter Set Summary Current Enabled Filter Set: Security Auditor View Filter Set Details: Folder If [fortify priority order] contains critical Then set folder to Critical If [fortify priority order] contains high Then set folder to High If [fortify priority order] contains medium Then set folder to Medium If [fortify priority order] contains low Then set folder to Low Visibility File System Inputs Audit Guide Summary Hide issues involving file system inputs. Depending on your system, inputs from files may or may not come from trusted users. AuditGuide can hide issues that are based on data coming from the file system if it is trusted. Enable if you trust file system inputs. If taint contains file_system Then hide issue If taint contains constantfile Then hide issue Copyright 2010 Fortify Software Inc. Page 4 of 9

5 If taint contains stream Then hide issue If category is file access race condition Then hide issuetaint from Command-Line Arguments Hide issues involving taint from command-line arguments. Depending on your system, inputs from command-line arguments may or may not come from trusted users. AuditGuide can hide issues that are based on data coming from command-line arguments if they are trusted. Enable if you trust command-line arguments. If taint contains args Then hide issueproperty File Inputs Hide inputs from properties files. Depending on your system, inputs from properties files may or may not come from trusted users. AuditGuide can hide issues that are based on data coming from properties files if they are trusted. Enable if you trust inputs from properties files. If taint contains property Then hide issueenvironment Variable Inputs Hide issues involving environment variable inputs. Depending on your system, inputs from environment variables may or may not come from trusted users. AuditGuide can hide issues that are based on data coming from environment variables if they are trusted. Enable if you trust environment variable inputs. If taint contains environment Then hide issuej2ee Bad Practices Hide warnings about J2EE bad practices. Depending on whether your application is a J2EE application, J2EE bad practice warnings may or may not apply. AuditGuide can hide J2EE bad practice warnings. Enable if J2EE bad practice warnings do not apply to your application because it is not a J2EE application. If category contains j2ee Then hide issue If category is race condition: static database connection Then hide issue Copyright 2010 Fortify Software Inc. Page 5 of 9

6 Results Outline Overall number of results The scan found 389 issues. Vulnerability Examples by Category Category: Password Management: Empty Password (2 Issues) Number of Issues <Unaudited> Not an Issue Analysis Reliability Issue Bad Practice Suspicious Exploitable Abstract: Empty passwords can compromise system security in a way that cannot be easily remedied. Explanation: It is never a good idea to assign an empty string to a password variable. If the empty password is used to successfully authenticate against another system, then the corresponding account's security is likely compromised because it accepts an empty password. If the empty password is merely a placeholder until a legitimate value can be assigned to the variable, then it can confuse anyone unfamiliar with the code and potentially cause problems on unexpected control flow paths. Example 1: The code below attempts to connect to a database with an empty password. DriverManager.getConnection(url, "scott", ""); If the code in Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password, which can be easily guessed by an attacker. Even worse, once the program has shipped, updating the account to use a non-empty password will require a code change. Example 2: The code below initializes a password variable to an empty string, attempts to read a stored value for the password, and compares it against a user-supplied value. String storedpassword = ""; String temp; if ((temp = readpassword())!= null) { storedpassword = temp; } if(storedpassword.equals(userpassword)) // Access protected resources } If readpassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially bypass the password check by providing an empty string for userpassword. Copyright 2010 Fortify Software Inc. Page 6 of 9

7 Recommendations: Always read stored password values from encrypted, external resources and assign password variables meaningful values. Ensure that sensitive resources are never protected with empty or null passwords. Starting with Microsoft(R) Windows(R) 2000, Microsoft(R) provides Windows Data Protection Application Programming Interface (DPAPI), which is an OS-level service that protects sensitive application data, such as passwords and private keys [1]. Tips: The Fortify Java Annotations FortifyPassword and FortifyNotPassword can be used to indicate which fields and variables represent passwords. OpenFromXML.java, line 545 (Password Management: Empty Password) Fortify Priority: High Folder High Kingdom: Security Features Abstract: Empty passwords can compromise system security in a way that cannot be easily remedied. Sink: OpenFromXML.java:545 VariableAccess: password() 543 } 544 String username = ""; 545 String password = ""; 546 // Dealing with HTTP protocol. 547 HttpURLConnection connection = (HttpURLConnection) urlconnection; Copyright 2010 Fortify Software Inc. Page 7 of 9

8 Issue Count by Category Issues by Category Poor Error Handling: Overly Broad Catch 88 System Information Leak 75 Poor Logging Practice: Use of a System Output Stream 50 Poor Error Handling: Empty Catch Block 30 Unreleased Resource: Streams 25 Password Management: Password in Comment 21 Poor Error Handling: Overly Broad Throws 20 Code Correctness: Erroneous String Compare 15 Dead Code: Expression is Always true 9 Denial of Service 6 Code Correctness: Class Does Not Implement equals 5 Null Dereference 5 Object Model Violation: Just one of equals() and hashcode() Defined 5 Dead Code: Unused Field 4 Password Management: Password in Configuration File 4 Poor Logging Practice: Logger Not Declared Static Final 4 Poor Style: Value Never Read 4 Dead Code: Unused Method 3 Unchecked Return Value 3 Insecure Randomness 2 Password Management: Empty Password 2 Path Manipulation 2 Poor Error Handling: Program Catches NullPointerException 2 Code Correctness: Misspelled Method Name 1 Missing Check against Null 1 Poor Style: Non-final Public Static Field 1 Poor Style: Redundant Initialization 1 Weak Cryptographic Hash 1 Copyright 2010 Fortify Software Inc. Page 8 of 9

9 Issue Breakdown by Analysis Issues by Analysis <none>: (389, 100%) <none> Copyright 2010 Fortify Software Inc. Page 9 of 9