camunda BPM / CAM-7722

In camunda engine jar, mybatis xmls like Attachment.xml is giving Fortify scanning issues.


    • Type: Bug Report
    • Resolution: Won't Fix
    • Priority: L2 - Critical
    • Version: 7.6.0-alpha5
    • Environment: Linux

The camunda engine jar contains MyBatis XML files for the database which are showing SQL injection vulnerabilities in Fortify scanning, because some of the XML files contain ${<somestring>} for string concatenation. The HP Fortify code scanner takes this as an SQL injection issue, as ${} is only a string concatenation and not a parameterized one, and suggests using #{<somestring>} instead. In almost all XMLs (e.g. Attachment.xml) the table name is prefixed with ${prefix}, which is also shown as an SQL injection possibility. I am using the 7.6.0 camunda-engine.jar. Since it is SQL injection, all vulnerabilities are showing as CRITICAL errors.

Please suggest.
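The distinction the report turns on is that MyBatis `${x}` splices the parameter's text straight into the statement (string concatenation, which is what Fortify flags) while `#{x}` becomes a driver placeholder with the value bound separately. The following is an added example, not code from this issue or from camunda's own mapper files: it models the two substitution modes against an in-memory SQLite table, shows how a value containing a quote behaves under each, and adds a small triage helper that lists every `${}` in a mapper so the `${prefix}` table-prefix case can be separated from anything else spliced as text. The mapper fragment, table and column names, and the identifier-shaped prefix rule are all constructed for the example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed mapper fragment in the style the report describes: ${prefix} in front of the
# table name, #{} for bound values. Made up for this example, not camunda's Attachment.xml.
MAPPER_XML = """<mapper namespace="example.Attachment">
  <select id="selectAttachmentsByTaskId" resultType="map">
    select * from ${prefix}ACT_HI_ATTACHMENT where TASK_ID_ = #{taskId}
  </select>
  <select id="selectAttachmentsByNameUnsafe" resultType="map">
    select * from ${prefix}ACT_HI_ATTACHMENT where NAME_ = '${name}'
  </select>
</mapper>"""

SUBST_RE = re.compile(r"([$#])\{(\w+)\}")
# Assumed rule for a safe table prefix: identifier characters only, optionally schema-qualified.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_.]*$")


def render(statement, params):
    """Model of MyBatis substitution (single pass, for illustration):
    ${x} -> str(params[x]) is spliced into the SQL text (plain concatenation);
    #{x} -> replaced by '?' and the value is appended to the bound-parameter list.
    Returns (sql, bound_values)."""
    bound = []

    def sub(match):
        kind, name = match.groups()
        if kind == "$":
            return str(params[name])
        bound.append(params[name])
        return "?"

    return SUBST_RE.sub(sub, statement), bound


def scan_mapper(xml_text):
    """Triage aid: list every ${...} in a mapper as (statement id, name, is_table_prefix).
    A ${} that is not the table prefix is the kind of finding worth converting to #{}."""
    findings = []
    for stmt in ET.fromstring(xml_text):
        text = "".join(stmt.itertext())
        for kind, name in SUBST_RE.findall(text):
            if kind == "$":
                findings.append((stmt.get("id"), name, name == "prefix"))
    return findings


def validate_prefix(prefix):
    """Allowlist check for the one value that legitimately travels through ${}."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"table prefix is not identifier-shaped: {prefix!r}")
    return prefix


def demo():
    """Run both statements against constructed data with a value containing a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ACT_HI_ATTACHMENT (ID_ text, TASK_ID_ text, NAME_ text)")
    conn.executemany("insert into ACT_HI_ATTACHMENT values (?, ?, ?)",
                     [("1", "t1", "report.pdf"), ("2", "t2", "o'neill.pdf")])
    stmts = {s.get("id"): "".join(s.itertext()).strip() for s in ET.fromstring(MAPPER_XML)}
    params = {"prefix": validate_prefix(""), "taskId": "t2", "name": "o'neill.pdf"}

    # #{taskId} becomes '?': the driver receives the value separately from the SQL text.
    safe_sql, safe_bound = render(stmts["selectAttachmentsByTaskId"], params)
    rows_safe = conn.execute(safe_sql, safe_bound).fetchall()

    # '${name}' is concatenated: the quote inside the value changes the statement itself.
    unsafe_sql, unsafe_bound = render(stmts["selectAttachmentsByNameUnsafe"], params)
    try:
        conn.execute(unsafe_sql, unsafe_bound)
        unsafe_outcome = "executed"
    except sqlite3.OperationalError:
        unsafe_outcome = "syntax error: the quote in the value altered the statement"

    return {"safe_sql": safe_sql, "safe_bound": safe_bound, "rows_safe": len(rows_safe),
            "unsafe_sql": unsafe_sql, "unsafe_outcome": unsafe_outcome}


if __name__ == "__main__":
    for finding in scan_mapper(MAPPER_XML):
        print("${} usage:", finding)
    print(demo())
```

The scan output is the useful part when triaging a scanner report: `${prefix}` on a table name is a deployment-time configuration value, not request data, so it can be reviewed once and accepted if the prefix is validated as above, while any other `${}` in a where clause is the finding that actually needs `#{}`.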


Assignee: Unassigned
Reporter: judebantony (Jude Antony)
Votes: 0
Watchers: 2
