In the camunda engine jar, mybatis xmls like Attachment.xml are giving Fortify scanning issues.


    • Type: Bug Report
    • Resolution: Won't Fix
    • Priority: L2 - Critical
    • Affects Version/s: 7.6.0-alpha5
    • Component/s: None
    • Environment:
      Linux

      The camunda engine jar contains MyBatis XML files for the database that have SQL injection Fortify scanning vulnerabilities, because some of the XML files contain ${<somestring>} for string concatenation. The HP Fortify code scanner treats this as an SQL injection issue, since ${} is only string concatenation and not a parameterized one, and it suggests using #{<somestring>} instead. In almost all XMLs (e.g. Attachment.xml) the table name is prefixed with ${prefix}, which is also reported as an SQL injection possibility. I am using the 7.6.0 camunda-engine.jar. Since it is SQL injection, all vulnerabilities are shown as CRITICAL errors.

      Please suggest.
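The distinction the report turns on, shown as an added example that is not Camunda's or MyBatis's code: in a MyBatis mapper, #{name} becomes a bound parameter of a JDBC PreparedStatement, while ${name} is plain text substitution into the SQL string before it reaches the driver. The script below reproduces both behaviours with Python's sqlite3 driver on constructed data, and also shows why a table-name prefix such as Camunda's ${prefix} is different from a WHERE value: an identifier cannot be bound as a parameter, so the defensive substitute is an allow-list check on the configured prefix (in Camunda the prefix is an engine configuration setting, not request input, which is what makes the finding a configuration-trust question rather than a request-injection one). The table name, row data and the validate_prefix/select_* helpers are assumptions made for the example.

```python
"""Added example (not Camunda or MyBatis code): ${...} substitution vs #{...} binding.

MyBatis ``${name}`` pastes text into the SQL string; ``#{name}`` becomes a bound
PreparedStatement parameter.  The two select_* functions mimic those forms with
sqlite3 so the difference is visible, and validate_prefix shows the allow-list
check that is the practical mitigation for an identifier such as ${prefix}.
"""
import re
import sqlite3

# Constructed sample data; the prefix stands in for Camunda's ${prefix}.
SAMPLE_PREFIX = "CAMUNDA_"
SAMPLE_ROWS = [("a1", "user1"), ("a2", "user2"), ("a3", "user3")]

# A table-name prefix is an identifier, not a value, so a driver cannot bind it.
# The defensive substitute is a strict allow-list: an empty prefix (the default)
# or characters legal in an unquoted SQL identifier, nothing else.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_prefix(prefix: str) -> bool:
    """True if the prefix is empty or a plain identifier fragment."""
    return prefix == "" or IDENTIFIER_RE.match(prefix) is not None


def validate_prefix(prefix: str) -> str:
    """Return the prefix unchanged if it passes the allow-list, else raise."""
    if not is_safe_prefix(prefix):
        raise ValueError(f"refusing unsafe table prefix: {prefix!r}")
    return prefix


def table_name(prefix: str) -> str:
    """Build the prefixed table name the way ${prefix}ACT_HI_ATTACHMENT would."""
    return f"{validate_prefix(prefix)}ACT_HI_ATTACHMENT"


def make_db(prefix: str = SAMPLE_PREFIX) -> sqlite3.Connection:
    """Create an in-memory database with one prefixed table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    table = table_name(prefix)
    conn.execute(f"CREATE TABLE {table} (ID_ TEXT, USER_ID_ TEXT)")
    conn.executemany(f"INSERT INTO {table} VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def select_substituted(conn: sqlite3.Connection, prefix: str, user_id: str) -> list:
    """Mimics WHERE USER_ID_ = '${userId}': the value is pasted into the SQL text,
    so quote characters in it change the statement's meaning."""
    sql = f"SELECT ID_ FROM {table_name(prefix)} WHERE USER_ID_ = '{user_id}' ORDER BY ID_"
    return [row[0] for row in conn.execute(sql)]


def select_bound(conn: sqlite3.Connection, prefix: str, user_id: str) -> list:
    """Mimics WHERE USER_ID_ = #{userId}: the value travels as a parameter and is
    always compared as a literal string, whatever characters it contains."""
    sql = f"SELECT ID_ FROM {table_name(prefix)} WHERE USER_ID_ = ? ORDER BY ID_"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    db = make_db()
    odd_value = "x' OR '1'='1"  # a value with a quote in it, to show the difference
    print("bound     :", select_bound(db, SAMPLE_PREFIX, odd_value))        # []
    print("substituted:", select_substituted(db, SAMPLE_PREFIX, odd_value))  # all rows
    print("prefix ok  :", is_safe_prefix(SAMPLE_PREFIX), is_safe_prefix("x; --"))
```

Run it and the bound form returns no rows for the odd value because the whole string is compared literally, while the substituted form returns every row because the quote ended the literal early; that behavioural difference is exactly what a scanner is pointing at when it flags ${}. For the prefix, where binding is impossible, is_safe_prefix is the check a deployment can apply to the configured value before the engine starts.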


              Assignee: Unassigned
              Reporter: Jude Antony
              Votes: 0
              Watchers: 2
