camunda BPM / CAM-7722

In camunda engine jar, mybatis xmls like Attachment.xml is giving Fortify scanning issues.


    Details

    • Type: Bug Report
    • Status: Open
    • Priority: L2 - Critical
    • Resolution: Unresolved
    • Affects Version/s: 7.6.0-alpha5
    • Fix Version/s: None
    • Component/s: None
    • Labels: None
    • Environment: Linux
    • Title Keywords: Fortify scanning issues

      Description

      The camunda engine jar contains MyBatis XML files for the database that are reported as SQL injection vulnerabilities by Fortify scanning. This is because some of the XML files contain ${<somestring>} for string concatenation. The HP Fortify code scanner treats this as an SQL injection issue, as ${} is only string concatenation and not a parameterized one, and it suggests using #{<somestring>} instead. In almost all XMLs (Attachment.xml), the table name is prefixed with ${prefix}, which is also showing as an SQL injection possibility. I am using the 7.6.0 camunda-engine.jar. Since it is SQL injection, all vulnerabilities are showing as CRITICAL errors.

      Please suggest.
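Added illustration (not code from camunda or from the reporter): the Python script below emulates what MyBatis does with `${}` (the value is pasted into the SQL text before the statement reaches the driver) versus `#{}` (the SQL text is fixed and the value travels as a bound parameter on a prepared statement), using an in-memory SQLite table whose prefixed name and rows are constructed here. It also shows why a table prefix cannot simply be switched to `#{}`: drivers accept bound parameters only in value positions, never in place of a table or column identifier, so a configurable prefix has to be substituted as text. The allowlist pattern used for the prefix is an assumption for this example, not a camunda rule.

```python
import re
import sqlite3

# Constructed sample: a table named the way the camunda mappers name theirs,
# a configurable prefix in front of a fixed ACT_* name.
PREFIX = "MY_"
TABLE = PREFIX + "ACT_HI_ATTACHMENT"

# Allowlist for a table prefix (assumption for this example): identifier
# characters and a dot for a schema qualifier, empty allowed. Nothing in this
# set can terminate a literal or start a second statement.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_.]*$")


def setup_db():
    """In-memory SQLite database with two constructed attachment rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (ID_ TEXT, NAME_ TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?)",
        [("1", "spec.pdf"), ("2", "notes.txt")],
    )
    return conn


def dollar_substitution(conn, name):
    """Emulates MyBatis ${name}: the value becomes part of the SQL text, so the
    statement the driver parses changes with the input. This is the pattern
    Fortify reports as SQL injection."""
    sql = f"SELECT ID_ FROM {TABLE} WHERE NAME_ = '{name}' ORDER BY ID_"
    return [row[0] for row in conn.execute(sql)]


def hash_parameter(conn, name):
    """Emulates MyBatis #{name}: the SQL text is fixed and the value is bound
    as a parameter, so it is only ever compared as data."""
    sql = f"SELECT ID_ FROM {TABLE} WHERE NAME_ = ? ORDER BY ID_"
    return [row[0] for row in conn.execute(sql, (name,))]


def table_name_can_be_bound(conn):
    """Why the prefix stays ${prefix}: a bound parameter in an identifier
    position is a syntax error for the driver, not a substitution."""
    try:
        conn.execute("SELECT ID_ FROM ? ORDER BY ID_", (TABLE,))
        return True
    except sqlite3.Error:
        return False


def is_valid_prefix(prefix):
    """The practical control for a ${prefix}: validate the configured value
    against an allowlist before it is substituted into the mapper SQL."""
    return PREFIX_RE.fullmatch(prefix) is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "x' OR '1'='1"
    print("${} with payload:", dollar_substitution(db, payload))  # both rows leak
    print("#{} with payload:", hash_parameter(db, payload))       # no rows
    print("identifier bindable:", table_name_can_be_bound(db))    # False
    print("prefix ok:", is_valid_prefix("MY_"), is_valid_prefix("MY_;--"))
```

The scanner is right that `${}` is text substitution and cannot be made safe by the driver; what it cannot see is where the value comes from. A `${prefix}` that is only ever populated from engine configuration is a different risk from a `${}` fed by request data, and the check worth doing when triaging such findings is to trace each `${}` back to its source and to confirm that identifier-valued settings are restricted to identifier characters, as `is_valid_prefix` does above.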


            People

            Assignee: Unassigned
            Reporter: Jude Antony (judebantony)