[Esapi-dev] Code Scan

Jim Manico jim.manico at owasp.org
Wed Jun 15 12:59:14 EDT 2011


This is great news! I'm certain that our developer community will be
very happy to see more ESAPI modularization. More from me on this topic
soon. :)

Aloha Juan Carlos!
- Jim

> ESAPI WAF was renamed to OWASP JAVA WAF and will no longer be part of
> ESAPI mainstream.
>  
> Not sure if it was already removed from ESAPI 2.0 GA, but if not that
> could be an easy way to remove these code flaws from ESAPI. Anyway,
> any volunteer work is very welcome :) you can download the latest
> version of WAF here
> http://code.google.com/p/owasp-java-waf/source/checkout
>  
> Regards,
> *Juan C Calderon*
>
> ------------------------------------------------------------------------
> *From:* Yan Yan Wang [mailto:yan.y.wang.r7lv at statefarm.com]
> *Sent:* Wednesday, June 15, 2011 11:19 AM
> *To:* Calderon, Juan Carlos (GE, Corporate, consultant);
> esapi-dev at lists.owasp.org
> *Subject:* RE: [Esapi-dev] Code Scan
>
> Hi Juan,
>
>  
>
> This is a Klocwork scan on ESAPI only. I was somewhat concerned with
> the findings, so I thought I'd ask y'all's opinions. :D What would you like
> me to request? I probably could make the changes if desired.
>
>  
>
> Thanks!
>
>  
>
> YanYan
>
>  
>
> *From:*Calderon, Juan Carlos (GE, Corporate, consultant)
> [mailto:juan.calderon at ge.com]
> *Sent:* Wednesday, June 15, 2011 11:02 AM
> *To:* Yan Yan Wang; esapi-dev at lists.owasp.org
> *Subject:* RE: [Esapi-dev] Code Scan
>
>  
>
> All these findings are related to ESAPI WAF (except for those on the
> DefaultHTTPUtilities class). I will take them into consideration for
> the next release.
>
>  
>
> Question YanYan, is this related to Fortify scans on OWASP code? If
> not, then I'd like to raise a request for that specifically; I am interested in
> making sure the code is high quality.
>
>  
>
> Regards,
>
> *Juan C Calderon*
>
>  
>
> ------------------------------------------------------------------------
>
> *From:*esapi-dev-bounces at lists.owasp.org
> [mailto:esapi-dev-bounces at lists.owasp.org] *On Behalf Of *Yan Yan Wang
> *Sent:* Wednesday, June 15, 2011 10:52 AM
> *To:* esapi-dev at lists.owasp.org
> *Subject:* [Esapi-dev] Code Scan
>
> Hi everyone,
>
>  
>
> We performed a code scan on ESAPI, and I am not sure if the following
> findings might be concerns. Could someone advise please?
>
>  
>
> Thanks.
>
>  
>
> YanYan
>
>  
>
> InterceptingServletOutputStream:
>
>  
>
> line 59
>
> SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as
> temporary file but not deleted on exit : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java
> : 59 : Severe : Analyze : Existing
>
>  
>
> Line 45
>
> RLK.FIELD : Possible leak of system resource
> 'java.io.RandomAccessFile' stored in field 'out'. Resource is not
> closed in any of the class methods. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java
> : 45 : Error : Defer : Existing
>
>  
>
> InterceptingHTTPServletRequest:
>
> line 101
>
> SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as
> temporary file but not deleted on exit : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java
> : 101 : Severe : Analyze : Existing
>
>  
>
> DefaultHTTPUtilities:
>
> line 576
>
> SV.DOS.TMPFILEEXIT : File 'f' is created as temporary file but not
> deleted on exit : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java
> : 576 : Severe : Analyze : Existing
>
>  
>
> Line 305
>
> SV.DATA.BOUND : Unvalidated user input from 'value' stored at
> parameter 'stringObjectEntry.getValue()' of call to setAttribute(...).
> This is considered to be trusted storage and its users might not
> perform data validation extracting from it : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java
> : 305 : Unexpected : Defer : Existing
>
>  
>
> BeanShellRule:
>
> line 104
>
> RLK.IN : Input stream 'fr' is not closed on exit. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\rules\BeanShellRule.java :
> 104 : Error : Analyze : Existing
>
>  
>
> ESAPIWebApplicationFirewallFilter:
>
> line 166
>
> RLK.IN : Input stream 'new FileInputStream(...)' is not closed on
> exit. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java
> : 166 : Error : Analyze : Existing
>
>  
>
> Line 90
>
> RLK.IN : Input stream 'new FileInputStream(...)' is not closed on
> exit. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java
> : 90 : Error : Analyze : Existing
>
>  
>
> InterceptingHTTPServletRequest
>
> Line 53
>
> RLK.FIELD : Possible leak of system resource
> 'java.io.RandomAccessFile' stored in field 'requestBody'. Resource is
> not closed in any of the class methods. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java
> : 53 : Error : Defer : Existing
>
>  
>
> ConfigurationParser
>
> Line 141
>
> JD.CATCH : Catching 'java.lang.NullPointerException' explicitly is
> usually a bad practice. Use preventive checks on data instead. : C:\
> ESAPI_GA\src\main\java\org\owasp\esapi\waf\configuration\ConfigurationParser.java
> : 141 : Investigate : Analyze : Existing
>
>
> _______________________________________________
> Esapi-dev mailing list
> Esapi-dev at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
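Three of the finding types in the scan above recur across the WAF classes: a temp file created with File.createTempFile but never removed (SV.DOS.TMPFILEEXIT), a RandomAccessFile held in a field that no method closes (RLK.FIELD), and a FileInputStream not closed on every exit path (RLK.IN). The following is an added illustration, not ESAPI's code and not how the flagged classes are written; it is a hypothetical temp-file-backed spool that shows what the tool expects, and it assumes Java 7+ for try-with-resources.

```java
import java.io.Closeable;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.RandomAccessFile;

// Hypothetical spool: bytes written to it land in a temp file via a
// RandomAccessFile kept in a field, the shape the scan flags. Implementing
// Closeable gives callers a defined place to release both resources.
public final class TempSpool implements Closeable {
    private final File spool;
    private final RandomAccessFile out;

    public TempSpool() throws IOException {
        spool = File.createTempFile("spool", ".tmp");
        spool.deleteOnExit();            // SV.DOS.TMPFILEEXIT: backstop if close() never runs
        out = new RandomAccessFile(spool, "rw");
    }

    public void write(byte[] data) throws IOException {
        out.write(data);
    }

    @Override
    public void close() throws IOException {
        try {
            out.close();                 // RLK.FIELD: the field-held resource is released here
        } finally {
            spool.delete();              // remove the temp file now rather than at JVM exit
        }
    }

    // RLK.IN: try-with-resources closes the stream on normal return and on exception.
    public static long countBytes(File config) throws IOException {
        try (InputStream in = new FileInputStream(config)) {
            byte[] buf = new byte[4096];
            long total = 0;
            int n;
            while ((n = in.read(buf)) != -1) total += n;
            return total;
        }
    }

    public static void main(String[] args) throws IOException {
        File cfg = File.createTempFile("cfg", ".xml");   // constructed sample input
        cfg.deleteOnExit();
        try (TempSpool s = new TempSpool()) {
            s.write("hello".getBytes("UTF-8"));
            System.out.println("config bytes: " + countBytes(cfg));
        }
    }
}
```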
