[Esapi-dev] Code Scan

Yan Yan Wang yan.y.wang.r7lv at statefarm.com
Wed Jun 15 13:19:06 EDT 2011


ESAPI 2.0 GA is the version that I scanned. I will download the code, fix these findings and get back to you.

Thanks!

YanYan

From: Calderon, Juan Carlos (GE, Corporate, consultant) [mailto:juan.calderon at ge.com]
Sent: Wednesday, June 15, 2011 11:42 AM
To: Yan Yan Wang; esapi-dev at lists.owasp.org
Subject: RE: [Esapi-dev] Code Scan

ESAPI WAF was renamed to OWASP JAVA WAF and will no longer be part of ESAPI mainstream.

Not sure if it was already removed from ESAPI 2.0 GA, but if not, that could be an easy way to remove these code flaws from ESAPI. Anyway, any volunteer work is very welcome :) You can download the latest version of WAF here: http://code.google.com/p/owasp-java-waf/source/checkout

Regards,
Juan C Calderon

________________________________
From: Yan Yan Wang [mailto:yan.y.wang.r7lv at statefarm.com]
Sent: Wednesday, June 15, 2011 11:19 AM
To: Calderon, Juan Carlos (GE, Corporate, consultant); esapi-dev at lists.owasp.org
Subject: RE: [Esapi-dev] Code Scan
Hi Juan,

This is a Klocwork scan on ESAPI only. I was somewhat concerned with the findings, and thought I'd ask for y'all's opinions. :D What would you like me to request? I probably could make the changes if desired.

Thanks!

YanYan

From: Calderon, Juan Carlos (GE, Corporate, consultant) [mailto:juan.calderon at ge.com]
Sent: Wednesday, June 15, 2011 11:02 AM
To: Yan Yan Wang; esapi-dev at lists.owasp.org
Subject: RE: [Esapi-dev] Code Scan

All these findings are related to ESAPI WAF (except for those on the DefaultHTTPUtilities class). I will take them into consideration for the next release.

Question, YanYan: is this related to Fortify scans on OWASP code? If not, then raise a request for that specifically; I am interested in making sure the code is high quality.

Regards,
Juan C Calderon

________________________________
From: esapi-dev-bounces at lists.owasp.org [mailto:esapi-dev-bounces at lists.owasp.org] On Behalf Of Yan Yan Wang
Sent: Wednesday, June 15, 2011 10:52 AM
To: esapi-dev at lists.owasp.org
Subject: [Esapi-dev] Code Scan
Hi everyone,

We performed a code scan on ESAPI, and I am not sure if the following findings might be concerns. Could someone advise, please?

Thanks.

YanYan

InterceptingServletOutputStream:

line 59
SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as temporary file but not deleted on exit : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java : 59 : Severe : Analyze : Existing

Line 45
RLK.FIELD : Possible leak of system resource 'java.io.RandomAccessFile' stored in field 'out'. Resource is not closed in any of the class methods. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingServletOutputStream.java : 45 : Error : Defer : Existing

InterceptingHTTPServletRequest:
line 101
SV.DOS.TMPFILEEXIT : File 'File.createTempFile(...)' is created as temporary file but not deleted on exit : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java : 101 : Severe : Analyze : Existing

DefaultHTTPUtilities:
line 576
SV.DOS.TMPFILEEXIT : File 'f' is created as temporary file but not deleted on exit : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java : 576 : Severe : Analyze : Existing

Line 305
SV.DATA.BOUND : Unvalidated user input from 'value' stored at parameter 'stringObjectEntry.getValue()' of call to setAttribute(...). This is considered to be trusted storage and its users might not perform data validation extracting from it : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\reference\DefaultHTTPUtilities.java : 305 : Unexpected : Defer : Existing

BeanShellRule:
line 104
RLK.IN : Input stream 'fr' is not closed on exit. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\rules\BeanShellRule.java : 104 : Error : Analyze : Existing

ESAPIWebApplicationFirewallFilter:
line 166
RLK.IN : Input stream 'new FileInputStream(...)' is not closed on exit. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java : 166 : Error : Analyze : Existing

Line 90
RLK.IN : Input stream 'new FileInputStream(...)' is not closed on exit. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\ESAPIWebApplicationFirewallFilter.java : 90 : Error : Analyze : Existing

InterceptingHTTPServletRequest
Line 53
RLK.FIELD : Possible leak of system resource 'java.io.RandomAccessFile' stored in field 'requestBody'. Resource is not closed in any of the class methods. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\internal\InterceptingHTTPServletRequest.java : 53 : Error : Defer : Existing

ConfigurationParser
Line 141
JD.CATCH : Catching 'java.lang.NullPointerException' explicitly is usually a bad practice. Use preventive checks on data instead. : C:\ ESAPI_GA\src\main\java\org\owasp\esapi\waf\configuration\ConfigurationParser.java : 141 : Investigate : Analyze : Existing
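The scan above reports three recurring finding classes: a temporary file that is never scheduled for deletion (SV.DOS.TMPFILEEXIT), a file handle held in a field or opened inline and never closed (RLK.FIELD, RLK.IN), and a NullPointerException caught instead of being prevented (JD.CATCH). The following Java illustration, added here and not taken from ESAPI or OWASP Java WAF, puts the pattern each rule flags next to a hardened form. The class and property names (LeakyBuffer, SpoolBuffer, rule.name) are hypothetical and chosen only for the demonstration; the request body written to the buffer is constructed sample data.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.RandomAccessFile;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Properties;

/**
 * Hypothetical illustration of the finding classes from the Klocwork report
 * (SV.DOS.TMPFILEEXIT, RLK.FIELD, RLK.IN, JD.CATCH). Not ESAPI code.
 */
public class ScanFindingsDemo {

    // Pattern the scanner flags: temp file held open in a field, never closed,
    // never scheduled for deletion. A buffer like this spools request or
    // response bytes, so every leaked instance is a disk-space and fd leak.
    static class LeakyBuffer {
        private final RandomAccessFile out;              // RLK.FIELD: no method closes it
        LeakyBuffer() throws IOException {
            File tmp = File.createTempFile("buf", ".tmp"); // SV.DOS.TMPFILEEXIT: no deleteOnExit
            out = new RandomAccessFile(tmp, "rw");
        }
        void write(byte[] b) throws IOException { out.write(b); }
    }

    // Hardened form: AutoCloseable so callers use try-with-resources,
    // deleteOnExit() as a backstop, explicit delete when the handle is released.
    static class SpoolBuffer implements AutoCloseable {
        private final Path path;
        private final RandomAccessFile out;

        SpoolBuffer() throws IOException {
            path = Files.createTempFile("buf", ".tmp"); // owner-only permissions on POSIX
            path.toFile().deleteOnExit();              // backstop if close() is never reached
            out = new RandomAccessFile(path.toFile(), "rw");
        }
        void write(byte[] b) throws IOException { out.write(b); }
        long size() throws IOException { return out.length(); }

        @Override public void close() throws IOException {
            try { out.close(); }                        // release the handle first
            finally { Files.deleteIfExists(path); }     // then remove the file
        }
    }

    // RLK.IN: stream opened inline and never closed; it also leaks if load() throws.
    static Properties loadConfigLeaky(File f) throws IOException {
        Properties p = new Properties();
        p.load(new FileInputStream(f));
        return p;
    }

    // Hardened: try-with-resources closes the stream on every exit path.
    static Properties loadConfig(File f) throws IOException {
        Properties p = new Properties();
        try (InputStream in = new FileInputStream(f)) {
            p.load(in);
        }
        return p;
    }

    // JD.CATCH: catching NPE hides every null dereference in the block,
    // not only the missing key the author had in mind.
    static String ruleNameLeaky(Properties p) {
        try {
            return p.getProperty("rule.name").trim();
        } catch (NullPointerException e) {
            return "default";
        }
    }

    // Hardened: preventive check, default supplied explicitly.
    static String ruleName(Properties p) {
        String v = p.getProperty("rule.name");
        return (v == null || v.trim().isEmpty()) ? "default" : v.trim();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample body; the file is removed when the try block exits.
        try (SpoolBuffer buf = new SpoolBuffer()) {
            buf.write("constructed request body".getBytes(StandardCharsets.UTF_8));
            System.out.println("spooled bytes: " + buf.size());
        }
        System.out.println("rule name with no key: " + ruleName(new Properties()));
    }
}
```

The deleteOnExit() call only covers a clean JVM shutdown, so the explicit delete in close() is what actually bounds disk usage under load; the two together are what makes a scanner stop reporting SV.DOS.TMPFILEEXIT without merely silencing it.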


