Access Control: Database (Fortify)

Date: 2017-03-21 20:59:44

Tags: fortify

We have been using the Fortify tool to check for security vulnerabilities. The Access Control: Database finding is proving very hard to fix.

```java
public BigDecimal getLctnId(String roId) {
    // Named JPQL query on the RegionalOffice entity; roId is bound as a parameter
    Query queryCaseId = em.createNamedQuery("RegionalOffice.getLctnId");
    queryCaseId.setParameter("roId", roId);

    BigDecimal lctnId = null;
    try {
        lctnId = (BigDecimal) queryCaseId.getSingleResult();
    } catch (Exception e) {
        // no result (or any other failure) leaves lctnId as null
    }
    return lctnId;
}
```

Is there any way to indicate that the data really does come from a trusted source?

Thanks.

1 answer:

Answer 0: (score: 1)

I run into this a lot with clients, where Fortify flags a data source that is trusted.

First, make sure the data source actually is trusted. Usually, this means it's tightly access controlled (only sysadmins, not other employees, and no user data), encrypted, and change logged (in case a sysadmin is malicious). Document that it's trusted, and what could change that.

To tell Fortify it's trusted, there are 2 options:

  1. Do this when all inputs of a certain type are trusted. (So all file system inputs, or all database inputs, etc.) In Audit Workbench, open the Audit Guide from the banner at the top, select Advanced Mode, and check the boxes to tell Fortify to trust those inputs. Unfortunately, if you use 2 databases, one trusted and one untrusted, there's no way to tell Fortify to trust just one of those DBs.

  2. In that issue's Issue Summary (bottom center panel), write a comment saying, "Trusted data source, see [document]." Mark the Analysis as "Not an Issue," and optionally suppress it with the red X button. (Many companies prefer developers to not suppress issues, check with whoever owns Fortify for your company.) This is a manual process, but you can multi-select issues and apply this audit to all of them at once.
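For readers who would rather close the finding than audit it away: Fortify raises Access Control: Database when a record key taken from the request selects a row with no check that the calling user is entitled to that row. The example below is added here and is not the poster's code or the answerer's; it shows the flagged pattern beside a version that binds the lookup to the caller. The entity and field names (`RegionalOffice`, `lctnId`, `orgId`), the `Principal` class and the `javax.persistence` (JPA 2.x) API are assumptions, as is the idea that each office belongs to one tenant organisation.

```java
import java.math.BigDecimal;
import java.util.Set;
import javax.persistence.EntityManager;
import javax.persistence.NoResultException;
import javax.persistence.TypedQuery;

/** Illustrative repository; entity, field and query names are assumed. */
public class RegionalOfficeRepository {

    private final EntityManager em;

    public RegionalOfficeRepository(EntityManager em) {
        this.em = em;
    }

    /** Caller identity as established by the container (assumed shape). */
    public static final class Principal {
        public final String userId;
        public final String orgId;             // tenant the caller belongs to
        public final Set<String> allowedRoIds; // offices the caller may read

        public Principal(String userId, String orgId, Set<String> allowedRoIds) {
            this.userId = userId;
            this.orgId = orgId;
            this.allowedRoIds = allowedRoIds;
        }
    }

    /**
     * The pattern Fortify flags: roId comes straight from the request and
     * picks the row, with nothing tying that row to the caller. Any valid
     * roId, including another tenant's, is served. Kept only for contrast.
     */
    public BigDecimal getLctnIdUnchecked(String roId) {
        TypedQuery<BigDecimal> q = em.createQuery(
            "select ro.lctnId from RegionalOffice ro where ro.roId = :roId",
            BigDecimal.class);
        q.setParameter("roId", roId);
        try {
            return q.getSingleResult();
        } catch (NoResultException e) {
            return null;
        }
    }

    /**
     * Hardened form. The key is first checked against the caller's explicit
     * allow-list (deny by default), and the caller's tenant is part of the
     * WHERE clause, so a guessed roId from another tenant returns nothing
     * instead of that tenant's data.
     */
    public BigDecimal getLctnId(Principal caller, String roId) {
        if (caller == null || roId == null) {
            throw new IllegalArgumentException("caller and roId are required");
        }
        if (!caller.allowedRoIds.contains(roId)) {
            // Refuse before any SQL runs; the message carries what an audit log needs.
            throw new SecurityException(
                "user " + caller.userId + " is not authorized for roId " + roId);
        }
        TypedQuery<BigDecimal> q = em.createQuery(
            "select ro.lctnId from RegionalOffice ro"
          + " where ro.roId = :roId and ro.orgId = :orgId",
            BigDecimal.class);
        q.setParameter("roId", roId);
        q.setParameter("orgId", caller.orgId);
        try {
            return q.getSingleResult();
        } catch (NoResultException e) {
            // "Not found" and "not visible to this tenant" look the same to the
            // caller, so the response does not reveal whether the id exists.
            return null;
        }
    }
}
```

Only `NoResultException` is caught: a catch-all `Exception` as in the original snippet would also hide `NonUniqueResultException`, persistence errors and the `SecurityException` above. If the allow-list is expensive to build, the tenant filter on its own is still a real access-control check that the scanner can follow, and it is the part that survives when the calling code forgets to consult the list.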
