I am getting a Veracode Information Exposure via Sent Data flaw. My code is:

String companyName = System.getProperty(EPMIConstants.COMPANY_NAME);  

This System.getProperty(EPMIConstants.COMPANY_NAME) gets its value from a JVM argument hardcoded in the server itself.

The variable companyName causes this flaw.

Can someone please tell me how to avoid this flaw?

I would recommend you to create a rule exception in Veracode so the false positive is not highlighted anymore.

Fabio

Have a look at this:

http://cwe.mitre.org/data/definitions/201.html

It looks like this might be a false positive.

Fabio @fcerullo