We have been using the Fortify tool in our code to check for security vulnerabilities. We were able to fix most of the issues, but there are some issues which we are finding hard to fix. One of them is related to "Access Control: Database" issues. We use Hibernate Criteria within our code to fetch records from the DB, and Fortify complains that the data we get from the DB and place into the program is from an untrusted source. Below is the code:
Criteria criteria = hibernatessn.createCriteria("com.vish.Status");
criteria.list(); // Here we get an error saying "data enters program from an untrusted source".
Is there a way we can indicate to Fortify that the data is indeed coming from a trusted source?
Thanks
You can't say this is coming from a trusted source, but you can create a custom ruleset to remove all these issues in upcoming scans.
Short answer - no.
Slightly longer answer - Fortify does not know whether your data source is trusted or not. You would either have to create a custom filter to ignore that category, or custom rules that would be able to ignore just data from a specific data source.
Historically speaking, if you are scanning the same app over and over, I just remember that those findings are "Not an Issue" when you see them.
You can control whether the issues panel lists the following types of issues:
Suppressed issues
You can mark an issue as suppressed if you are sure that the specific vulnerability is not, and never will be, a concern. You might also want to suppress warnings for specific types of issues that might not be high priority or of immediate concern. For example, you can suppress issues that are fixed, or issues that - in your case - you do not plan to fix. Suppressed issues are not included in the group totals shown in the issues panel. This approach may be best when you want to eliminate awareness of the issue altogether.
Hidden issues
You can hide a group of issues temporarily to avoid distraction as you focus elsewhere. For example, you could hide all issues except those assigned to you. The individuals assigned to address the issues you have hidden in your view can still access them. The group totals displayed in the issues panel include hidden issues. If you find an issue in a folder list that you want to hide or direct to another folder, you can create a new filter using the filter wizard. The filter wizard displays all the attributes with matching conditions for the filter. See p. 29 of the document HP_Fortify_Audit_Workbench_User_Guide_4.30; this documentation ships with your Fortify program files. This alternative might be preferable if you want others to be aware of the issues, even as you ignore them.
Removed issues
This alternative is not particularly relevant to your situation, but I present it for the sake of completeness. As multiple scans are run on a project over time, issues are often remediated or become obsolete. As it merges scan results, Static Code Analyzer marks issues that were uncovered in a previous scan, but are no longer evident in the most recent SCA analysis results as Removed. Removed issues are not included in the group totals shown in the issues panel. As you do not intend to "remediate" this issue, it will not become a "removed issue." To show or hide suppressed, hidden, and removed issues, use the Option menu. You can set the visibility filters to show or hide issues.