
Fortify Security Report

Sep 30, 2010


Aleks

Executive Summary
Issues Overview
On Sep 30, 2010, a source code review was performed over the src code base. 124 files (9053 executable lines of code) were scanned
and reviewed for defects that could lead to security vulnerabilities. The analysis reported a total of 389 findings, none of which
had been audited at the time of this report.

Issues by Fortify Priority Order

Critical: 2
High: 38
Medium: 0
Low: 349

Recommendations and Conclusions


The Issues Category section provides Fortify recommendations for addressing issues at a generic level. The recommendations for
specific fixes can be extrapolated from those generic recommendations by the development group.

Copyright 2010 Fortify Software Inc.


Project Summary
Code Base Summary
Code location: C:\Users\Aleks\Documents\Skole\INF226\ezquiz\quizbuilder\trunk\src
Number of Files: 124
Lines of Code: 9053
Build Label: <No Build Label>

Scan Information
Scan time: 02:36
SCA Engine version: 5.9.5.0007
Machine Name: Aleks-Gaming
Username running scan: Aleks

Results Certification
Results Certification Valid
Details:
Results Signature:
SCA Analysis Results has Valid signature

Rules Signature:
There were no custom rules used in this scan

Attack Surface
Command Line Arguments:
no.jafu.Quizbuilder.DecryptTool.main
no.jafu.Quizbuilder.EncryptTool.main
no.jafu.Quizbuilder.Quizbuilder.main
no.jafu.Quizbuilder.UserEncrypt.main
no.jafu.Quizbuilder.Gui.Menu.LNFSwitcher.main
File System:
java.io.FileInputStream.FileInputStream
GUI Form:
javax.swing.JPasswordField.getPassword
javax.swing.JPasswordField.getText
javax.swing.text.JTextComponent.getText
Private Information:
javax.swing.JPasswordField.getPassword
javax.swing.JPasswordField.getText
Java Properties:
java.lang.System.getProperty
Serialized Data:
java.io.ObjectInputStream.readObject
Stream:
java.io.FileInputStream.read
System Information:
java.awt.HeadlessException.getMessage
java.lang.Throwable.getMessage
org.xml.sax.SAXException.getMessage
Web:
java.net.URLConnection.getInputStream

Filter Set Summary


Current Enabled Filter Set:
Security Auditor View
Filter Set Details:
Folder Filters:
If [fortify priority order] contains critical Then set folder to Critical
If [fortify priority order] contains high Then set folder to High
If [fortify priority order] contains medium Then set folder to Medium
If [fortify priority order] contains low Then set folder to Low
Visibility Filters:

Audit Guide Summary


File System Inputs
Hide issues involving file system inputs.
Depending on your system, inputs from files may or may not come from trusted users. AuditGuide can hide issues that are based
on data coming from the file system if it is trusted.
Enable if you trust file system inputs.

Filters:
If taint contains file_system Then hide issue
If taint contains constantfile Then hide issue
If taint contains stream Then hide issue
If category is file access race condition Then hide issue

Taint from Command-Line Arguments
Hide issues involving taint from command-line arguments.
Depending on your system, inputs from command-line arguments may or may not come from trusted users. AuditGuide can hide
issues that are based on data coming from command-line arguments if they are trusted.
Enable if you trust command-line arguments.

Filters:
If taint contains args Then hide issue

Property File Inputs
Hide issues involving inputs from properties files.
Depending on your system, inputs from properties files may or may not come from trusted users. AuditGuide can hide issues that
are based on data coming from properties files if they are trusted.
Enable if you trust inputs from properties files.

Filters:
If taint contains property Then hide issue

Environment Variable Inputs
Hide issues involving environment variable inputs.
Depending on your system, inputs from environment variables may or may not come from trusted users. AuditGuide can hide
issues that are based on data coming from environment variables if they are trusted.
Enable if you trust environment variable inputs.

Filters:
If taint contains environment Then hide issue

J2EE Bad Practices
Hide warnings about J2EE bad practices.
Depending on whether your application is a J2EE application, J2EE bad practice warnings may or may not apply. AuditGuide can
hide J2EE bad practice warnings.
Enable if J2EE bad practice warnings do not apply to your application because it is not a J2EE application.

Filters:
If category contains j2ee Then hide issue
If category is race condition: static database connection Then hide issue

Results Outline
Overall number of results
The scan found 389 issues.

Vulnerability Examples by Category


Category: Password Management: Empty Password (2 Issues)
Issues by analysis: <Unaudited> 2 (neither issue has been marked Not an Issue, Reliability Issue, Bad Practice, Suspicious or Exploitable)

Abstract:
Empty passwords can compromise system security in a way that cannot be easily remedied.

Explanation:
It is never a good idea to assign an empty string to a password variable. If the empty password is used to successfully
authenticate against another system, then the corresponding account's security is likely compromised because it accepts an empty
password. If the empty password is merely a placeholder until a legitimate value can be assigned to the variable, then it can
confuse anyone unfamiliar with the code and potentially cause problems on unexpected control flow paths.
Example 1: The code below attempts to connect to a database with an empty password.
...
DriverManager.getConnection(url, "scott", "");
...
If the code in Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password,
which can be easily guessed by an attacker. Even worse, once the program has shipped, updating the account to use a non-empty
password will require a code change.
Example 2: The code below initializes a password variable to an empty string, attempts to read a stored value for the password,
and compares it against a user-supplied value.
...
String storedPassword = "";
String temp;
if ((temp = readPassword()) != null) {
    storedPassword = temp;
}
if (storedPassword.equals(userPassword)) {
    // Access protected resources
    ...
}
...
If readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially
bypass the password check by providing an empty string for userPassword.

Recommendations:
Always read stored password values from encrypted, external resources and assign password variables meaningful values.
Ensure that sensitive resources are never protected with empty or null passwords.
Starting with Microsoft(R) Windows(R) 2000, Microsoft(R) provides Windows Data Protection Application Programming
Interface (DPAPI), which is an OS-level service that protects sensitive application data, such as passwords and private keys [1].

Tips:
The Fortify Java Annotations FortifyPassword and FortifyNotPassword can be used to indicate which fields and variables
represent passwords.

OpenFromXML.java, line 545 (Password Management: Empty Password)

Fortify Priority: High
Folder: High
Kingdom: Security Features
Abstract: Empty passwords can compromise system security in a way that cannot be easily remedied.
Sink: OpenFromXML.java:545 VariableAccess: password()

543     }
544     String username = "";
545     String password = "";
546     // Dealing with HTTP protocol.
547     HttpURLConnection connection = (HttpURLConnection) urlConnection;
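The placeholder pattern from Example 2 in the Explanation above, placed next to a hardened check, together with a fail-closed way of obtaining the credential that the finding at OpenFromXML.java:545 leaves as "". This is an added example, not code from the scanned quizbuilder project or from Fortify; CredentialStore, requireCredential, the sample secret and the configuration keys are assumptions made for the illustration.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example, not code from the scanned quizbuilder project. The vulnerable
 * method mirrors Example 2 of the Empty Password explanation; the hardened method
 * and requireCredential show the fix. CredentialStore and the sample values are
 * assumptions for this illustration.
 */
public class EmptyPasswordDemo {

    /** Hypothetical lookup of the stored secret; returning null models a database or I/O failure. */
    interface CredentialStore {
        String readPassword(String account);
    }

    /** Vulnerable form (the shape Fortify flags): the "" placeholder survives a failed lookup. */
    static boolean vulnerableCheck(CredentialStore store, String account, String userPassword) {
        String storedPassword = "";
        String temp;
        if ((temp = store.readPassword(account)) != null) {
            storedPassword = temp;
        }
        // If the lookup returned null, storedPassword is still "" and an empty userPassword matches it.
        return storedPassword.equals(userPassword);
    }

    /** Hardened form: no placeholder, fail closed on a missing or empty secret, no early-exit compare. */
    static boolean hardenedCheck(CredentialStore store, String account, char[] userPassword) {
        String stored = store.readPassword(account);
        if (stored == null || stored.isEmpty()) {
            return false; // lookup failure or an empty configured secret denies access instead of granting it
        }
        if (userPassword == null || userPassword.length == 0) {
            return false;
        }
        byte[] expected = stored.getBytes(StandardCharsets.UTF_8);
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(userPassword));
        byte[] supplied = new byte[encoded.remaining()];
        encoded.get(supplied);
        try {
            // For equal-length inputs MessageDigest.isEqual examines every byte instead of stopping
            // at the first mismatch. A real application would compare a slow password hash here.
            return MessageDigest.isEqual(expected, supplied);
        } finally {
            Arrays.fill(supplied, (byte) 0);
            Arrays.fill(expected, (byte) 0);
        }
    }

    /** Fail-closed counterpart of 'String password = "";': an unconfigured credential is an error, not "". */
    static char[] requireCredential(Map<String, String> externalConfig, String key) {
        String value = externalConfig.get(key);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("credential '" + key + "' is not configured");
        }
        return value.toCharArray();
    }

    public static void main(String[] args) {
        // Constructed stores for the demonstration: one that works and one whose lookup fails.
        CredentialStore working = account -> "correct-horse-battery";
        CredentialStore broken = account -> null;

        System.out.println("vulnerable, failed lookup, empty input: "
                + vulnerableCheck(broken, "alice", ""));
        System.out.println("hardened, failed lookup, empty input: "
                + hardenedCheck(broken, "alice", new char[0]));
        System.out.println("hardened, working lookup, right secret: "
                + hardenedCheck(working, "alice", "correct-horse-battery".toCharArray()));
        System.out.println("hardened, working lookup, wrong secret: "
                + hardenedCheck(working, "alice", "wrong".toCharArray()));

        // Constructed configuration with the HTTP credential deliberately missing.
        Map<String, String> config = new HashMap<>();
        config.put("http.username", "alice");
        try {
            requireCredential(config, "http.password");
        } catch (IllegalStateException e) {
            System.out.println("startup refused: " + e.getMessage());
        }
    }
}
```

The first case is the bypass the Explanation describes: with the lookup failing, an empty user-supplied string matches the "" placeholder. The hardened check rejects both a missing stored secret and an empty supplied one before comparing, and requireCredential refuses to proceed when the credential is absent rather than silently continuing with an empty string, which is the behaviour the OpenFromXML.java:545 finding should be fixed towards.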


Issue Count by Category

Category                                                              Issues
Poor Error Handling: Overly Broad Catch                                   88
System Information Leak                                                   75
Poor Logging Practice: Use of a System Output Stream                      50
Poor Error Handling: Empty Catch Block                                    30
Unreleased Resource: Streams                                              25
Password Management: Password in Comment                                  21
Poor Error Handling: Overly Broad Throws                                  20
Code Correctness: Erroneous String Compare                                15
Dead Code: Expression is Always true                                       9
Denial of Service                                                          6
Code Correctness: Class Does Not Implement equals                          5
Null Dereference                                                           5
Object Model Violation: Just one of equals() and hashCode() Defined        5
Dead Code: Unused Field                                                    4
Password Management: Password in Configuration File                        4
Poor Logging Practice: Logger Not Declared Static Final                    4
Poor Style: Value Never Read                                               4
Dead Code: Unused Method                                                   3
Unchecked Return Value                                                     3
Insecure Randomness                                                        2
Password Management: Empty Password                                        2
Path Manipulation                                                          2
Poor Error Handling: Program Catches NullPointerException                  2
Code Correctness: Misspelled Method Name                                   1
Missing Check against Null                                                 1
Poor Style: Non-final Public Static Field                                  1
Poor Style: Redundant Initialization                                       1
Weak Cryptographic Hash                                                    1
Total                                                                    389


Issue Breakdown by Analysis

<none> (not yet audited): 389 (100%)
