[Chart: issues by Fortify priority (legend: Low, High, Critical)]
Scan Information
Scan time: 02:36
SCA Engine version: 5.9.5.0007
Machine Name: Aleks-Gaming
Username running scan: Aleks
Results Certification
Results Certification Valid
Details:
Results Signature:
SCA Analysis Results has Valid signature
Rules Signature:
There were no custom rules used in this scan
Attack Surface
Attack Surface:
Command Line Arguments:
no.jafu.Quizbuilder.DecryptTool.main
no.jafu.Quizbuilder.EncryptTool.main
no.jafu.Quizbuilder.Quizbuilder.main
no.jafu.Quizbuilder.UserEncrypt.main
no.jafu.Quizbuilder.Gui.Menu.LNFSwitcher.main
File System:
java.io.FileInputStream.FileInputStream
GUI Form:
javax.swing.JPasswordField.getPassword
javax.swing.JPasswordField.getText
javax.swing.text.JTextComponent.getText
Private Information:
Copyright 2010 Fortify Software Inc.
Filters:
If taint contains file_system Then hide issue
If taint contains constantfile Then hide issue
Filters:
If taint contains args Then hide issue
Property File Inputs
Hide inputs from properties files.
Depending on your system, inputs from properties files may or may not come from trusted users. AuditGuide can hide issues that
are based on data coming from properties files if they are trusted.
Enable if you trust inputs from properties files.
Filters:
If taint contains property Then hide issue
Environment Variable Inputs
Hide issues involving environment variable inputs.
Depending on your system, inputs from environment variables may or may not come from trusted users. AuditGuide can hide
issues that are based on data coming from environment variables if they are trusted.
Enable if you trust environment variable inputs.
Filters:
If taint contains environment Then hide issue
J2EE Bad Practices
Hide warnings about J2EE bad practices.
Depending on whether your application is a J2EE application, J2EE bad practice warnings may or may not apply. AuditGuide can
hide J2EE bad practice warnings.
Enable if J2EE bad practice warnings do not apply to your application because it is not a J2EE application.
Filters:
If category contains j2ee Then hide issue
If category is race condition: static database connection Then hide issue
[Chart: issue counts by audit status (legend: <Unaudited>, Not an Issue, Reliability Issue, Bad Practice, Suspicious, Exploitable)]
Abstract:
Empty passwords can compromise system security in a way that cannot be easily remedied.
Explanation:
It is never a good idea to assign an empty string to a password variable. If the empty password is used to successfully
authenticate against another system, then the corresponding account's security is likely compromised because it accepts an empty
password. If the empty password is merely a placeholder until a legitimate value can be assigned to the variable, then it can
confuse anyone unfamiliar with the code and potentially cause problems on unexpected control flow paths.
Example 1: The code below attempts to connect to a database with an empty password.
...
DriverManager.getConnection(url, "scott", "");
...
If the code in Example 1 succeeds, it indicates that the database user account "scott" is configured with an empty password,
which can be easily guessed by an attacker. Even worse, once the program has shipped, updating the account to use a non-empty
password will require a code change.
Example 2: The code below initializes a password variable to an empty string, attempts to read a stored value for the password,
and compares it against a user-supplied value.
...
String storedPassword = "";
String temp;
if ((temp = readPassword()) != null) {
    storedPassword = temp;
}
if (storedPassword.equals(userPassword)) {
    // Access protected resources
    ...
}
...
If readPassword() fails to retrieve the stored password due to a database error or another problem, then an attacker could trivially
bypass the password check by providing an empty string for userPassword.
Tips:
The Fortify Java Annotations FortifyPassword and FortifyNotPassword can be used to indicate which fields and variables
represent passwords.
Folder: High
Fortify Priority: High
Kingdom: Security Features
Abstract: Empty passwords can compromise system security in a way that cannot be easily remedied.
Sink: OpenFromXML.java:545 VariableAccess: password()
543    }
544    String username = "";
545    String password = "";
546    // Dealing with HTTP protocol.
547    HttpURLConnection connection = (HttpURLConnection) urlConnection;