Azure / azure-service-bus-java

☁️ Java client library for Azure Service Bus
https://azure.microsoft.com/services/service-bus
MIT License

Veracode (CWE ID 611) #375

Closed ghost closed 5 years ago

ghost commented 5 years ago

Actual Behavior

Veracode Scan failed, reason: Improper Restriction of XML External Entity (CWE ID 611)

Azure DevOps pipeline task: Veracode Upload and Scan

References:

CWE: https://cwe.mitre.org/data/definitions/611.html
OWASP: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
WASC: https://webappsec.pbworks.com/XML-External-Entities

Files with issue:

com/microsoft/azure/servicebus/management/

RuleDescriptionSerializer.java
ManagementClientAsync.java
TopicRuntimeInfoSerializer.java
SubscriptionDescriptionSerializer.java
NamespaceInfoSerializer.java
SubscriptionRuntimeInfoSerializer.java
QueueDescriptionSerializer.java
TopicDescriptionSerializer.java
SubscriptionDescriptionSerializer.java
QueueDescriptionSerializer.java
QueueRuntimeInfoSerializer.java
TopicDescriptionSerializer.java
RuleDescriptionSerializer.java

Expected Behavior

Veracode Scan success.

Versions

Note:

This library is required to use the Azure Service Bus product; without Veracode validation our product cannot go public in a production environment.

yvgopal commented 5 years ago

Branch containing this code moved to the repo https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/servicebus. Please raise this issue on the new repository.