Open niraj-100 opened 2 years ago
I think these two are false positives in this case.
For https://github.com/adobe/aem-core-wcm-components/blob/core.wcm.components.reactor-2.15.0/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/internal/servlets/contentfragment/ElementsDataSourceServlet.java#L83-L88, we are checking the request parameter against a constant value.
For https://github.com/adobe/aem-core-wcm-components/blob/core.wcm.components.reactor-2.17.14/bundles/core/src/main/java/com/adobe/cq/wcm/core/components/commons/editor/dialog/inherited/PageImageThumbnail.java#L74-L89 we are trying to read a JCR component/node for the item using the user's session, which should be safe.
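The following is an added illustration of the two patterns the comment above describes, not code from aem-core-wcm-components or from Veracode. It is a hypothetical Sling servlet (package, class, parameter and constant names are all made up) that shows (a) a request parameter that is only compared against constants and never used as a path, (b) a JCR read done through the requesting user's own session so that repository access control still applies, and, for contrast, (c) the shape CWE-99 actually describes: an untrusted parameter selecting the path and a privileged service session reading it.

```java
// Added example, not code from aem-core-wcm-components. Hypothetical Sling servlet.
package example.servlets;                                   // hypothetical package

import java.io.IOException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;

public class ResourceInjectionExampleServlet extends SlingSafeMethodsServlet {

    private static final String PARAM_MODE = "mode";        // hypothetical parameter name
    private static final String MODE_SINGLE = "single";     // the only two accepted values
    private static final String MODE_MULTI = "multi";

    // Would be injected by OSGi in a real component; left unassigned in this example.
    private ResourceResolverFactory resolverFactory;

    @Override
    protected void doGet(SlingHttpServletRequest request, SlingHttpServletResponse response)
            throws ServletException, IOException {
        boolean multi;
        try {
            // (a) The parameter is only ever compared to constants; its raw value
            //     never reaches a lookup, so there is no identifier to inject.
            multi = isMultiMode(request);
        } catch (IllegalArgumentException e) {
            response.sendError(400, "unsupported mode");
            return;
        }
        try {
            // (b) The node is read with the caller's session; JCR ACLs still apply.
            Node current = readWithUserSession(request, request.getResource());
            response.getWriter().write(current.getPath() + (multi ? " (multi)" : " (single)"));
        } catch (RepositoryException e) {
            throw new ServletException(e);
        }
    }

    // Pattern (a): allow-list by equality against constants; anything else is rejected.
    static boolean isMultiMode(SlingHttpServletRequest request) {
        String mode = request.getParameter(PARAM_MODE);
        if (mode == null || MODE_SINGLE.equals(mode)) {
            return false;
        }
        if (MODE_MULTI.equals(mode)) {
            return true;
        }
        throw new IllegalArgumentException("unsupported mode");
    }

    // Pattern (b): the path comes from the already-resolved request resource, and the
    // read goes through the session bound to this request, i.e. the user's own permissions.
    static Node readWithUserSession(SlingHttpServletRequest request, Resource resource)
            throws RepositoryException {
        Session session = request.getResourceResolver().adaptTo(Session.class);
        if (session == null) {
            throw new RepositoryException("no JCR session available for this request");
        }
        return session.getNode(resource.getPath());
    }

    // Pattern (c), for contrast only: a genuine CWE-99 sink. A free-form parameter picks
    // the path and a privileged service resolver reads it, bypassing the caller's ACLs.
    boolean privilegedReadOfUntrustedPath(SlingHttpServletRequest request) throws LoginException {
        String path = request.getParameter("path");            // attacker-controlled
        try (ResourceResolver privileged = resolverFactory.getServiceResourceResolver(null)) {
            return privileged.getResource(path) != null;        // do not do this
        }
    }
}
```

The distinction a scanner cannot see by itself is who owns the session and what the parameter is compared against: in (a) the parameter only selects between constants, in (b) the repository enforces the requesting user's permissions on the read, while in (c) the attacker chooses the identifier and the lookup runs with rights the attacker does not have.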
Bug Report
Current Behavior: We are using core component 2.15.0. When the OOTB code was scanned against the Veracode guideline, which is a mandate in our organisation, we got the below issue:
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
This issue is reported at 2 places:
/src/main/java/com/adobe/cq/wcm/core/components/internal/servlets/contentfragment/ElementsDataSourceServlet.java, line 104
/src/main/java/com/adobe/cq/wcm/core/components/commons/editor/dialog/inherited/PageImageThumbnail.java, line 89