Closed kmarx closed 6 months ago
We ran a Veracode static scan on eCRNow and it found 191 medium severity flaws:
| CWE ID | Count | Description |
|---|---|---|
| 73 | 1 | External Control of File Name or Path |
| 93 | 2 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| 113 | 1 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
| 117 | 170 | Improper Output Neutralization for Logs |
| 209 | 1 | Generation of Error Message Containing Sensitive Information |
| 327 | 1 | Use of a Broken or Risky Cryptographic Algorithm |
| 331 | 1 | Insufficient Entropy |
| 352 | 1 | Cross-Site Request Forgery (CSRF) |
| 404 | 3 | Improper Resource Shutdown or Release |
| 601 | 1 | URL Redirection to Untrusted Site ('Open Redirect') |
| 918 | 13 | Server-Side Request Forgery (SSRF) |
And one low severity Information Leakage flaw.
A detailed report has been shared with the development team.
Here's a list of cleansing functions for different CWE flaws: https://docs.veracode.com/r/Supported_Java_Cleansing_Functions
Resolved as part of 3.1.4