microsoft / team-explorer-everywhere

Team Explorer Everywhere Plugin for Eclipse

SDK vulnerabilities in veracode scan #278

Open kaylangan opened 6 years ago

kaylangan commented 6 years ago

Copied over from https://developercommunity.visualstudio.com/content/problem/300318/tfs-sdk-vulnerabilities-in-veracode-scan.html

We are using the TFS SDK Java API (version 14.123.1.jar) to connect to TFS Server. When we scanned our module with the Veracode vulnerability scan, many flaws were found in the TFS SDK.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89)(2 flaws)

com.microsoft.tfs.core.internal.db.DBStatement.java 51

com.microsoft.tfs.core.internal.db.DBStatement.java 96

Process Control (CWE ID 114)(1 flaw)

com.microsoft.tfs.jni.loader.NativeLoader.java 549

Use of Hard-coded Password (CWE ID 259)(3 flaws)

com.microsoft.tfs.util.StringUtil.java 1

com.microsoft.tfs.util.StringUtil.java 1

com.microsoft.tfs.util.StringUtil.java 1

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)(2 flaws)

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2714

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2721

Improper Validation of Certificate with Host Mismatch (CWE ID 297)(2 flaws)

com.microsoft.tfs.core.config.httpclient.internal.DefaultSSLProtocolSocketFactory.java 221

com.microsoft.tfs.core.config.httpclient.internal.DefaultSSLProtocolSocketFactory.java 253

Insufficient Entropy (CWE ID 331)(1 flaw)

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 4748

Use of Hard-coded Cryptographic Key (CWE ID 321)(1 flaw)

com.microsoft.tfs.jni.internal.ntlm.JavaNTLM.java 732

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(2 flaws)

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 496

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.BaselineUpdaterWorker.java 130

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(1 flaw)

com.microsoft.tfs.core.internal.db.ConnectionConfiguration.java 120

Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611)(4 flaws)

com.microsoft.tfs.core.clients.workitem.internal.form.WIFormParseHandler.java 122

com.microsoft.tfs.core.externaltools.ExternalTool.java 267

com.microsoft.tfs.util.xml.DOMCreateUtils.java 600

com.microsoft.tfs.core.util.CodePageData.java 125

Information Exposure Through Sent Data (CWE ID 201)(13 flaws)

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2714

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2721

com.microsoft.tfs.util.temp.FastTempOutputStream.java 314

com.microsoft.tfs.util.chunkingcodec.StreamChunkedDecoder.java

Use of Wrong Operator in String Comparison (CWE ID 597)(5 flaws)

com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 986

com.microsoft.tfs.core.checkinpolicies.PolicyAnnotation.java 101

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.WorkspaceLocalItemEnumerable.java 53

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.WorkspaceLocalItemEnumerable.java 90

com.microsoft.tfs.core.clients.versioncontrol.Workstation.java 736

Insecure Temporary File (CWE ID 377)(7 flaws)

com.microsoft.tfs.core.util.internal.AppleSingleUtil.java 79

com.microsoft.tfs.core.util.internal.AppleSingleUtil.java 165

com.microsoft.tfs.core.persistence.FilesystemPersistenceStore.java 191

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 290

com.microsoft.tfs.jni.internal.filesystem.NativeFileSystem.java 264

com.microsoft.tfs.util.NewlineUtils.java 554

com.microsoft.tfs.util.temp.TempStorageService.java 264

All these flaws identified by Veracode should be mitigated.

External Control of File Name or Path (CWE ID 73)(104 flaws)

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.BaselineFileDownloadOutput.java 105
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 314
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 314
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 326
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 398
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 407
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 423
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 432
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 476
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 515
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 517
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 556
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 566
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 595
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 628
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 629
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 636
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 637
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 688
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 688
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 893
com.microsoft.tfs.core.clients.versioncontrol.soapextensions.ChangeRequest.java 148
com.microsoft.tfs.core.clients.versioncontrol.soapextensions.ChangeRequest.java 171
com.microsoft.tfs.core.util.diffmerge.ExternalRunner.java 81
com.microsoft.tfs.core.util.diffmerge.ExternalRunner.java 82
com.microsoft.tfs.core.clients.versioncontrol.internal.fileattributes.FileAttributesFile.java 99
com.microsoft.tfs.jni.helpers.FileCopyHelper.java 96
com.microsoft.tfs.core.util.FileEncodingDetector.java 116
com.microsoft.tfs.core.util.FileEncodingDetector.java 133
com.microsoft.tfs.util.FileHelpers.java 495
com.microsoft.tfs.util.FileHelpers.java 495
com.microsoft.tfs.util.FileHelpers.java 539
com.microsoft.tfs.util.FileHelpers.java 602
com.microsoft.tfs.util.FileHelpers.java 608
com.microsoft.tfs.util.FileHelpers.java 653
com.microsoft.tfs.core.persistence.FilesystemPersistenceStore.java 81
com.microsoft.tfs.core.clients.versioncontrol.path.internal.FileSystemWalker.java 546
com.microsoft.tfs.core.clients.versioncontrol.path.internal.FileSystemWalker.java 564
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 255
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 263
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 404
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 551
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 603
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 667
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 672
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1855
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1903
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1918
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2031
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2068
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2143
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2157
com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2318
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3165
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3186
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3324
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3342
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 4271
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalItemEnumerable.java 44
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalItemEnumerable.java 96
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 266
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 269
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 292
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 293
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 294
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 316
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 323
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 315
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 316
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 618
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 626
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 710
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 726
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 806
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 903
com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 921
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 341
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 685
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 801
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 807
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 833
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 865
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 868
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 898
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1178
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1178
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1220
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalWorkspaceScanner.java 197
com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalWorkspaceScanner.java 272
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 696
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 702
com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 737
com.microsoft.tfs.core.clients.versioncontrol.Workstation.java 1584
com.microsoft.tfs.core.persistence.VersionedVendorFilesystemPersistenceStore.java 184
com.microsoft.tfs.core.persistence.VersionedVendorFilesystemPersistenceStore.java 196
com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 1047
com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 1990
com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 2157
com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1392
com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1405
com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1407
com.microsoft.tfs.jni.filelock.NIOFileLock.java 67
com.microsoft.tfs.jni.loader.NativeLoader.java 486
com.microsoft.tfs.jni.internal.filesystem.NativeFileSystem.java 281
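Added example, not code from the team-explorer-everywhere project and not part of the issue text above: the standard JAXP remediation for the CWE-611 (XXE) category in the report, shown as a default `DocumentBuilderFactory` beside a hardened one, fed a constructed payload that declares an external entity. The class name `XxeHardeningDemo`, the `<form>` document and the `file:///etc/hostname` entity target are assumptions for illustration; the four SDK classes listed under CWE-611 are not reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeHardeningDemo {

    // Constructed sample payload (assumption, not from the SDK): a DOCTYPE that declares
    // an external entity pointing at a local file. A parser that resolves external
    // entities reads the file and inlines its contents into the <label> text.
    static final String XXE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE form [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<form><label>&xxe;</label></form>";

    // Default JAXP configuration: DTDs and external entities are processed.
    // This is the CWE-611 pattern the scanner flags.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened configuration: refuse any DOCTYPE, and as defence in depth also switch
    // off external entities, external DTD loading and XInclude. The feature URIs are
    // the standard SAX/Xerces ones; the two XMLConstants attributes need JAXP 1.5
    // (JDK 7u40 or later).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parses the document with the given builder and returns the text of <label>.
    static String parseLabel(DocumentBuilder builder, String xml) throws Exception {
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement()
                  .getElementsByTagName("label").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Hardened builder: the parse is rejected at the DOCTYPE, before any entity
        // could be resolved, so no file is ever opened.
        try {
            parseLabel(hardenedBuilder(), XXE_PAYLOAD);
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
        // Default builder: the entity is resolved. On a host where the target file
        // exists its contents end up in the label text; elsewhere the parser fails
        // while trying to open it, which still shows the file access was attempted.
        try {
            System.out.println("default: label = " + parseLabel(defaultBuilder(), XXE_PAYLOAD));
        } catch (Exception e) {
            System.out.println("default: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE is the single setting that matters most: it stops both external entities and entity-expansion denial of service. The remaining features are there for parsers that do not honour `disallow-doctype-decl`.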

shiva10162 commented 6 years ago

What is the plan to mitigate these security flaws?

eric-milles commented 2 years ago

If someone wants to help with this, it would be good to break each category out into a separate issue with link(s) to recommended remediation.
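As an added example of the kind of remediation note a per-category issue could carry (this is not code from the project or from any commenter): containing a server-supplied item path inside the local workspace root, which is the check the CWE-73 (External Control of File Name or Path) findings are about. The class `WorkspacePathGuard`, its method names, the `/ws` root and the sample inputs are assumptions for illustration and do not reproduce the SDK's `LocalPath` or `GetDownloadWorker` logic.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class WorkspacePathGuard {

    private final Path root;

    // root: the local workspace folder that every write is expected to stay inside.
    public WorkspacePathGuard(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    // Resolves a relative item path received from the server against the workspace
    // root and rejects anything whose normalized form escapes it. Returns null on
    // rejection so a caller cannot mistake a rejected path for a usable one.
    public Path resolveInside(String serverRelativePath) {
        if (serverRelativePath == null || serverRelativePath.isEmpty()) {
            return null;
        }
        // An absolute input replaces root in resolve(), so it fails the containment
        // check below; ".." segments are folded by normalize() before the check.
        // startsWith(Path) compares whole name elements, so "/ws2" is not under "/ws".
        Path candidate = root.resolve(serverRelativePath).normalize();
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            return null;
        }
        return candidate;
    }

    // Stricter variant for paths that already exist on disk: toRealPath() follows
    // symbolic links, so a link inside the workspace that points outside it is
    // caught, which the purely lexical check above cannot do.
    public Path resolveExistingInside(String serverRelativePath) throws IOException {
        Path candidate = resolveInside(serverRelativePath);
        if (candidate == null) {
            return null;
        }
        Path real = candidate.toRealPath();
        return real.startsWith(root.toRealPath()) ? real : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs (assumption); "/ws" stands in for a workspace
        // folder on a POSIX filesystem.
        WorkspacePathGuard guard = new WorkspacePathGuard(Paths.get("/ws"));
        String[] samples = {
            "src/Main.java",      // accepted: stays under /ws
            "a/../b/File.txt",    // accepted: normalizes to /ws/b/File.txt
            "../../etc/passwd",   // rejected: escapes the root
            "/etc/passwd",        // rejected: absolute path replaces the root
            "sub/../..",          // rejected: resolves to the parent of /ws
            ".",                  // rejected: is the root itself, not an item in it
            ""                    // rejected: empty
        };
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + guard.resolveInside(s));
        }
    }
}
```

The lexical check is what belongs at the point where a path from the server is first turned into a local `File`; the `toRealPath()` variant is for the later point where an existing file is opened, since it needs the file to exist and costs a filesystem round trip.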