Veracode triggering on ResourceResolver.findResource() | Community
roberth55706517
April 29, 2020
Solved

Veracode triggering on ResourceResolver.findResource()


It looks like Veracode does not like executing queries using the ResourceResolver.findResource() method. ResourceResolver doesn't have a parameterized version. Has anyone been able to resolve this issue? The customer I am working for requires that all Very High to Low risk assessments are removed.


joerghoh (Adobe Employee), accepted solution
April 30, 2020

What exactly is Veracode complaining about?

The method signature is

java.util.Iterator<Resource> findResources(java.lang.String query, java.lang.String language)

So I wonder what Veracode is complaining about, all parameters are strongly typed.

March 21, 2024

Getting a Veracode CWE-99 issue for the below syntax. What is the exact solution for it? Can anyone please help me with this?
resourceResolver.getResource(damPath)

joerghoh (Adobe Employee)
March 21, 2024

CWE-99 is described here (Mitre) as Insufficient input check:

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

I assume that you read the provided parameter directly from a request parameter, which everyone doing this call can influence.
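One way to restrict a request-supplied path before it reaches resourceResolver.getResource(damPath), as an added example that is not part of the original thread or of Adobe's code. The class name DamPathValidator, the allowed root /content/dam/ and the node-name character rule are assumptions to adapt to your content structure.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Optional;

/** Hypothetical helper: restricts a request-supplied path to one repository subtree. */
public final class DamPathValidator {

    // Assumption: assets may only be read from below this root.
    private static final String ALLOWED_ROOT = "/content/dam/";

    private DamPathValidator() { }

    /** Returns the normalized path if it stays inside ALLOWED_ROOT, otherwise empty. */
    public static Optional<String> validate(String raw) {
        if (raw == null || !raw.startsWith("/") || raw.length() > 1024) {
            return Optional.empty();
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : raw.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                       // collapse "//" and "/./"
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return Optional.empty();    // climbs above the repository root
                }
                segments.removeLast();
                continue;
            }
            // Conservative allow-list of node-name characters (assumption; it also
            // rejects names such as "jcr:content", so widen it if you need those).
            if (!segment.matches("[A-Za-z0-9][A-Za-z0-9._ -]*")) {
                return Optional.empty();
            }
            segments.addLast(segment);
        }
        String normalized = "/" + String.join("/", segments);
        return normalized.startsWith(ALLOWED_ROOT) ? Optional.of(normalized) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample inputs, standing in for a request parameter.
        String[] samples = { "/content/dam/site/logo.png", "/content/dam/../../etc/x",
                             "/apps/site/config", "/content/dam/a//b/./c.jpg" };
        for (String s : samples) {
            // At the real call site: validate(s).map(resourceResolver::getResource)
            System.out.println(s + " -> " + validate(s).orElse("REJECTED"));
        }
    }
}
```

The check is made on the normalized path, so a value that starts with /content/dam/ but climbs out of it with ".." segments is rejected rather than passed through.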