Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.
SOLVED

Veracode triggering on ResourceResolver.findResource()

Avatar

Level 4

It looks like Veracode does not like executing queries using the ResourceResolver.findResource() method. ResourceResolver doesn't have a parameterized version. Has anyone been able to resolve this issue? The customer I am working fore requires that all Very High to Low risk assessments are removed.

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

what exactly is Veracode complaining about?

 

The method signature is

 

java.util.Iterator<Resource>findResources(java.lang.String query, java.lang.String language)

 

So I womder what Veracode is complaining about, all parameters are strongly typed.

View solution in original post

4 Replies

Avatar

Correct answer by
Employee Advisor

what exactly is Veracode complaining about?

 

The method signature is

 

java.util.Iterator<Resource>findResources(java.lang.String query, java.lang.String language)

 

So I womder what Veracode is complaining about, all parameters are strongly typed.

Avatar

Level 2

Getting veracode CWE-99 issue for the below syntax? what is the exact solution for it Can anyone please help me on this?
resourceResolver.getResource(damPath)

Avatar

Employee Advisor

CWE-99 is described here (Mitre) as Insufficient input check: 

 

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource that may be outside the intended sphere of control.

 

I assume that you read the provided parameter directly from request parameter, which everyone doing this call can influence.