Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SDK vulnerabilities in veracode scan #278

Open
kaylangan opened this issue Aug 22, 2018 · 2 comments
Open

SDK vulnerabilities in veracode scan #278

kaylangan opened this issue Aug 22, 2018 · 2 comments

Comments

@kaylangan
Copy link
Contributor

Copied over from https://developercommunity.visualstudio.com/content/problem/300318/tfs-sdk-vulnerabilities-in-veracode-scan.html

We are using TFS SDK Java API (version14.123.1.jar) to connect to TFS Server. When we scanned our module against Veracode vulnerability scan there are many flaws found in the TFS SDK.

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE ID 89)(2 flaws)

com.microsoft.tfs.core.internal.db.DBStatement.java 51

com.microsoft.tfs.core.internal.db.DBStatement.java 96

Process Control (CWE ID 114)(1 flaw )

com.microsoft.tfs.jni.loader.NativeLoader.java 549

Use of Hard-coded Password (CWE ID 259)(3 flaws)

com.microsoft.tfs.util.StringUtil.java 1

com.microsoft.tfs.util.StringUtil.java 1

com.microsoft.tfs.util.StringUtil.java 1

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)(2 flaws)

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2714

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2721

Improper Validation of Certificate with Host Mismatch (CWE ID 297)(2 flaws)

com.microsoft.tfs.core.config.httpclient.internal.DefaultSSLProtocolSocketFactory.java 221

com.microsoft.tfs.core.config.httpclient.internal.DefaultSSLProtocolSocketFactory.java 253

Insufficient Entropy (CWE ID 331)(1 flaws)

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 4748

Use of Hard-coded Cryptographic Key (CWE ID 321)(1 flaw)

com.microsoft.tfs.jni.internal.ntlm.JavaNTLM.java 732

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)(2 flaws)

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 496

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.BaselineUpdaterWorker.java 130

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE ID 470)(1 flaw)

com.microsoft.tfs.core.internal.db.ConnectionConfiguration.java 120

Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611)(4 flaws)

com.microsoft.tfs.core.clients.workitem.internal.form.WIFormParseHandler.java 122

com.microsoft.tfs.core.externaltools.ExternalTool.java 267

com.microsoft.tfs.util.xml.DOMCreateUtils.java 600

com.microsoft.tfs.core.util.CodePageData.java 125

Information Exposure Through Sent Data (CWE ID 201)(13 flaws)

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2714

com.microsoft.tfs.core.clients.versioncontrol.VersionControlClient.java 2721

com.microsoft.tfs.util.temp.FastTempOutputStream.java 314

com.microsoft.tfs.util.chunkingcodec.StreamChunkedDecoder.java

Use of Wrong Operator in String Comparison (CWE ID 597)(5 flaws)

com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 986

com.microsoft.tfs.core.checkinpolicies.PolicyAnnotation.java 101

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.WorkspaceLocalItemEnumerable.java 53

com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.WorkspaceLocalItemEnumerable.java 90

com.microsoft.tfs.core.clients.versioncontrol.Workstation.java 736

Insecure Temporary File (CWE ID 377)(7 flaws)

com.microsoft.tfs.core.util.internal.AppleSingleUtil.java 79

com.microsoft.tfs.core.util.internal.AppleSingleUtil.java 165

com.microsoft.tfs.core.persistence.FilesystemPersistenceStore.java 191

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 290

com.microsoft.tfs.jni.internal.filesystem.NativeFileSystem.java 264

com.microsoft.tfs.util.NewlineUtils.java 554

com.microsoft.tfs.util.temp.TempStorageService.java 264

All these flaws identified by veracode should be mitigated.

External Control of File Name or Path (CWE ID 73)(104 flaws)

com.microsoft.tfs.core.clients.versioncontrol.engines.internal.BaselineFileDownloadOutput.java 105 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 314 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 314 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 326 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 398 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 407 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 423 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 432 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 476 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 515 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 517 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 556 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 566 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 595 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 628 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 629 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 636 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 637 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 688 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 688 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.BaselineFolderCollection.java 893 com.microsoft.tfs.core.clients.versioncontrol.soapextensions.ChangeRequest.java 148 com.microsoft.tfs.core.clients.versioncontrol.soapextensions.ChangeRequest.java 171 com.microsoft.tfs.core.util.diffmerge.ExternalRunner.java 81 com.microsoft.tfs.core.util.diffmerge.ExternalRunner.java 82 com.microsoft.tfs.core.clients.versioncontrol.internal.fileattributes.FileAttributesFile.java 99 com.microsoft.tfs.jni.helpers.FileCopyHelper.java 96 com.microsoft.tfs.core.util.FileEncodingDetector.java 116 com.microsoft.tfs.core.util.FileEncodingDetector.java 133 com.microsoft.tfs.util.FileHelpers.java 495 com.microsoft.tfs.util.FileHelpers.java 495 com.microsoft.tfs.util.FileHelpers.java 539 com.microsoft.tfs.util.FileHelpers.java 602 com.microsoft.tfs.util.FileHelpers.java 608 com.microsoft.tfs.util.FileHelpers.java 653 com.microsoft.tfs.core.persistence.FilesystemPersistenceStore.java 81 com.microsoft.tfs.core.clients.versioncontrol.path.internal.FileSystemWalker.java 546 com.microsoft.tfs.core.clients.versioncontrol.path.internal.FileSystemWalker.java 564 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 255 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 263 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 404 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 551 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.workers.GetDownloadWorker.java 603 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 667 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 672 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1855 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1903 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 1918 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2031 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2068 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2143 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2157 com.microsoft.tfs.core.clients.versioncontrol.engines.internal.GetEngine.java 2318 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3165 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3186 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3324 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 3342 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalDataAccessLayer.java 4271 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalItemEnumerable.java 44 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalItemEnumerable.java 96 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 266 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 269 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 292 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 293 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 294 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 316 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalMetadataTable.java 323 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 315 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 316 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 618 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 626 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 710 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 726 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 806 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 903 com.microsoft.tfs.core.clients.versioncontrol.path.LocalPath.java 921 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 341 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 685 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 801 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 807 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 833 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 865 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 868 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 898 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1178 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1178 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceProperties.java 1220 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalWorkspaceScanner.java 197 com.microsoft.tfs.core.clients.versioncontrol.localworkspace.LocalWorkspaceScanner.java 272 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 696 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 702 com.microsoft.tfs.core.clients.versioncontrol.internal.localworkspace.LocalWorkspaceTransaction.java 737 com.microsoft.tfs.core.clients.versioncontrol.Workstation.java 1584 com.microsoft.tfs.core.persistence.VersionedVendorFilesystemPersistenceStore.java 184 com.microsoft.tfs.core.persistence.VersionedVendorFilesystemPersistenceStore.java 196 com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 1047 com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 1990 com.microsoft.tfs.core.clients.versioncontrol.internal.WebServiceLayerLocalWorkspaces.java 2157 com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1392 com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1405 com.microsoft.tfs.core.clients.versioncontrol.soapextensions.PendingChange.java 1407 com.microsoft.tfs.jni.filelock.NIOFileLock.java 67 com.microsoft.tfs.jni.loader.NativeLoader.java 486 com.microsoft.tfs.jni.internal.filesystem.NativeFileSystem.java 281
@shiva10162
Copy link

what is the plan to mitigate these security flaws?

@eric-milles
Copy link
Collaborator

If someone wants to help with this, it would be good to break each category out into a separate issue with link(s) to recommended remediation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shiva10162 @eric-milles @kaylangan