
Vulnerability flaws highlighted by running a Veracode static scan on JDBC libraries

Information

Title: Vulnerability flaws highlighted by running a Veracode static scan on JDBC libraries
URL Name: Vulnerability-flaws-highlighted-by-running-a-Veracode-static-scan-on-JDBC-libraries
Article Number: 000169122
Environment
Product: Connect for JDBC, Progress DataDirect for JDBC
Version: 5.1 & 6.0
OS: Java
Database: All supported databases
Application: All supported applications
Question/Problem Description
Vulnerability flaws highlighted by running a Veracode static scan on Progress DataDirect for JDBC driver libraries
Steps to Reproduce
Clarifying Information
"Driver release builds are obfuscated builds and Progress recommends that customers should not scan release builds for generating security reports. This recommendation aligns with Veracode’s guidelines which say “For a successful scan, you cannot obfuscate Java applications.” (https://help.veracode.com/r/compilation_java)

Progress internally does security scans on debug builds. This is based on Veracode’s recommendation: “Veracode can analyze Java code with or without debug symbols. Providing debug builds of Java application code allows Veracode to provide source file and line number information about the location of findings found.”

Progress uses the same copy of 3rd-party components for both our debug and release packages. We build a debug version, scan both our object code and the jars. Then we use those same jars with release builds of our code. Our build scripts are generated to ensure that everything uses the exact set of components.

So, the scan reports generated by Progress on the non-obfuscated builds are more accurate."

Error Message: Veracode reports SQL Injection (CWE ID 89) vulnerability
Defect Number
Enhancement Number
Cause
Resolution
Static scans of an obfuscated driver can report false positives, so scanning obfuscated release builds is not recommended. Progress DataDirect regularly scans its JDBC drivers with Veracode on non-obfuscated debug builds, and those scans currently report no SQL Injection (CWE ID 89) vulnerabilities in the JDBC drivers.
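The two points above (Veracode cannot scan obfuscated Java, and a debug build is what gives findings a source file and line number) can be checked before a jar is uploaded. The following pre-scan check is an added example, not code from this article, from Progress DataDirect or from Veracode: it walks each class file's constant pool for the SourceFile/LineNumberTable attribute names that javac emits for a debug build and that an obfuscator strips, and flags ProGuard-style one- or two-letter class names. The package names, jar contents and the "scan-ready" verdict are constructed for the example; the obfuscated-name rule is a heuristic, not a definitive test.

```python
"""Pre-scan check for a JDBC driver jar: does each class still carry the debug
attributes a static analyzer needs, and do the class names look obfuscated?
Added example; this is not Progress DataDirect or Veracode code."""
import io
import struct
import zipfile

# Fixed payload size (bytes) of each JVM constant-pool tag; tag 1 (Utf8) is variable.
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# Attribute names javac emits with -g; obfuscators strip them unless told to keep them.
DEBUG_ATTRS = ("SourceFile", "LineNumberTable", "LocalVariableTable")


def utf8_constants(class_bytes):
    """Walk the constant pool of a class file and return its CONSTANT_Utf8 strings."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, found = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        pos += 1
        if tag == 1:                                   # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            pos += 2
            found.append(class_bytes[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        else:
            pos += _CP_FIXED[tag]
        idx += 2 if tag in (5, 6) else 1               # long/double take two pool slots
    return found


def looks_obfuscated(entry_name):
    """Heuristic for renamed classes: a simple name of one or two lowercase letters (a/b/c.class)."""
    simple = entry_name[:-len(".class")].split("/")[-1].split("$")[0]
    return len(simple) <= 2 and simple.islower()


def audit_jar(jar_bytes):
    """Per-class findings plus a verdict on whether the jar is a scan-ready debug build."""
    classes = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                consts = set(utf8_constants(jar.read(name)))
                classes[name] = {
                    "debug_attrs": [a for a in DEBUG_ATTRS if a in consts],
                    "obfuscated_name": looks_obfuscated(name),
                }
    with_lines = sum("LineNumberTable" in c["debug_attrs"] for c in classes.values())
    renamed = sum(c["obfuscated_name"] for c in classes.values())
    ready = bool(classes) and with_lines == len(classes) and renamed == 0
    return {"classes": classes, "with_line_numbers": with_lines,
            "obfuscated_names": renamed, "verdict": "scan-ready" if ready else "not-scan-ready"}


# --- constructed fixtures (not real driver jars) ---------------------------------
def make_class(utf8_strings):
    """Class-file prefix whose constant pool holds only the given Utf8 entries.
    Enough for utf8_constants(); it is not a loadable class."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s)) + s.encode() for s in utf8_strings)
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(utf8_strings) + 1) + pool


def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            jar.writestr(name, data)
    return buf.getvalue()


# A debug build: readable names, SourceFile and LineNumberTable present.
DEBUG_JAR = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/jdbc/Driver.class": make_class(
        ["com/example/jdbc/Driver", "Driver.java", "SourceFile", "LineNumberTable"]),
    "com/example/jdbc/Statement.class": make_class(
        ["com/example/jdbc/Statement", "Statement.java", "SourceFile", "LineNumberTable"]),
})
# A release build after an obfuscator: debug attributes stripped, one class renamed.
RELEASE_JAR = make_jar({
    "com/example/jdbc/Driver.class": make_class(["com/example/jdbc/Driver"]),
    "a/b/c.class": make_class(["a/b/c"]),
})

if __name__ == "__main__":
    for label, jar in (("debug", DEBUG_JAR), ("release", RELEASE_JAR)):
        print(label, audit_jar(jar)["verdict"])
```

On a real driver package, pass the bytes of the shipped jar to audit_jar(); a result with zero LineNumberTable hits and renamed classes is the obfuscated release build the article says not to scan, and any CWE-89 findings from such a scan should be reproduced on the debug build before being treated as real.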

When dealing with security vulnerabilities, the best practice is to update to the latest hot fix as often as possible to stay ahead of new security threats. The fixes.txt file that ships with every driver installation package lists all driver updates, including those related to security vulnerabilities.

Refer to Connect for JDBC hot fix download and install instructions for how to download and install the hot fix.
Workaround
Notes
Last Modified Date: 4/30/2021 4:57 AM
Files