New found vulnerabilities in h2 #1410

Closed
AlexanderNikitin-Smartbear opened this issue Aug 29, 2018 · 9 comments

Comments

@AlexanderNikitin-Smartbear

Hello,
In the past, we scanned the artifact h2, version 1.4.197, with Veracode (#816), but the engine of Veracode has been updated, so it has found some new vulnerabilities. The report is attached.
h2.pdf

@katzyn
Contributor

katzyn commented Aug 29, 2018

It looks like this tool was designed (or configured) for web applications and similar products.

Warnings like

J2EE Bad Practices: Direct Management of Connections

Information Exposure Through Sent Data

and probably some others are not applicable to a database engine.

Such reports are not very useful. They may find something that needs attention, but it's better to filter out at least those tests that obviously should not be used to test a database engine.

@IlyaAvdeev

What about Very High (OS Command Injection) and High (SQL Injection)? In your response you paid attention to some strange Low vulnerabilities only.

@katzyn
Contributor

katzyn commented Aug 30, 2018

I intentionally ignored false positives; some amount of them is normal for any automated testing system.

Did you check sources or only the report?

@IlyaAvdeev

I'm not comfortable enough with your source code and not sure I can assess the potential vulnerabilities correctly. That's why we ask for input from the lib developers.

@katzyn
Contributor

katzyn commented Aug 30, 2018

If you want a detailed reply, I suggest you configure your testing system properly for each specific product that you test, to avoid a huge amount of incorrect warnings. Some software that uses a database and the database engine itself work with SQL in very different ways.

Also, your report is cluttered with unrelated information. It would be easier to read without working time predictions and large descriptions of obvious things. Somebody may want this information, but developers usually do not.

@IlyaAvdeev

Do you confirm that all found vulnerabilities are false positives?

@katzyn
Contributor

katzyn commented Aug 30, 2018

Most of them definitely are, but I might have missed something.

For example, when names and string literals are properly quoted, your system reports an SQL injection anyway. I don't know how to avoid it, because different products use different ways to quote them. (Usage of prepared statements is not always possible.)

Access to the file system from methods that are designed to do it and that require appropriate permissions from the end user is not a vulnerability.

A DB server works with the network; why is this detected as a problem?

Warnings about insufficient entropy in places that don't work with cryptography are not relevant.

And so on.
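
The point katzyn makes above, that names and string literals have to be quoted by hand where prepared statements cannot be used (identifiers in DDL cannot be bound as parameters), as an added example: this is not H2 code, it is written in Python for brevity, and the function names and the column-type allowlist are assumptions.

```python
# Added example (not H2 project code): why a static analyzer flags
# string-built SQL even when names and literals are properly quoted.
# Identifiers (table and column names) cannot be bound as prepared-statement
# parameters, so DDL such as CREATE TABLE must be assembled as text. The
# safe way to do that is the SQL-standard one: every embedded quote
# character is doubled, so the quoted token can never end early.

# Constructed allowlist of column types; keywords are never quoted, so they
# must be validated rather than escaped.
ALLOWED_TYPES = {"INT", "BIGINT", "VARCHAR", "BOOLEAN", "TIMESTAMP"}


def quote_identifier(name: str) -> str:
    """Return name as a double-quoted SQL identifier ('"' becomes '""')."""
    if not name or "\x00" in name:
        raise ValueError("empty identifier or NUL byte")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """Return value as a single-quoted SQL string literal ("'" becomes "''")."""
    if "\x00" in value:
        raise ValueError("NUL byte in literal")
    return "'" + value.replace("'", "''") + "'"


def build_create_table(table: str, columns: list[tuple[str, str]]) -> str:
    """Assemble CREATE TABLE with every name quoted and every type allowlisted."""
    parts = []
    for name, sql_type in columns:
        sql_type = sql_type.upper()
        if sql_type not in ALLOWED_TYPES:
            raise ValueError(f"unsupported column type: {sql_type!r}")
        parts.append(f"{quote_identifier(name)} {sql_type}")
    return f"CREATE TABLE {quote_identifier(table)} ({', '.join(parts)})"


def build_table_comment(table: str, comment: str) -> str:
    """Assemble COMMENT ON TABLE ... IS '...', a statement whose text cannot
    be bound as a parameter in every dialect, with the text quoted."""
    return f"COMMENT ON TABLE {quote_identifier(table)} IS {quote_literal(comment)}"


if __name__ == "__main__":
    # Constructed inputs containing the quote characters that matter.
    print(build_create_table("users", [("id", "int"), ('odd"name', "varchar")]))
    print(build_table_comment("users", "O'Brien's table"))
```

The quoted forms are what a scanner keyed on string concatenation cannot distinguish from unquoted input, which is the false positive described in the comment.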

@IlyaAvdeev

Can you please be more specific? Please list the points which are 100% false positives.

@grandinj
Contributor

We have already explained and wasted enough time on this; please do your own work properly before wasting our time. Especially since this appears to be a commercial project, I do not see why we need to act as unpaid QA for you.

4 participants