Fix quickstart
This quickstart steps you through using the Veracode CLI to fix a security flaw with Veracode Fix. You use Fix to generate suggested fixes and apply a fix to a flaw in a provided demo application.
To fix a flaw with Veracode Fix, complete the following tasks:
- Meet the prerequisites.
- Sign in to the Veracode Platform.
- Use the Veracode Platform to generate API credentials.
- Set up the Veracode CLI and demo application.
- Fix a flaw in a demo application.
- Optionally, confirm the flaw is fixed.
Prerequisites
To complete this quickstart, you must meet the following prerequisites:
- A Veracode user account in the Commercial Region. To view Fix results, your account must have the Submitter role. Fix currently does not support accounts in the European Region or the US Federal Region. If you need an account, contact the Veracode Administrator for your organization.
- To run Fix, ensure your system has Git installed.
- The Veracode CLI requires access to analysiscenter.veracode.com and api.veracode.com, which are both in the Commercial Region. Contact your IT team to ensure both domains are on the allowlist for your organization and that there is one-way communication on port 443 to api.veracode.com. Refer to the complete list of domains and IP addresses to add to your allowlist.
- To download the demo application, ensure you can access GitHub.
Sign in to the Veracode Platform
To sign in to the Veracode Platform, use one of the following methods.
- If you have a new Veracode account in the Commercial Region, you received a welcome email that provides a link for activating your account in the Veracode Platform. If you did not receive the welcome email, contact your Veracode Administrator.
- If you have an active Veracode account, you can sign in to the Veracode Platform using the Commercial Region domain: https://analysiscenter.veracode.com/. If your organization uses a Single Sign-On (SSO) portal such as Okta, you can also access the Veracode Platform with SSO.
Generate API credentials
To access and use the Veracode CLI, you must have API credentials. You provide these credentials after you install the Veracode CLI.
- In the Veracode Platform, from the user account dropdown menu, select API Credentials.
- Select Generate API Credentials.
- Copy the ID and secret key to a secure place.
Though not required for this quickstart, Veracode recommends that you store your credentials in an API credentials file.
Set up the Veracode CLI and demo application
Install the Veracode CLI and clone the demo application verademo in the same folder. By default, the Veracode CLI expects any dependency files to be in the same folder as the CLI executable.
- Open a command prompt.
- Create the folder /try-fix. On macOS, you might need to create the folder under ~/try-fix.
- Change to the folder /try-fix.
- Install the Veracode CLI and add your API credentials.
- Clone the demo application verademo:
  git clone https://github.com/veracode/verademo
verademo is a Java web application that meets Veracode compilation and packaging requirements and intentionally includes flaws. verademo includes the scan results file results.json, which lists the flaws discovered by running the command veracode static scan on verademo.
Fix a flaw
Use Veracode Fix to fix a flaw in verademo.
- At a command prompt, ensure you are in the folder /try-fix.
- To run Fix on IgnoreCommand.java using the included results.json file, run one of the following commands:
  Windows:
  veracode fix --results verademo\docs\scan_results\results.json verademo\app\src\main\java\com\veracode\verademo\commands\IgnoreCommand.java
  macOS or Linux:
  ./veracode fix --results verademo/docs/scan_results/results.json verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
  Fix correlates the flaws in results.json to the lines of code in IgnoreCommand.java and returns a list of issues. Each issue identifies the Common Weakness Enumeration (CWE) ID, which indicates the flaw type and severity, and the number of the code line that contains the flaw. An issue ID is a random, arbitrary identifier for a flaw; you only need to be concerned with the CWE ID.
  Issues in source file IgnoreCommand.java:
IssueID 1012: CWEId 89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
IssueID 1007: CWEId 89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
on line 47 in function com.veracode.verademo.commands.IgnoreCommand.execute
IssueID 1153: CWEId 117
Improper Output Neutralization for Logs
on line 39 in function com.veracode.verademo.commands.IgnoreCommand.execute
IssueID 1146: CWEId 117
Improper Output Neutralization for Logs
on line 46 in function com.veracode.verademo.commands.IgnoreCommand.execute
IssueID 1053: CWEId 404
Improper Resource Shutdown or Release
on line 38 in function com.veracode.verademo.commands.IgnoreCommand.execute
IssueID 1019: CWEId 404
Improper Resource Shutdown or Release
on line 40 in function com.veracode.verademo.commands.IgnoreCommand.execute
Enter issue ID:
- To address the first issue, enter issue ID 1012 and press Enter. Fix returns two fixes you can apply to patch line 40 in IgnoreCommand.java. The fixes are ranked, with FIX 1 as the top Veracode recommendation that you typically want to apply.
  Requesting fixes...
  Waiting for results...
  .....
--- FIX 1 -------------------------------------------------------------
--- verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -8,6 +8,7 @@
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
+import java.sql.PreparedStatement;
public class IgnoreCommand implements BlabberCommand {
private static final Logger logger = LogManager.getLogger("VeraDemo:IgnoreCommand");
@@ -34,10 +35,12 @@
action.setString(2, username);
action.execute();
- sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ sqlQuery = "SELECT blab_name FROM users WHERE username = ?";
logger.info(sqlQuery);
- ResultSet result = sqlStatement.executeQuery(sqlQuery);
+ PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);
+ sqlStatement.setString(1, blabberUsername);
+
+ ResultSet result = sqlStatement.executeQuery();
result.next();
/* START EXAMPLE VULNERABILITY */
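Review bot: the new `PreparedStatement sqlStatement = connect.prepareStatement(sqlQuery);` and the `ResultSet result` it produces are still never closed, so this candidate remediates the CWE-89 finding but leaves the CWE-404 (Improper Resource Shutdown or Release) findings reported for this function in place; wrapping the statement in a try-with-resources block would close both. Also note that, because the assignment `sqlQuery = "SELECT blab_name FROM users WHERE username = ?";` now precedes `logger.info(sqlQuery);`, the user-controlled blabberUsername no longer reaches the log at that call, which is what the CWE-117 finding on the same logger line is about; the stray `+` line that adds only whitespace before the executeQuery call can be dropped.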
--- FIX 2 -------------------------------------------------------------
--- verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
+++ verademo/app/src/main/java/com/veracode/verademo/commands/IgnoreCommand.java
@@ -35,7 +35,7 @@
action.execute();
sqlQuery = "SELECT blab_name FROM users WHERE username = '" + blabberUsername + "'";
- Statement sqlStatement = connect.createStatement();
+ PreparedStatement sqlStatement = connect.prepareStatement();
logger.info(sqlQuery);
ResultSet result = sqlStatement.executeQuery(sqlQuery);
result.next();
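Review bot: FIX 2 neither removes the injection nor compiles: `PreparedStatement sqlStatement = connect.prepareStatement();` is called without the SQL string (java.sql.Connection has no zero-argument prepareStatement), the query is still built by concatenating blabberUsername into sqlQuery, and `ResultSet result = sqlStatement.executeQuery(sqlQuery);` still passes that concatenated string, so the CWE-89 finding would remain. This is why FIX 1, which binds the value with setString(1, blabberUsername), is the one to apply.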
Enter the fix to apply. [1-2]:
- To apply FIX 1, enter 1 and press Enter. You are done! Veracode Fix has patched the code on line 40 in IgnoreCommand.java and you have remediated a CWE-89 flaw.
Confirm the fix
Optionally, to confirm the fix, you can build verademo as a WAR file, scan the WAR file with the command veracode static scan, and review the results.
- Change to the folder /try-fix/verademo.
- To build verademo and package it as verademo.war, run one of the following commands:
  Windows:
  mvn -f app\pom.xml clean package
  macOS or Linux:
  mvn -f app/pom.xml clean package
- To scan verademo.war, run one of the following commands:
  Windows:
  veracode static scan app\target\verademo.war -esd true
  macOS or Linux:
  ./veracode static scan app/target/verademo.war -esd true
  -esd true adds the stack dump data for each flaw to the scan results in results.json. This parameter is optional, but you must include it if you want to use the results with Fix.
- Review the scan results. In the list of High severity issues, which shows all CWE-89 flaws, each identified by the affected source file followed by the code line number, com/veracode/verademo/commands/IgnoreCommand:40 is not listed.
===================
Analyzed 2 modules.
===================
verademo.war
JS files within verademo.war
====================
Analyzed 172 issues.
====================
-------------------------------------
Found 2 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:53
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:83
---------------------------------
Found 13 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:165
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:249
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:310
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:374
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:479
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/UserController.java:490
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/controller/BlabController.java:467
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:42
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:49
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/RemoveAccountCommand.java:53
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:50
-----------------------------------
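As an added example that is not part of this quickstart or the Veracode CLI, the confirmation step above can be scripted: the code below parses a constructed excerpt in the format of the veracode static scan summary shown above and checks whether a given file and line still carries a finding. The SCAN_OUTPUT sample, its line numbers and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the `veracode static scan` summary shown
# above (not output from a real scan); the line numbers are illustrative.
SCAN_OUTPUT = """\
-------------------------------------
Found 2 issues of Very High severity.
-------------------------------------
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:53
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): com/veracode/verademo/controller/ToolsController.java:83
---------------------------------
Found 3 issues of High severity.
---------------------------------
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:40
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/ListenCommand.java:47
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): com/veracode/verademo/commands/IgnoreCommand.java:50
"""

SEVERITY_RE = re.compile(r"^Found \d+ issues of (.+) severity\.$")
FINDING_RE = re.compile(r"^(CWE-\d+): (.+): (\S+):(\d+)$")


def parse_findings(text):
    """Return (severity, cwe, description, path, line) tuples, in report order."""
    severity = None
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SEVERITY_RE.match(line)
        if m:
            severity = m.group(1)   # a severity header applies to the lines that follow it
            continue
        m = FINDING_RE.match(line)
        if m and severity is not None:
            cwe, description, path, lineno = m.groups()
            findings.append((severity, cwe, description, path, int(lineno)))
    return findings


def is_reported(findings, path, lineno, cwe=None):
    """True if the report still lists a finding at path:lineno (optionally of one CWE)."""
    return any(f[3] == path and f[4] == lineno and (cwe is None or f[1] == cwe)
               for f in findings)


def count_by_cwe(findings):
    """Number of findings per CWE ID, e.g. {'CWE-78': 2, 'CWE-89': 3}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f[1]] += 1
    return dict(counts)
```

Compare file and line together rather than line alone: FIX 1 inserted three lines above the second SQL injection flaw in IgnoreCommand.java, so the finding originally reported at line 47 appears at line 50 in the rescan.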
Next steps
- Learn more about Veracode Fix.
- Learn about Veracode and the CWE.
- Learn more about the Veracode CLI.